I want to configure the Time Service using only GP in a Server 2008 R2 domain. I have created a GP as follows:
Computer Config, Policies, Administrative Templates, System, Windows Time Policy:
=Global Configuration Settings -Enabled w/ default settings.
Computer Config, Policies, Administrative Templates, System, Windows Time Policy, Time Providers:
=Configure Windows NTP Client -Enabled w/ default settings.
=Enable Windows NTP Client -Enabled w/ default settings.
=Enable Windows NTP Server -Enabled w/ default settings.
The policy is linked, enforced and applied to the Domain Controllers OU. The GP modeling results show the policy is in effect on the DC (single-DC domain) and the DC is recognized as the PDC emulator. I have run gpupdate /force and logged off/on.
The issue is that the DC shows the time source as internal. I understand I can force this at the cmd line using w32tm to set the peer but I would like to understand what is missing in the GP. The default NTP Client GP setting includes time.windows.com,0x9 as the source but it does not appear to be taking effect.
EDIT: Requested output:
C:\Users\xxxxx>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Policy)
MaxPollInterval: 10 (Policy)
MaxNegPhaseCorrection: 172800 (Policy)
MaxPosPhaseCorrection: 172800 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 50000000 (Policy)
SpikeWatchPeriod: 900 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 100 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
EDIT: GP Results
System/Windows Time Service
  Policy                         Setting    Winning GPO
  Global Configuration Settings  Enabled    FIT DC Time Policy
    Clock Discipline Parameters
      FrequencyCorrectRate        4
      HoldPeriod                  5
      LargePhaseOffset            50000000
      MaxAllowedPhaseOffset       300
      MaxNegPhaseCorrection       172800
      MaxPosPhaseCorrection       172800
      PhaseCorrectRate            1
      PollAdjustFactor            5
      SpikeWatchPeriod            900
      UpdateInterval              100
    General Parameters
      AnnounceFlags               10
      EventLogFlags               2
      LocalClockDispersion        10
      MaxPollInterval             10
      MinPollInterval             6
      ChainEntryTimeout           16
      ChainMaxEntries             128
      ChainMaxHostEntries         4
      ChainDisable                0
      ChainLoggingRate            30
System/Windows Time Service/Time Providers
  Policy                         Setting    Winning GPO
  Configure Windows NTP Client   Enabled    FIT DC Time Policy
      NtpServer                   time.windows.com,0x9
      Type                        NT5DS
      CrossSiteSyncFlags          2
      ResolvePeerBackoffMinutes   15
      ResolvePeerBackoffMaxTimes  7
      SpecialPollInterval         3600
      EventLogFlags               0
  Policy                         Setting    Winning GPO
  Enable Windows NTP Client      Enabled    FIT DC Time Policy
  Enable Windows NTP Server      Enabled    FIT DC Time Policy
By default, all domain clients will look to the domain controllers for authoritative time. There is no need to set up a GPO to do this.
I don't recommend that you set each client to go directly to an NTP server for time. Kerberos authentication is dependent on your DCs and clients being in sync with each other, so it's better that clients get their time from the DCs themselves.
Now, if you want your domain to be sync'd to an external calibrated source using NTP, you should configure this at the DC that holds the PDC emulator role. See http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx which gives you instructions on how to peer the PDC to an NTP service.
We do this with our domain, connected to some internal Symmetricom NTP servers. Average error on clients runs +/-0.1 s. If you need higher precision than this, you'll need specialized third party software on the clients.
OK. Thanks for the data. I see that you have GPOs for both client and server. The notions of NTP client and NTP server are different from Windows servers and clients. So, first, I recommend getting rid of the server settings. These are used for a machine that will serve NTP requests. In a domain, time is provided to clients using Windows Time Service, NOT NTP.
In your situation, your DC is the NTP client, as it is receiving its data from an external NTP server. So the policy should only be defined for client settings.
Next, change your time providers GPO setting to type NTP, instead of NT5DS.
Do a gpupdate and run the w32tm configuration query again.
To summarize:
- Enable Windows NTP Client Enabled
- Enable Windows NTP Server Not Configured
- Configure Windows NTP Client | NtpServer (NTP Server Name),0x9 (The 0x9 is a flag that designates the NTP Server as being primary.)
- Configure Windows NTP Client | Type NTP
I tested this on our lab domain and it appears to work. When you run the w32tm configuration query, it should show Type: NTP and NtpServer: (NTP Server Name) in the [Time Providers] section.
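A check for the verification step above, as an added example that is not part of the original answer: it parses the text printed by w32tm /query /configuration, isolates the NtpClient provider, and reports why the DC would still show its internal clock as the source (Type not NTP, or no NtpServer value), decoding the peer flags after the comma. The sample input is constructed to mirror the output in the question; the function name is my own.

```powershell
# Added example, not from the original answer: parse the text that
# "w32tm /query /configuration" prints and report why the NtpClient
# provider would still leave a PDC emulator on its internal clock.
function Test-W32tmClientConfig {
    param([string]$Raw)

    # Keep only "Key: Value (Source)" lines under the "NtpClient (Local)" header.
    $client = @{}
    $inClient = $false
    foreach ($line in $Raw -split "`r?`n") {
        if ($line -match '^(\w+) \((Local|Policy)\)\s*$') {
            $inClient = ($Matches[1] -eq 'NtpClient'); continue
        }
        if ($inClient -and $line -match '^(\w+):\s+(.*?)\s+\((Local|Policy)\)\s*$') {
            $client[$Matches[1]] = $Matches[2]
        }
    }

    $findings = @()
    if ($client['Type'] -ne 'NTP') {
        $findings += "Type is '$($client['Type'])': the NtpServer peer list is only honoured when Type is NTP (or AllSync)."
    }
    if (-not $client.ContainsKey('NtpServer')) {
        $findings += "No NtpServer value reached the NtpClient provider; check the 'Configure Windows NTP Client' policy."
    } else {
        # Peer flags follow the comma, e.g. time.windows.com,0x9 = 0x1 + 0x8.
        $flagNames = @{ 0x1 = 'UseSpecialPollInterval'; 0x2 = 'UseAsFallbackOnly'; 0x4 = 'SymmetricActive'; 0x8 = 'Client' }
        foreach ($peer in ($client['NtpServer'] -split '\s+')) {
            $peerHost, $flagText = $peer -split ','
            $flags = if ($flagText) { [int]$flagText } else { 0 }
            $set = $flagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } | ForEach-Object { $flagNames[$_] }
            $findings += "Peer $peerHost flags 0x{0:X}: {1}" -f $flags, ($set -join '+')
        }
    }
    return $findings
}

# Constructed sample mirroring the output in the question; on a live DC use
# $raw = (w32tm /query /configuration) -join "`n"
$sample = @'
[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
Type: NT5DS (Policy)
NtpServer (Local)
Enabled: 1 (Local)
'@
Test-W32tmClientConfig -Raw $sample
```

With the sample input it reports the NT5DS type and the missing NtpServer value, which are the two conditions the answer tells you to change; after the policy is corrected, the same check should print only the decoded peer flags.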
Have you checked whether your firewall has port 123 outbound opened? I was having the same kind of issues and it turned out that the firewall was blocking the DC from contacting the NIST servers.