I know by default domain members sync time to the domain controller. However, computers can be set later to pull time from an external source and then cause problems. How can this be fixed in Group Policy so that domain members always sync back to the domain controller and that the domain controller syncs from hardware?
There is a pretty good article on MSDN Blogs that describes how to configure Windows Time Service using Group Policy.
Group Policy Settings Explained - Windows Time Service (blogs.msdn.com)
By default, unless you've modified it, all DCs sync to the PDC emulator, and clients will sync to the DCs in the closest site defined to them in Sites and Services. The PDC emulator should be synced to an upstream time source. I've NEVER had to make a policy change on the client policies.
You'll find those policies under:
computer configuration -> policies -> administrative templates -> system -> windows time service -> time providers
There you can configure which NTP server should be used in the first "NtpServer" field.
NtpServer: The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where flags is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings (http://go.microsoft.com/fwlink/?LinkId=139727). The default value is "time.windows.com,0x09".
And the setting you're looking for would probably be:
CrossSiteSyncFlags: This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site.
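A read-only audit of the settings discussed in the answers above, as an added example that is not part of the original posts: it reads Type, NtpServer and CrossSiteSyncFlags from the policy and service registry keys, decodes the "dnsName,flags" bitmask, and warns when a machine is not set to follow the domain hierarchy. The registry paths, the Type values and the flag names come from Microsoft's W32Time documentation rather than from this page, the function names are made up for the example, and it assumes PowerShell 5 or later.

```powershell
# Added example: audit where this machine's Windows Time service gets its time.
[Flags()] enum NtpPeerFlags {
    SpecialInterval   = 0x01
    UseAsFallbackOnly = 0x02
    SymmetricActive   = 0x04
    Client            = 0x08
}

function ConvertFrom-NtpServerValue {
    param([string]$Value)
    # NtpServer is a space-separated list of "dnsName,flags" entries (flags in hex).
    foreach ($peer in ($Value -split '\s+' | Where-Object { $_ })) {
        $name, $flags = $peer -split ',', 2
        $mask = if ($flags) { [Convert]::ToInt32($flags, 16) } else { 0 }
        [pscustomobject]@{ Peer = $name; Mask = ('0x{0:x2}' -f $mask); Flags = [NtpPeerFlags]$mask }
    }
}

function Get-TimeValue {
    param([string]$SubKey, [string]$Name)
    # A value delivered by Group Policy overrides the locally configured one.
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time',
                      'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time') {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; FromPolicy = ($root -like '*Policies*') }
        }
    }
}

# Constructed sample: the default value quoted in the policy help text.
ConvertFrom-NtpServerValue 'time.windows.com,0x09' | Format-Table -AutoSize | Out-String

$type  = Get-TimeValue 'Parameters' 'Type'
$ntp   = Get-TimeValue 'Parameters' 'NtpServer'
$cross = Get-TimeValue 'TimeProviders\NtpClient' 'CrossSiteSyncFlags'

"Type               : $($type.Value) (from policy: $($type.FromPolicy))"
"CrossSiteSyncFlags : $($cross.Value) (from policy: $($cross.FromPolicy))"
if ($ntp) { ConvertFrom-NtpServerValue $ntp.Value | Format-Table -AutoSize | Out-String }

# NT5DS = follow the domain hierarchy. NTP or AllSync means manually configured
# peers are in play, which is expected only on the PDC emulator.
if ($type.Value -ne 'NT5DS') {
    Write-Warning "Not syncing from the domain hierarchy alone (Type=$($type.Value))."
}
"Current source     : $(w32tm /query /source)"
```

On a domain member the last line should name a domain controller; an external host name there, or a Type other than NT5DS that does not come from policy, points to a local override.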