
This is an Edit - according to the comments, I may not have been understood.

Facts:

  • I have a Windows 2003 Domain
  • PDC Emulator is enabled and working correctly on my DC
  • I have a GPO that is NOT working correctly
  • I WANT my clients to sync with the PDC Emulator that is on my DC (W2K3)
  • I want my DC to sync with an external NTP server

This is the GPO that is currently the NTP GPO

Policy: Setting
Configure Windows NTP Client: Enabled
NtpServer: 0.asia.pool.ntp.org,0x1
Type: NT5DS
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0

Policy: Setting
Enable Windows NTP Client: Disabled

Question 1:

  • If I simply disable the linked NTP GPO, will my clients return to the default settings (assuming a gpupdate /force is needed)? Will they return - actually they will continue to sync to/with the same server, but just with NO GPO. Is that correct?

  • If the answer to Q1 is NO, is there anything special I need to do on the domain?

Question 2: (sorry for not opening a new question)

  • I discovered that I have this line on our domain profile login script (login.cmd) set in the login script for the profile of each user:

    REM ----------------------------------- Set Local time to domain time
    net time /domain:domainserver /set /y

Should/Can I delete it? I think it's a legacy command that was left. Please advise, thanks.

Thank you, I hope this edit cleared some points.

Saariko
  • Did you mean PDC Emulator? – Sergei Dec 28 '11 at 10:15
  • Also I hope you remember that if time between logon server and workstation is skewed by more than 5 minutes , you will not be able to logon due to the way Kerberos implementation works on Windows domain. – Sergei Dec 28 '11 at 10:17
  • Thanks, Yes, I meant PDC Emulator, it's working on the DC. As for your 2nd comment, I am not planning to cancel all, but if I don't need to set anything for my clients, I prefer it this way. thanks – Saariko Dec 28 '11 at 10:43
  • Why would you not sync the clients time with the PDC? As Sergei said, by default, a time skew of more than 5 minutes between client and server authentication attempts will fail. That means: the entire domain can be hours off, and clients will still be able to authenticate, as long as the clients and DC's are in sync. This is the reason that Microsoft recommends the domain NTP Hierarchy, in which the PDC Emulator is the highest NTP authority in the domain, and all clients should use it as time source – Mathias R. Jessen Dec 28 '11 at 15:08
  • I re-edit my Q, I think I was not clear according to your comments. Thanks – Saariko Dec 29 '11 at 14:07

1 Answer


The policy you have listed should only be applied to the PDC. In fact, since only one server in your domain is the PDC, I don't even recommend using this GP setting, but instead, set it in the registry directly on the PDC DC (shameless plug for my blog entry on how to do this: http://wp.me/pZ5Rx-3v). If you insist on doing this via Group Policy, be sure to target the GPO to ONLY the PDC DC (no other computers, not even other DCs). If the policy is applied to other machines, they will all act as NTP clients, contacting the NTP server directly.

By default, domain-joined clients are set to use the Windows Time Service. So, once you clear out this GPO, the domain clients should revert to Windows Time Service automatically.

As for the command in the login script, you won't need it once you clean up the GPO, so it's safe to remove. It was likely put there by the person who originally crafted the GPO, since they couldn't figure out how to get the clients to use the PDC for time...

newmanth
  • Thank you, I did as you suggested: removed the GPO, the CMD line, and completed your guide. However, still when I do: w32tm /monitor (even from my PDC) I get the answer that it checks time with itself. – Saariko Jan 03 '12 at 13:41
  • This is a Computer Configuration GPO, so you may need to force the change. First, run gpupdate /force to ensure policy is updated, then stop/start the w32time service on the PDC: net stop w32time && net start w32time – newmanth Jan 03 '12 at 15:16
  • Oh, and to clarify, the PDC will still show that it checks time with itself when you run w32tm /monitor. To verify that it's using NTP, run w32tm /query /computer: /status. It should state 'syncd by (S)NTP' in the 'Stratum' line and your source to be the NTP server you configured. – newmanth Jan 03 '12 at 15:35
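The hierarchy the answer describes (only the PDC Emulator points at an external NTP server, every other domain member stays on the default NT5DS domain sync) and the verification from the comments, as an added PowerShell example that is not part of the answer or the linked blog post. It assumes it is run elevated on a DC with the RSAT ActiveDirectory module installed; the upstream peer is the 0.asia.pool.ntp.org entry from the question.

```powershell
# Added example: put the PDC Emulator (and only the PDC Emulator) on an
# external NTP source, leave other members on NT5DS, then verify.
# Assumes an elevated session on a DC with the ActiveDirectory module.
$UpstreamPeers = "0.asia.pool.ntp.org,0x1"   # 0x1 = honour SpecialPollInterval

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdc) {
    # PDC Emulator: manual external peer list, advertised as a reliable
    # time source so the rest of the domain hierarchy chains to it.
    w32tm /config /manualpeerlist:$UpstreamPeers /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
} else {
    # Any other machine should still be in domain-hierarchy (NT5DS) mode.
    # If it is not, the NTP client GPO is still being applied to it.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $type   = (Get-ItemProperty $params).Type
    if ($type -ne 'NT5DS') {
        Write-Warning "$me has Type=$type; domain members should be NT5DS. Check GPO scope."
    }
}

# Verification (same checks newmanth describes): on the PDC the Stratum line
# should read 'syncd by (S)NTP' and Source should be the external peer;
# on members, Source should be a domain controller.
w32tm /query /status
w32tm /query /source
```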