1

I am looking for a PowerShell script that I run one time only on the DC. I found w32tm but I don't know how to use it. Thanks in advance!

user171447

3 Answers

4

On your PDCe, and only on your PDCe FSMO role holder, you should sync with an external time source, by issuing a command such as this:

w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

You can choose your own NTP servers of course. The 0x8 flag tells Windows Time to operate in "client" mode, i.e., it shall only act as a client to pool.ntp.org servers.

All of your other Active Directory domain members automatically use the AD domain controller selection process to automatically find an NTP server. You should never need to manually configure Windows Time on your domain members. (Or other domain controllers that aren't the PDCe.)

If you already have, and just want to return them to default configuration, then do

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

Ryan Ries
4

I don't use w32tm, PowerShell or any tool. Instead, configure NTP via group policies.

I create one policy called 'Configure NTP on PDC Emulator' in the Domain Controllers OU, and use security filtering to apply it only to the PDC emulator. Leave everything else at the default.

The Windows time settings are under Computer Configuration\Administrative Templates\System\Windows Time Service and Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers. You need to configure at least Configure Windows NTP Client and Enable Windows NTP Client; you may also want to tweak things under Global Configuration Settings and to Enable Windows NTP Server.

Zoredache
  • 1
    The only thing that would make me wary of this approach is that there is no way to target the PDCe through GPO security filtering. So if your PDCe ever changes, your current admins must remember these past changes that you obviously documented so well. ;) – Ryan Ries Feb 27 '15 at 03:57
  • 1
    I don't see any way to get beyond the fact that the sysadmin must know what they are doing when they move the PDC emulator role. The admin has to remember to issue the CLI commands you mentioned also. The advantage the GPO has is that it uses a technology that most Windows admins will have a lot of experience with. With the GPO policy the admin arguably has to remember less: they don't need to know what they used for NTP servers, or the various settings they used. They simply need to document/remember to adjust the security filtering. – Zoredache Feb 27 '15 at 18:13
  • 2
    @RyanRies You can use a WMI filter on the group policy to target the PDCe role like so: 'Select * from Win32_ComputerSystem where DomainRole=5'. The DomainRole=5 is only valid on DC holding the PDCe role. See https://msdn.microsoft.com/en-us/library/aa394102(v=vs.85).aspx – Cory Plastek Mar 01 '15 at 18:50
  • @CoryPlastek Good idea, and Zoredache, valid point. – Ryan Ries Mar 01 '15 at 18:55
  • How would I go about setting the configuration on multiple non-domain-member machines? Logging in to every single one of them and firing up the group policies UI is a PITA. – wilx Feb 08 '16 at 10:42
  • If you must do it manually, then you probably want to look at @RyanRies's answer. – Zoredache Feb 08 '16 at 17:37
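
The command from Ryan Ries's answer, wrapped in a run-once PowerShell function that first applies the DomainRole=5 check from Cory Plastek's comment, as an added example that is not part of any post on this page. The function name Set-PdceTimeSource and the fields it returns are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answers. Set-PdceTimeSource is a hypothetical name.
function Set-PdceTimeSource {
    param(
        # Peer list from the answer above; 0x8 = client mode. Substitute your own servers.
        [string]$Peers = '0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8'
    )

    # DomainRole 5 is reported only by the DC holding the PDCe role.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ne 5) {
        Write-Warning "DomainRole is $role, not 5: this host is not the PDCe. Nothing changed."
        return
    }

    # Keep the previous source so the change is visible in the result.
    $before = (& w32tm /query /source | Out-String).Trim()

    # Same switches as the answer; Out-Host keeps w32tm's text out of the return value.
    & w32tm /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }

    # Ask the service to rediscover its sources and sync now.
    & w32tm /resync /rediscover | Out-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'Resync did not complete; check that outbound NTP (UDP 123) is allowed.'
    }

    $after = (& w32tm /query /source | Out-String).Trim()
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        SourceBefore = $before
        SourceAfter  = $after
        # True once the service reports one of the configured peers as its source.
        UsingPeer    = ($Peers -split ' ') -contains $after
    }
}

Set-PdceTimeSource
```

If UsingPeer is still False right after the run, `w32tm /query /status` shows what the service is currently synchronizing with.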
0

Use WMI filtering to target GPOs for advanced settings like this.

Example below.

https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/

  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Jenny D Nov 18 '17 at 07:38