Configure NTP Time Sync using Group Policy


The Windows Time service, despite its apparent simplicity, is the basis for the normal functioning of an Active Directory domain. In a properly configured AD environment the Time service operates as follows: user computers receive the exact time from the nearest domain controller with which they are registered, and all domain controllers request time from a single DC holding the PDC Emulator FSMO role.

The PDC Emulator (Primary Domain Controller) synchronizes time with an external time source. The external time source is usually one or more NTP servers, such as time.windows.com or your provider's NTP server. Please note that by default time is provided to clients using the Windows Time service (instead of native NTP).

If the time on clients and domain controllers differs, your domain most likely has a time synchronization problem, and this article can be very useful for you.

First of all, select the NTP servers that you want to use. The list of public NTP atomic clock servers is available at http://ntp.org. In our example we use: 0.us.pool.ntp.org, 1.us.pool.ntp.org, 2.us.pool.ntp.org and 3.us.pool.ntp.org

Configuring domain time synchronization using Group Policy consists of 2 steps:

  1. Create a GPO for the domain controller with PDC role
  2. Create a GPO for network clients

Configure NTP Group Policy for PDC DC

At this step you need to configure the domain controller holding the PDC Emulator role to synchronize with an external source. The PDC Emulator role can be moved between domain controllers, so we need to make sure that the GPO is applied only to the current holder of the Primary Domain Controller role. To do this, in the Group Policy Management Console (GPMC.msc) select the WMI Filters section and create a new WMI filter with the name Filter PDC Emulator and the query Select * from Win32_ComputerSystem where DomainRole = 5.

Create a new GPO and link it to the OU named Domain Controllers.

Select the created GPO and switch to Edit mode. Go to the following section of the Group Policy Editor console: Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers

We are interested in the following policies:

  • Configure Windows NTP Client: Enabled (policy settings are described below)
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: Enabled

Specify the following settings in the Configure Windows NTP Client policy:

  • NtpServer: 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1
  • Type: NTP
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 0

Note. Do not forget to configure the firewall properly and allow the PDC to access external NTP servers over the NTP protocol (UDP port 123).

Assign the WMI filter Filter PDC Emulator that you created earlier to the GPO.

Tip. You can locate the current PDC server using the command: netdom query fsmo

It remains to update the policy on the PDC:

gpupdate /force

Manually start time synchronization:

w32tm /resync

And check the current NTP settings:

w32tm /query /status
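
As an added example (not part of the original article), the PowerShell function below parses the output of w32tm /query /status and reports whether the PDC is actually syncing from one of the pool servers configured above. The function name and the sample output lines are constructed for illustration, and English-language w32tm output is assumed.

```powershell
# Added example: confirm the PDC emulator syncs from a configured external peer.
$ExpectedPeers = '0.us.pool.ntp.org', '1.us.pool.ntp.org',
                 '2.us.pool.ntp.org', '3.us.pool.ntp.org'

function Test-PdcTimeSource {       # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$StatusLines,  # lines from: w32tm /query /status
        [Parameter(Mandatory)][string[]]$Expected
    )
    # Turn "Name: value" lines into a lookup table.
    $status = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # "Source" carries the peer name plus its flags, e.g. "1.us.pool.ntp.org,0x1".
    $source  = ($status['Source'] -split ',')[0]
    $stratum = 0
    if ($status['Stratum'] -match '^(\d+)') { $stratum = [int]$Matches[1] }

    $findings = @()
    if ($Expected -notcontains $source) {
        $findings += "source '$($status['Source'])' is not a configured peer"
    }
    if ($status['Leap Indicator'] -match '^3') { $findings += 'clock reports not synchronized' }
    if ($stratum -eq 0) { $findings += 'stratum is unspecified' }

    [pscustomobject]@{
        Source   = $source
        Stratum  = $stratum
        Ok       = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample output: a healthy PDC and one that fell back to its own clock.
$healthy = @(
    'Leap Indicator: 0(no warning)'
    'Stratum: 3 (secondary reference - syncd by (S)NTP)'
    'Source: 1.us.pool.ntp.org,0x1'
)
$fallback = @(
    'Leap Indicator: 3(not synchronized)'
    'Stratum: 0 (unspecified)'
    'Source: Free-running System Clock'
)
Test-PdcTimeSource -StatusLines $healthy  -Expected $ExpectedPeers
Test-PdcTimeSource -StatusLines $fallback -Expected $ExpectedPeers
```

On the PDC itself, pass live output instead of the samples: Test-PdcTimeSource -StatusLines (w32tm /query /status) -Expected $ExpectedPeers.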

Tip. If something does not work, try restarting the Windows Time service and clearing its configuration:

net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time

Configure Client Time Sync Settings using Group Policy

By default, clients in an Active Directory domain environment synchronize their time with domain controllers (the Nt5DS option: synchronize time to the domain hierarchy). Typically this behavior does not need to be reconfigured; however, if there are time sync problems on domain clients, you can try to specify the time server directly on the clients using a GPO.

To do this, create a new GPO and assign it to the OU with computers. In the GPO Editor go to Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers and enable the policy Configure Windows NTP Client.

As the NTP server, specify the name or IP address of the PDC: lon-dc1.adatum.com,0x9

Set authentication type: NT5DS

Update the Group Policy settings on the clients and check the received time sync settings as described above.
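
An added example, not part of the original article: a PowerShell check for the NtpServer value used in both the PDC policy and the client policy, which splits the peer list and decodes the flags after each comma (0x1 and 0x9 in this article). The function name and the mistyped sample string are constructed for illustration.

```powershell
# Added example: validate an NtpServer policy value and decode per-peer flags.
[Flags()] enum NtpPeerFlags {
    SpecialInterval   = 0x1   # poll at the fixed SpecialPollInterval
    UseAsFallbackOnly = 0x2
    SymmetricActive   = 0x4
    Client            = 0x8
}

function Test-NtpServerValue {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)

    # W32Time expects peers separated by spaces, each written "<host>,0x<flags>".
    foreach ($token in ($Value -split '\s+' | Where-Object { $_ })) {
        $problems = @()
        if ($token.EndsWith(',')) {
            $problems += 'peers must be separated by spaces, not commas'
        }
        $peerHost, $flagText = $token.TrimEnd(',') -split ',', 2
        $flags = $null
        if ($peerHost -match '\.0x[0-9a-f]+$') {
            $problems += 'flags must follow a comma, not a dot'
        }
        if ($flagText) {
            if ($flagText -match '^0x([0-9a-f]{1,2})$') {
                $n = [Convert]::ToInt32($Matches[1], 16)
                if ($n -band (-bnot 0xF)) { $problems += "unknown flag bits in $flagText" }
                else { $flags = [NtpPeerFlags]$n }
            }
            else { $problems += "flags '$flagText' are not in 0x<hex> form" }
        }
        [pscustomobject]@{
            Host     = $peerHost
            Flags    = $flags
            Problems = $problems -join '; '
        }
    }
}

# PDC-style value, client-style value, and a mistyped value (constructed).
Test-NtpServerValue '0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1'
Test-NtpServerValue 'lon-dc1.adatum.com,0x9'
Test-NtpServerValue '0.us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1' | Format-List
```

The second call decodes 0x9 as SpecialInterval, Client; the third reports both the dot-instead-of-comma and the comma-separated list as problems.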

