Configure NTP Time Sync Using Group Policy

The Windows Time service (W32Time), for all its apparent simplicity, is the basis for the normal functioning of an Active Directory domain. In a properly configured AD environment the time service operates as follows: user computers receive the time from the domain controller that authenticated them, and all domain controllers request time from the single DC that holds the PDC Emulator FSMO role.

The PDC Emulator (Primary Domain Controller) synchronizes its time with an external time source, usually one or more NTP servers such as time.windows.com or the NTP server of your provider. Note that by default time is provided to domain clients by the Windows Time service rather than by a native NTP server.

If the time on clients and domain controllers differs, your domain most likely has a time synchronization problem, and this article should help you fix it.

First of all, select the NTP servers you want to use. A list of public NTP servers is available at http://ntp.org. In our example we use: 0.us.pool.ntp.org, 1.us.pool.ntp.org, 2.us.pool.ntp.org and 3.us.pool.ntp.org.

Configuring domain time synchronization using Group Policy consists of 2 steps:

  1. Create a GPO for the domain controller with PDC role;
  2. Create a GPO for network clients.

Configure NTP Group Policy for PDC DC

At this step you need to configure the domain controller holding the PDC Emulator role to synchronize with an external source. The PDC Emulator role can be moved between domain controllers, so we need to make sure that the GPO is applied only to the current holder of the Primary Domain Controller role. To do this, open the Group Policy Management Console (GPMC.msc), select the WMI Filters section and create a new WMI filter named Filter PDC Emulator with the query: Select * from Win32_ComputerSystem where DomainRole = 5


Create a new GPO and link it to the OU named Domain Controllers.


Select the created GPO and open it for editing. Go to the following section of the Group Policy Editor console: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.

We are interested in the following policies:

  • Configure Windows NTP Client: Enabled (policy settings are described below)
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: Enabled


Specify the following settings in the Configure Windows NTP Client policy (the NtpServer value is a space-separated list of peers, each followed by a comma and its flags; a period before the flags would become part of the DNS name and the lookup would fail):

  • NtpServer: 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1;
  • Type: NTP;
  • CrossSiteSyncFlags: 2;
  • ResolvePeerBackoffMinutes: 15;
  • ResolvePeerBackoffMaxTimes: 7;
  • SpecialPollInterval: 3600;
  • EventLogFlags: 0.

Note. Do not forget to configure the firewall properly and allow the PDC outbound access to the external NTP servers over the NTP protocol (UDP port 123).


Assign the WMI filter Filter PDC Emulator that you created earlier to the GPO.


Tip. You can locate the current PDC server using the command: netdom query fsmo

It remains to update the policy on the PDC:

gpupdate /force

Manually start time synchronization:

w32tm /resync

And check the current NTP settings:

w32tm /query /status

Tip. If something does not work, try restarting the Windows Time service and re-registering it, which resets its configuration to the defaults:

net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time

Configure Client Time Sync Settings using Group Policy

By default, in an Active Directory domain environment clients synchronize their time with domain controllers (Type NT5DS, synchronize to the domain hierarchy). Typically this behavior does not need to be changed; however, if there are problems with time sync on domain clients, you can try specifying the time server directly on the clients using a GPO.

To do this, create a new GPO and link it to the OU containing the computers. In the GPO Editor go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers and enable the policy Configure Windows NTP Client.


As the NTP server, specify the name or IP address of the PDC, for example: lon-dc1.adatum.com,0x9

Set the Type to NT5DS.

Update the group policy settings on the clients and check the received time sync settings as described above.
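The following PowerShell script is an added example, not part of the original article, that audits what the two GPOs above (the PDC policy and the client policy) actually delivered to the machine it runs on. It evaluates the same WMI query used for the Filter PDC Emulator filter, reads the NtpServer and Type values the Configure Windows NTP Client policy writes under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters (assumed location of the policy-managed values), decodes the peer flags (0x1 = use SpecialPollInterval, 0x8 = client mode, 0x9 = both), flags the period-instead-of-comma mistake discussed in the comments, and shows the live status lines from w32tm. The function names are the example's own; run it elevated on a domain member.

```powershell
# Added example (not from the original article): audit W32Time GPO settings on this host.
# Assumptions: PowerShell 5.1 or later on a domain-joined machine, run as administrator,
# policy values under HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters.

$flagNames = @{
    0x1 = 'UseSpecialPollInterval'   # poll at SpecialPollInterval instead of the NTP-negotiated rate
    0x2 = 'UseAsFallbackOnly'
    0x4 = 'SymmetricActive'
    0x8 = 'Client'                   # plain NTP client mode; 0x9 = Client + UseSpecialPollInterval
}

function Test-NtpPeerList {
    param([Parameter(Mandatory)][string]$NtpServer)
    # NtpServer is a space-separated list; each entry is host[,0xFLAGS].
    # "host.0x1" (period instead of comma) is treated as a DNS name and never resolves.
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $result = [ordered]@{ Entry = $entry; Host = $null; Flags = $null; Problem = $null }
        if ($entry -match '^[A-Za-z0-9.\-]+\.0x[0-9A-Fa-f]+$') {
            $result.Problem = "flags separated by '.' instead of ','; DNS lookup of '$entry' will fail"
        } elseif ($entry -match '^(?<host>[A-Za-z0-9.\-]+)(,(?<flags>0x[0-9A-Fa-f]+))?$') {
            $result.Host = $Matches.host
            if ($Matches.flags) {
                $value = [Convert]::ToInt32($Matches.flags.Substring(2), 16)
                $result.Flags = ($flagNames.Keys | Sort-Object |
                    Where-Object { $value -band $_ } |
                    ForEach-Object { $flagNames[$_] }) -join '+'
            }
        } else {
            $result.Problem = 'unrecognised entry format'
        }
        [pscustomobject]$result
    }
}

function Get-W32TimeAudit {
    # Same predicate as the 'Filter PDC Emulator' WMI filter from the article.
    $isPdc = [bool](Get-CimInstance -Query 'Select * from Win32_ComputerSystem where DomainRole = 5')
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $policy) {
        Write-Warning "No Windows Time policy found at $policyKey (GPO not applied yet? try gpupdate /force)"
        return
    }
    Write-Host "PDC emulator: $isPdc   Type: $($policy.Type)"
    if ($isPdc -and $policy.Type -ne 'NTP') {
        # The PDC must take time from external peers; NT5DS on the PDC has no upstream DC to follow.
        Write-Warning 'PDC emulator should use Type=NTP with external peers, not NT5DS'
    }
    if ($policy.NtpServer) {
        Test-NtpPeerList -NtpServer $policy.NtpServer | Format-Table -AutoSize
    }
    # Live state as reported by the service (the same lines the manual w32tm /query /status check shows).
    w32tm /query /status | Select-String -Pattern '^(Source|Stratum|Last Successful Sync Time)'
}

Get-W32TimeAudit
```

On the PDC the expected output is Type NTP with four pool entries decoded as UseSpecialPollInterval and a Source line naming one of them; on a client configured per the second section it is Type NT5DS and a Source line naming a domain controller. A Problem column entry pinpoints the peer that NtpClient will log a DNS resolution error for.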

Cyril Kardashevsky

14 comments

  1. One or more Network Time Protocol (NTP) servers have been incorrectly defined on the PDC emulator. Do you have any suggestions?

    The PDC (DC1) is showing the “state” in Pending. This is not the case for DC2 (which is active).

    Peer: 1.us.pool.ntp.org.0x1,
    State: Pending
    Time Remaining: 42611.2161762s
    Mode: 0 (reserved)
    Stratum: 0 (unspecified)
    PeerPoll Interval: 0 (unspecified)
    HostPoll Interval: 0 (unspecified)

    The event log error is “NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ‘us.pool.ntp.org.0x1.”

    1. C:\Windows\system32>w32tm /stripchart /computer:1.us.pool.ntp.org
      Tracking 1.us.pool.ntp.org [129.6.15.30:123].
      The current time is 4/6/2018 10:52:38 AM.
      10:52:38 error: 0x800705B4
      10:52:41 error: 0x800705B4
      10:52:44 d:-00.0000006s o:+27.2452328s [ | @]
      10:52:46 d:-00.0000008s o:+27.2451255s [ | @]
      10:52:49 error: 0x800705B4
      10:52:52 error: 0x800705B4
      10:52:55 error: 0x800705B4
      10:52:58 error: 0x800705B4
      10:53:01 error: 0x800705B4
      10:53:04 error: 0x800705B4
      10:53:07 error: 0x800705B4
      10:53:10 d:-00.0000008s o:+27.2458764s [ |

    2. This may be a typo from when this was put on the web, but:
      Peer: 1.us.pool.ntp.org.0x1,

      It’s a comma, not a period between ORG and the 0x1
      The ‘0x1’ is a flag value, and not part of the DNS name. The way it is entered here however, the server is going to think the DNS name is 1.us.pool.ntp.org.0x1 without a flag value.

  2. Thanks. This helped me figure out why and how to get my time sync corrected. I did end up using “pool.ntp.org” for my source but everything else was just what the doctor ordered.

  3. Good article but I was getting this error: “The computer did not resync because no time data was available.”

    Found that the NTP Server list is not the right format. The NTP server list should be: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1

    It now works perfectly :D

  4. This is an excellent article but you should correct the typos in the NtpServer: us.pool.ntp.org.0x1
    You entered “.0x1” following “.org” but it should be “,0x1” otherwise this will result in unresponsive DNS queries

  5. So I have been reading a lot of instructions for this setup for the PDC configuration part. This article references 0x1 as a flag but the example in the GPO uses 0x9 as the flag (time.windows.com,0x9) and I see other articles with similar configuration that also reference using the 0x9 flag. Which is the correct flag to use for the PDC that gets its time from NTP internet servers such as the pool.ntp.org servers?

    (Also, this article still needs to correct the comma before the 0x1 flag instead of a period in the NTP server listings).

  6. I am finding this info very helpful in understanding the basic approach to creating domain time syncing. I have not been able to resolve the issues I have, though. Does NT5DS reside in a GPO for clients to have it added for membership? My networking staff expect the forest to be configured to use NT5DS by default with no modifications, and everything suggested to fix the issue revolves around Windows Time at the client. A bit of explanation of my issue: I have some PCs that are specialized in our network that we do not join to the normal set of GPOs, and they are the PCs that don’t time sync. I have found the Windows Time service disabled, but even after enabling it the PCs do not sync. W32TM /query /status returns results that time sync has never occurred. W32TM /query /configuration reveals that the PCs have no DC server designated for time sync. I can’t find a GPO in my forest that has a time sync function. Another weird thing I found is that the problem PCs will not run NETDOM either.

  7. Is it possible to correct the original information so the comments below the article are incorporated back into the original article?

    i.e.:

    NtpServer: us.pool.ntp.org,0x9 1.us.pool.ntp.org,0x9 2.us.pool.ntp.org,0x9 3.us.pool.ntp.org,0x9;
    Type: NTP;
    CrossSiteSyncFlags: 2;
    ResolvePeerBackoffMinutes: 15;
    Resolve Peer BAckoffMaxTimes: 7;
    SpecilalPoolInterval: 3600;
    EventLogFlags: 0.

  8. Does anyone have a method to allow AD clients to sync to an Internet time source when they aren’t connected to the corporate network?

    1. Chris,

      In my experience, it works to apply the policy The IT Bros suggest above for PDC DC, to AD clients. I have a private/internal time server (let’s call it pvtntpserver.mydomain) configured much as this post suggests for PDC DC (but the server isn’t a DC). For AD clients, my NtpServer setting/list looks like: pvtntpserver.mydomain,0x1 0.something.pool.ntp.org,0x1 1.something.pool.ntp.org,0x1 2.something.pool.ntp.org,0x1 3.something.pool.ntp.org,0x1
      Otherwise, my AD client Windows NTP Client Group Policy config is as this post recommends for PDC DC. Of course, make sure the policy is linked to an OU where the policy will apply to your AD clients. This seems to work fine for me.

  9. Can someone please help me on how to sync to an NTP server that we recently set up? We set up an NTP server on CentOS 7 but have not joined it to our domain. Just want to use the server IP to sync.
