(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)
Posted by Jorge on 2010-09-26
In the previous post (part 1) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role manually. The commands mentioned in that post must be executed on DC in the forest root AD domain hosting the PDC FSMO role. To prevent these manual actions, it is also possible to achieve the same result after a one-time configuration in AD through GPOs and a WMI filter. Perform the following tasks.
[Task 1] – Create a WMI filter to only target the DC with the PDC FSMO role.
In the GPMC create a WMI filter with the following configuration (without the single quotes):
- WMI Filter Name: "RWDC With The PDC FSMO role" (can be something else of course)
- WMI Filter Description: ‘This WMI filter targets the DC with the PDC FSMO Role’ (can be something else of course)
- WMI Filter Namespace: ‘rootCIMv2’
- WMI Filter Query: ‘Select * from Win32_ComputerSystem where DomainRole = 5’
–
[Task 2] – Create a GPO and link it to the Domain Controllers OU to target all DCs. Make sure it is applied after the GPO called "Default Domain Controllers Policy".
In the GPMC create a GPO with following configuration (without the single quotes):
-
GPO Name: "GPO_C_All-Domain-Controllers" (can be something else of course)
-
GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
-
GPO Setting: "Global Configuration Settings" = Enabled
- GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
- GPO Setting Item: "HoldPeriod" = 5 (default value)
- GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
- GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
- GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
- GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
- GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
- GPO Setting Item: "PollAdjustFactor" = 5 (default value)
- GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
- GPO Setting Item: "UpdateInterval" = 100 (default value)
- GPO Setting Item: "AnnounceFlags" = 10 (default value)
- GPO Setting Item: "EventLogFlags" = 2 (default value)
- GPO Setting Item: "LocalClockDispersion" = 10 (default value)
- GPO Setting Item: "MaxPollInterval" = 10 (default value)
- GPO Setting Item: "MinPollInterval" = 6 (default value)
- GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
- GPO Setting Item: "ChainMaxEntries" = 128 (default value)
- GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
- GPO Setting Item: "ChainDisable" = 0 (default value)
- GPO Setting Item: "ChainLoggingRate" = 30 (default value)
- GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
-
-
REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.
–
[Task 3] – Create a GPO and link it to the Domain Controllers OU to target only the DC with the PDC FSMO role. Make sure it is applied after the GPO called "GPO_C_All-Domain-Controllers".
In the GPMC create a GPO following configuration (without the single quotes):
-
GPO Name: "GPO_C_RWDC-With-PDC-FSMO-Role" (can be something else of course)
-
GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
-
GPO Setting: "Global Configuration Settings" = Enabled
- GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
- GPO Setting Item: "HoldPeriod" = 5 (default value)
- GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
- GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
- GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
- GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
- GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
- GPO Setting Item: "PollAdjustFactor" = 5 (default value)
- GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
- GPO Setting Item: "UpdateInterval" = 100 (default value)
- GPO Setting Item: "AnnounceFlags" = 5 (default value = 10)
- GPO Setting Item: "EventLogFlags" = 2 (default value)
- GPO Setting Item: "LocalClockDispersion" = 10 (default value)
- GPO Setting Item: "MaxPollInterval" = 10 (default value)
- GPO Setting Item: "MinPollInterval" = 6 (default value)
- GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
- GPO Setting Item: "ChainMaxEntries" = 128 (default value)
- GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
- GPO Setting Item: "ChainDisable" = 0 (default value)
- GPO Setting Item: "ChainLoggingRate" = 30 (default value)
- GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
-
-
REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.
-
GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers"
-
GPO Setting: "Configure Windows NTP Client" = Enabled
- GPO Setting Item: "NtpServer" = <NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag> (default value = time.windows.com,0x9)
- GPO Setting Item: "Type" = NTP (default value = NT5DS)
- GPO Setting Item: "CrossSiteSyncFlags" = 2 (default value)
- GPO Setting Item: "ResolvePeerBackoffMinutes" = 15 (default value)
- GPO Setting Item: "ResolvePeerBackoffMaxTimes" = 7 (default value)
- GPO Setting Item: "SpecialPollInterval" = 3600 (default value)
- GPO Setting Item: "EventLogFlags" = 1 (default value) (The GPO shows "0", but in reality the default value is "1"!)
- GPO Setting Item: "NtpServer" = <NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag> (default value = time.windows.com,0x9)
-
REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.
For more information about configuring the DC in the forest root AD domain with the PDC FSMO through a GPO and WMI Filter see the link ‘Configuring an Authoritative Time Server with Group Policy Using WMI Filtering‘.
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
(2010-09-26) Configuring And Managing The Windows Time Service (Part 3) « Jorge's Quest For Knowledge! said
[…] the previous post (part 2) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role by using GPOs […]
LikeLike
(2010-09-26) Configuring And Managing The Windows Time Service (Part 4) « Jorge's Quest For Knowledge! said
[…] and therefore do not time jumps that are too large. Also taking the first post (part 1) and the second post (part 2) into account, it is now interesting to know how you can see what the configuration is a certain DC […]
LikeLike
(2011-07-11) The Impact Of FSMO Roles Not Being Available « Jorge's Quest For Knowledge! said
[…] For this also see "Configuring And Managing The Windows Time Service (Part 1)", "Configuring And Managing The Windows Time Service (Part 2)", "Configuring And Managing The Windows Time Service (Part 3)" and "Configuring […]
LikeLike
Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations « Jorge's Quest For Knowledge! said
[…] (2010-09-26) Configuring And Managing The Windows Time Service (Part 2) […]
LikeLike
(2011-10-23) Best Practices For The Default Domain Policy And The Default Domain Controllers Policy GPOs « Jorge's Quest For Knowledge! said
[…] about that in “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)” and […]
LikeLike
Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN) « Jorge's Quest For Knowledge! said
[…] (2010-09-26) Configuring And Managing The Windows Time Service (Part 2) […]
LikeLike
Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy said
[…] Industry Blog: Configuring And Managing The Windows Time Service (Part 2) […]
LikeLike