Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

«
»

(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)

Posted by Jorge on 2010-09-26


In the previous post (part 1) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role manually. The commands mentioned in that post must be executed on DC in the forest root AD domain hosting the PDC FSMO role. To prevent these manual actions, it is also possible to achieve the same result after a one-time configuration in AD through GPOs and a WMI filter. Perform the following tasks.

[Task 1] – Create a WMI filter to only target the DC with the PDC FSMO role.

image

In the GPMC create a WMI filter with the following configuration (without the single quotes):

  • WMI Filter Name: "RWDC With The PDC FSMO role" (can be something else of course)
  • WMI Filter Description: ‘This WMI filter targets the DC with the PDC FSMO Role’ (can be something else of course)
  • WMI Filter Namespace: ‘rootCIMv2’
  • WMI Filter Query: ‘Select * from Win32_ComputerSystem where DomainRole = 5’

[Task 2] – Create a GPO and link it to the Domain Controllers OU to target all DCs. Make sure it is applied after the GPO called "Default Domain Controllers Policy".

image

image

In the GPMC create a GPO with following configuration (without the single quotes):

  • GPO Name: "GPO_C_All-Domain-Controllers" (can be something else of course)
    • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
      • GPO Setting: "Global Configuration Settings" = Enabled
        • GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
        • GPO Setting Item: "HoldPeriod" = 5 (default value)
        • GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
        • GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
        • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
        • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
        • GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
        • GPO Setting Item: "PollAdjustFactor" = 5 (default value)
        • GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
        • GPO Setting Item: "UpdateInterval" = 100 (default value)
        • GPO Setting Item: "AnnounceFlags" = 10 (default value)
        • GPO Setting Item: "EventLogFlags" = 2 (default value)
        • GPO Setting Item: "LocalClockDispersion" = 10 (default value)
        • GPO Setting Item: "MaxPollInterval" = 10 (default value)
        • GPO Setting Item: "MinPollInterval" = 6 (default value)
        • GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
        • GPO Setting Item: "ChainMaxEntries" = 128 (default value)
        • GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
        • GPO Setting Item: "ChainDisable" = 0 (default value)
        • GPO Setting Item: "ChainLoggingRate" = 30 (default value)

REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.

[Task 3] – Create a GPO and link it to the Domain Controllers OU to target only the DC with the PDC FSMO role. Make sure it is applied after the GPO called "GPO_C_All-Domain-Controllers".

image

image

In the GPMC create a GPO following configuration (without the single quotes):

  • GPO Name: "GPO_C_RWDC-With-PDC-FSMO-Role" (can be something else of course)
    • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
      • GPO Setting: "Global Configuration Settings" = Enabled
        • GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
        • GPO Setting Item: "HoldPeriod" = 5 (default value)
        • GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
        • GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
        • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
        • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item later in this blogpost!)
        • GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
        • GPO Setting Item: "PollAdjustFactor" = 5 (default value)
        • GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
        • GPO Setting Item: "UpdateInterval" = 100 (default value)
        • GPO Setting Item: "AnnounceFlags" = 5 (default value = 10)
        • GPO Setting Item: "EventLogFlags" = 2 (default value)
        • GPO Setting Item: "LocalClockDispersion" = 10 (default value)
        • GPO Setting Item: "MaxPollInterval" = 10 (default value)
        • GPO Setting Item: "MinPollInterval" = 6 (default value)
        • GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
        • GPO Setting Item: "ChainMaxEntries" = 128 (default value)
        • GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
        • GPO Setting Item: "ChainDisable" = 0 (default value)
        • GPO Setting Item: "ChainLoggingRate" = 30 (default value)

REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.

  • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers"
    • GPO Setting: "Configure Windows NTP Client" = Enabled
      • GPO Setting Item: "NtpServer" = <NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag> (default value = time.windows.com,0x9)
      • GPO Setting Item: "Type" = NTP (default value = NT5DS)
      • GPO Setting Item: "CrossSiteSyncFlags" = 2 (default value)
      • GPO Setting Item: "ResolvePeerBackoffMinutes" = 15 (default value)
      • GPO Setting Item: "ResolvePeerBackoffMaxTimes" = 7 (default value)
      • GPO Setting Item: "SpecialPollInterval" = 3600 (default value)
      • GPO Setting Item: "EventLogFlags" = 1 (default value) (The GPO shows "0", but in reality the default value is "1"!)

REMARK: You must define all GPO configuration items with default or custom values because all part of the same GPO setting.

For more information about configuring the DC in the forest root AD domain with the PDC FSMO through a GPO and WMI Filter see the link ‘Configuring an Authoritative Time Server with Group Policy Using WMI Filtering‘.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

This entry was posted on 2010-09-26 at 20:40 and is filed under Active Directory Domain Services (ADDS), Blog Post Series, Core Networking Services, NTP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses to “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”

  1. (2010-09-26) Configuring And Managing The Windows Time Service (Part 3) « Jorge's Quest For Knowledge! said

    2011-08-04 at 14:45

    […] the previous post (part 2) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role by using GPOs […]

    Like

    Reply

  2. (2010-09-26) Configuring And Managing The Windows Time Service (Part 4) « Jorge's Quest For Knowledge! said

    2011-08-04 at 14:45

    […] and therefore do not time jumps that are too large. Also taking the first post (part 1) and the second post (part 2) into account, it is now interesting to know how you can see what the configuration is a certain DC […]

    Like

    Reply

  3. (2011-07-11) The Impact Of FSMO Roles Not Being Available « Jorge's Quest For Knowledge! said

    2011-08-07 at 22:27

    […] For this also see "Configuring And Managing The Windows Time Service (Part 1)", "Configuring And Managing The Windows Time Service (Part 2)", "Configuring And Managing The Windows Time Service (Part 3)" and "Configuring […]

    Like

    Reply

  4. Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations « Jorge's Quest For Knowledge! said

    2011-09-14 at 14:38

    […] (2010-09-26) Configuring And Managing The Windows Time Service (Part 2) […]

    Like

    Reply

  5. (2011-10-23) Best Practices For The Default Domain Policy And The Default Domain Controllers Policy GPOs « Jorge's Quest For Knowledge! said

    2011-10-23 at 23:04

    […] about that in “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)” and […]

    Like

    Reply

  6. Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN) « Jorge's Quest For Knowledge! said

    2013-11-17 at 04:54

    […] (2010-09-26) Configuring And Managing The Windows Time Service (Part 2) […]

    Like

    Reply

  7. Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy said

    2014-01-09 at 18:49

    […] Industry Blog: Configuring And Managing The Windows Time Service (Part 2) […]

    Like

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»