How to set the PDC NTP Time provider via GPO

I’m currently upgrading domain controllers from 2008R2 to 2012R2 in various countries in my workplace. As I was project planning our UK and Germany upgrade I noticed that the PDC on our UK DC has its NTP time source set manually. As part of my project I will be moving the PDC FSMO role from its existing DC to another and then move it once again at a later stage in the project!

Naturally I didn’t want to set the NTP time source manually each time so here’s how I did it via GPO so I don’t have to worry about it:

The first thing I did was to create a GPO filter that would target only my PDC:

1. In the Group Policy editor, select the WMI Filters node, right-click it and select New:

[Screenshot: Where to set WMI filter]

2. Give the filter a meaningful name then click the Add button:

[Screenshot: Click Add on filter]

3. Type the query to target the PDC emulator as shown in the screenshot below. DomainRole = 5 targets only the PDC. I found this information here where you can also find information on how to target other roles if need be.

[Screenshot: The WMI filter]

4. When I clicked OK on my 2012R2 DC I received the following error:

[Screenshot: Error message - ignore]

On investigation I discovered that it can be safely ignored as it seems to be a bug. There are a few posts out there saying to enclose the where clause in parentheses or quotes but this never worked. At any rate, ignoring the message worked for me. I tried transferring the PDC role a couple of times and the GPO switched accordingly despite the message so all’s good.

5. Click Save on your newly created filter:

[Screenshot: Click save]

6. Now for the GPO. Create a new GPO and navigate to the following:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

7. Select ‘Configure Windows NTP Client’ and enter the name or IP address of your NTP server followed by ,0x1 (incidentally, if you want to know more about the flags, check out this excellent post).

If you wish to add more than one NTP server, note that they are space-separated, e.g. (note the space between the 0x1 and the 1):
0.pool.ntp.org,0x01 1.pool.ntp.org,0x01

[Screenshot: Configure NTP Client]

8. Enable this too while you are there…

[Screenshot: enable client]

9. And this one…

[Screenshot: Enable NTP Server]

10. Now all you need to do is select the WMI filter you created earlier in your GPO, and link the GPO to your Domain Controllers OU:

[Screenshot: Select your filter on the GPO]

11. When you flip the PDC FSMO role you will see the GPO applied to the new PDC when the DCs refresh their GPO policy (every 5 minutes by default):

[Screenshot: GPO Applied to PDC]

That’s it – now when I move the PDC FSMO role throughout my UK\Germany project I have one less thing to worry about!
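
To confirm the result on a given DC after a role move, the following check can be run there. It is an added example, not part of the original post. It assumes the usual WQL form of the filter (the post's own query is only in its screenshot) and that the policy values land under HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters; the function name ConvertFrom-NtpPeerList is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.

# Split a w32time peer list ("host,0xFLAGS host,0xFLAGS") and decode each flag value.
function ConvertFrom-NtpPeerList {
    param([Parameter(Mandatory)][string]$PeerList)
    $flagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'
                    4 = 'SymmetricActive'; 8 = 'Client' }
    foreach ($entry in ($PeerList.Trim() -split '\s+')) {
        $name, $rawFlag = $entry -split ',', 2
        # Convert.ToInt32 with base 16 accepts an optional 0x prefix.
        $flag = if ($rawFlag) { [Convert]::ToInt32($rawFlag, 16) } else { 0 }
        $set  = $flagNames.Keys | Sort-Object |
                Where-Object { $flag -band $_ } | ForEach-Object { $flagNames[$_] }
        [pscustomobject]@{
            Peer    = $name
            Flags   = '0x{0:x}' -f $flag
            Meaning = $set -join ', '
        }
    }
}

# Constructed sample: the two-server value from step 7.
ConvertFrom-NtpPeerList '0.pool.ntp.org,0x01 1.pool.ntp.org,0x01' | Format-Table -AutoSize

# Assumed WQL form of the filter; DomainRole = 5 returns a row only on the PDC emulator.
$wql   = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'
$isPdc = [bool](Get-CimInstance -Query $wql)

# Assumed location of the values written by the Time Providers policy.
$key       = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policy    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$hasPolicy = [bool]$policy.NtpServer

"Filter matches this DC: $isPdc; NtpServer policy present: $hasPolicy"
if ($hasPolicy) { ConvertFrom-NtpPeerList $policy.NtpServer | Format-Table -AutoSize }

# The PDC should have the policy value; every other DC should not.
if ($isPdc -ne $hasPolicy) {
    Write-Warning 'Filter result and applied policy disagree; run gpupdate /force and check gpresult /r.'
}

# Source the time service is actually using right now.
w32tm /query /source
```

On the old PDC the policy value should disappear after the next policy refresh, and w32tm /query /source should stop reporting the external NTP server.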
