How to set the PDC NTP Time provider via GPO

I’m currently upgrading domain controllers from 2008R2 to 2012R2 in various countries in my workplace. As I was project planning our UK and Germany upgrade I noticed that the PDC on our UK DC has its NTP time source set manually. As part of my project I will be moving the PDC FSMO role from its existing DC to another and then move it once again at a later stage in the project!

Naturally I didn’t want to set the NTP time source manually each time so here’s how I did it via GPO so I don’t have to worry about it:

The first thing I did was to create a GPO filter that would target only my PDC:

In the Group policy editor, select the WMI Filters node, right-click it and select New:

Where to set wmi filter

Give the filter a meaningful name then click the Add button:

Click Add on filter

Type the query to target the PDC emulator as shown in the screenshot below.  DomainRole = 5 targets only the PDC.  I found this information here where you can also find information on how to target other roles if need be.

The wmi filter

When I clicked OK on my 2012R2 DC I received the following error:
Error message - ignore

On investigation I discovered that it can be safely ignored as it seems to be a bug. There are a few posts out there saying to enclose the where clause in parentheses or quotes but this never worked. At any rate, ignoring the message worked for me. I tried transferring the PDC role a couple of times and the GPO switched accordingly despite the message so all’s good.

Click Save on your newly created filter:
Click save

Now for the GPO.  Create a new GPO and navigate to the following:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

Select ‘Configure Windows NTP Client’ and enter the name or IP address of your NTP server followed by ,0x1. (Incidentally, if you want to know more about the flags, check out this excellent post.)

If you wish to add more than one NTP server, note that they are space-separated, e.g.: (Note the space between the 0x1 and the 1),0x01,0x01
Configure NTP Client

Enable this too while you are there…
enable client

And this one…
Enable NTP Server

Now all you need to do is select the WMI filter you created earlier in your GPO, and link the GPO to your Domain Controllers OU:
Select your filter on the GPO

When you flip the PDC FSMO role you will see the GPO applied to the new PDC when the DCs refresh their GPO policy (every 5 minutes by default).
GPO Applied to PDC

That’s it – now when I move the PDC FSMO role throughout my UK\Germany project I have one less thing to worry about!
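To confirm on any DC that the filter and policy behave as described above, the following check can be run after a policy refresh. It is an added example, not part of the original post. It assumes the WMI filter queries `Win32_ComputerSystem` for `DomainRole = 5` and that the policy settings are written under `HKLM:\SOFTWARE\Policies\Microsoft\W32Time`.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Assumption: the GPO settings are stored under the W32Time policy key below.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'

# 1. Evaluate the same condition the WMI filter tests (DomainRole 5 = PDC emulator).
$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isPdc = ($role -eq 5)
Write-Output "DomainRole = $role (PDC emulator: $isPdc)"

# 2. Read what the policy delivered to this machine, if anything.
$params = Get-ItemProperty -Path "$policyRoot\Parameters" -ErrorAction SilentlyContinue
$client = Get-ItemProperty -Path "$policyRoot\TimeProviders\NtpClient" -ErrorAction SilentlyContinue
$server = Get-ItemProperty -Path "$policyRoot\TimeProviders\NtpServer" -ErrorAction SilentlyContinue

if (-not $isPdc) {
    # The filter should exclude this DC, so no policy time source is expected here.
    if ($params.NtpServer) { Write-Warning "Not the PDC, but policy NtpServer is set: $($params.NtpServer)" }
    else { Write-Output 'Not the PDC and no policy time source present, as expected.' }
    return
}
if (-not $params.NtpServer) {
    Write-Warning 'This is the PDC but no policy NtpServer value was found; check the filter and the GPO link.'
    return
}

# 3. Parse the peer list: entries are space separated, each "host,0xFLAGS".
foreach ($entry in ($params.NtpServer -split '\s+' | Where-Object { $_ })) {
    if ($entry -match '^(?<peer>[^,\s]+),0x(?<flags>[0-9a-fA-F]+)$') {
        $flags = [Convert]::ToInt32($Matches['flags'], 16)
        Write-Output ("Peer {0} with flags 0x{1:x}" -f $Matches['peer'], $flags)
    } else {
        Write-Warning "Entry '$entry' does not match the host,0xN form (peers must be separated by spaces)"
    }
}

# 4. The manual peer list is only used when Type is NTP (or AllSync).
if ($params.Type -notin 'NTP', 'AllSync') {
    Write-Warning "Type is '$($params.Type)'; the NtpServer list is ignored unless Type is NTP or AllSync"
}
Write-Output "NtpClient Enabled = $($client.Enabled); NtpServer Enabled = $($server.Enabled)"

# 5. Ask the running time service which source it is actually using.
w32tm /query /source
```

Running it on both the old and the new PDC after a role transfer shows the policy values disappearing from one and appearing on the other.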
