I’m currently upgrading domain controllers from 2008R2 to 2012R2 in various countries in my workplace. As I was project planning our UK and Germany upgrade I noticed that the PDC on our UK DC has it’s NTP time source set manually. As part of my project I will be moving the PDC FSMO role from it’s existing DC to another and then move it once again at a later stage in the project!
Naturally I didn’t want to set the NTP time source manually each time so here’s how I did it via GPO so I don’t have to worry about it:
The first thing I did was to create a GPO filter that would target only my PDC:
In the Group policy editor, select the WMI Filters node, right-click it and select New:
Give the filter a meaningful name then click the Add button:
Type the query to target the PDC emulator as shown in the screenshot below. DomainRole = 5 targets only the PDC. I found this information here where you can also find information on how to target other roles if need be.
On investigation I discovered that it can be safely ignored as it seems to be a bug. There are a few posts out there saying to enclose the where clause in parenthesis or quotes but this never worked. At any rate, ignoring the message worked for me. I tried transferring the PDC role a couple of times and the GPO switched accordingly despite the message so all’s good.
Now for the GPO. Create a new GPO and navigate to the following:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
Select ‘Configure Windows NTP Client’ and enter the name or IP address of your NTP server followed by ,0x1 (Incidentally, if you want to know more about the flags, check out this excellent post.)
That’s it – now when I move the PDC FSMO role throughout my UK\Germany project I have one less thing to worry about!