DC as NTP GPO Question
Posted by scorc1@reddit | sysadmin | 16 comments
If I have a DC as the main NTP server (the PDC, per GPO targeting), would I NOT need to also enable the GPO "Enable Windows NTP Server"?
Everything I read/locate doesn't mention that particular GPO, but DOES mention the one right beside it: "Enable Windows NTP Client".
Client makes sense so it can first get time, but wouldn't we then need to enable the NTP server on that server to serve time to other DCs/Domain Clients?
ElevenNotes@reddit
You don’t have to configure anything for AD joined devices to get the time from their closest DC, which gets its time from the PDC. I still recommend not using your PDC as time source though. Set up a proper NTP infrastructure and then sync time for all devices from your on-prem NTP infra; this includes all AD devices, all switches, all routers, all printers and so on.
scorc1@reddit (OP)
Any suggestions for reading material on how to set that all up?
AforAnonymous@reddit
Word of caution:
The out of box defaults of the GPO ADMX templates are severely outdated, and they don't permit you to configure only a subset; they always set ALL the parameters. The out of box defaults inside the registry, ONLY starting with Server 2025, are pretty good, but they still neglected updating the ADMX templates to match. Even if you don't have Server 2025, set up a trial server, examine the out of box parameters inside the registry, shove those into the GPO, THEN start fiddling with it.
Most historic MSFT guidance on this is wrong, and some even completely misrepresents how some parameters for (looking at you, SpecialPollInterval; one of the docs confabulates seconds with milliseconds, and only one of them gives you the formula that tells you which values are permitted; I don't have either at hand, unfortunately).
Also, iirc, the NTP server service gets enabled/configured for automatic start during promotion to DC.
NorthAntarcticSysadm@reddit
Using GPO to configure the PDC as the NTP source is not mandatory, though it does make it easier. The GPO will enable firewall rules and configure the Windows Time service with less effort.
Typically I will have 2 GPOs for NTP; this assumes a simple network that is relatively flat.
The first GPO enables NTP on DCs as both client and server: the client points to pool.ntp.org, and the server then offers NTP to the rest of the network. This GPO will have a WMI filter on it to target only domain controllers.
The second GPO enables the NTP client on workstations, pulling NTP from 2 of the DCs.
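One way to build the two GPOs this comment describes, as an added example that is not the commenter's own configuration: it uses the GroupPolicy module (RSAT) from an elevated prompt on a DC and writes the individual registry-based policy values rather than the ADMX "Configure Windows NTP Client" template, so only the listed values are set. GPO names, DC names, the OU paths and the pool hostnames are placeholders.

```powershell
# Added example, not the commenter's own GPOs. Requires the GroupPolicy module
# (RSAT) and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$w32   = 'HKLM\SOFTWARE\Policies\Microsoft\W32time'   # policy key a GPO writes to
$dcGpo = 'NTP - Domain Controllers'                   # placeholder names
$wsGpo = 'NTP - Workstations'

# --- GPO 1: DCs are NTP clients of an external pool and NTP servers for the LAN.
New-GPO -Name $dcGpo | Out-Null
# ",0x8" = client mode (plain request/response), never symmetric active.
Set-GPRegistryValue -Name $dcGpo -Key "$w32\Parameters" -ValueName NtpServer `
    -Type String -Value '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
Set-GPRegistryValue -Name $dcGpo -Key "$w32\Parameters" -ValueName Type -Type String -Value 'NTP'
Set-GPRegistryValue -Name $dcGpo -Key "$w32\TimeProviders\NtpClient" -ValueName Enabled -Type DWord -Value 1
Set-GPRegistryValue -Name $dcGpo -Key "$w32\TimeProviders\NtpServer" -ValueName Enabled -Type DWord -Value 1
New-GPLink -Name $dcGpo -Target 'OU=Domain Controllers,DC=example,DC=com' | Out-Null
# Restrict it to DCs with a WMI filter created in GPMC and attached to this GPO:
#   SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2    (2 = domain controller)

# --- GPO 2: workstations are NTP clients only, pulling from two named DCs.
New-GPO -Name $wsGpo | Out-Null
Set-GPRegistryValue -Name $wsGpo -Key "$w32\Parameters" -ValueName NtpServer `
    -Type String -Value 'dc1.example.com,0x8 dc2.example.com,0x8'
Set-GPRegistryValue -Name $wsGpo -Key "$w32\Parameters" -ValueName Type -Type String -Value 'NTP'
Set-GPRegistryValue -Name $wsGpo -Key "$w32\TimeProviders\NtpClient" -ValueName Enabled -Type DWord -Value 1
# Workstations never need to serve time; forcing the server provider off means
# the time service does not answer NTP requests on endpoints.
Set-GPRegistryValue -Name $wsGpo -Key "$w32\TimeProviders\NtpServer" -ValueName Enabled -Type DWord -Value 0
New-GPLink -Name $wsGpo -Target 'OU=Workstations,DC=example,DC=com' | Out-Null

# Review what each GPO will write before it applies anywhere.
Get-GPRegistryValue -Name $dcGpo -Key "$w32\Parameters"
Get-GPRegistryValue -Name $wsGpo -Key "$w32\Parameters"
```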
scorc1@reddit (OP)
Yeah, that. That's what I have.
On the first GPO, do you NOT enable the GPO titled "Enable Windows NTP Server"?
Located here: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers
NorthAntarcticSysadm@reddit
That is one of the settings in that GPO. Apologies, I made the assumption that others would assume it was there.
ConfidentFuel885@reddit
You don’t need to target anything with GPO. Look up the AD DS NTP Hierarchy. AD joined Windows clients will sync their time with the closest DC, DCs will sync their time with the PDC Emulator, and the PDC Emulator should be configured to sync its time with an external source.
scorc1@reddit (OP)
Yeah, I'm doing that. I just thought we would need to enable the NTP server on the PDC via GPO so the clients can all live on NT5DS for time.
If the server is configured to NOT serve, how is it serving clients?
Cold-Pineapple-8884@reddit
You don’t have to do that. Just make sure the PDC is set to point to an upstream time server. That’s literally all you need to do.
scorc1@reddit (OP)
Thank you for the response, I appreciate it.
TaliesinWI@reddit
Because Windows clients don't need NTP to sync their time from a DC. The DC only needs to be an NTP server if you have _non-Windows_ clients that need to sync time from it.
scorc1@reddit (OP)
This, thank you.
ItsAdammm@reddit
You don't have to configure every setting, but sometimes it's nice that they exist.
If for some reason you didn't want a domain controller to serve time, you could configure it to Disabled to override the locally controlled setting that the domain services role enabled. It may also be good practice to force it disabled for your endpoints to narrow the attack surface.
If you were silly and disabled it in your default domain policy, you could force it enabled for your default domain controller policy to add to your headache.
scorc1@reddit (OP)
Fair, I guess. I did NOT go look at the registry to see if it was already set to enabled.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpServer
*I already set the GPO to enabled, so I'm not sure if what I'm seeing is the legit default or the fault of the GPO, but it's got a key 'Enabled' with value = 1.
I'll spin up another VM and double-check what the normal GPOs do without expressly enabling the NTP server setting.
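One way to settle the question in this post (is Enabled=1 the promotion default or the GPO?) without a second VM, as an added example that is not the poster's own: read the service's local W32Time keys beside the policy keys a GPO writes. A value under the Policies path overrides the local one, so a promotion default shows up as a local value with no policy counterpart. The two registry roots are the standard W32Time locations; run it elevated on the DC.

```powershell
# Added example (not from the thread): show, for the settings that matter here,
# the local (service) value next to the policy value a GPO writes, and which
# one is in effect. Expect the NtpServer "Enabled" row to be the interesting one.
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time'
$subKeys    = @('Parameters', 'TimeProviders\NtpClient', 'TimeProviders\NtpServer')

function Get-RegValues {
    # Return the values under one key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -notmatch '^PS') { $values[$prop.Name] = $prop.Value }
        }
    }
    return $values
}

function Get-W32TimeEffectiveConfig {
    foreach ($sub in $subKeys) {
        $local  = Get-RegValues -Path (Join-Path $localRoot  $sub)
        $policy = Get-RegValues -Path (Join-Path $policyRoot $sub)
        $names  = @($local.Keys) + @($policy.Keys) | Sort-Object -Unique
        foreach ($name in $names) {
            $fromPolicy = $policy.ContainsKey($name)
            [pscustomobject]@{
                Key       = $sub
                Value     = $name
                Local     = $local[$name]
                Policy    = $policy[$name]
                Effective = if ($fromPolicy) { $policy[$name] } else { $local[$name] }
                SetBy     = if ($fromPolicy) { 'GPO' } else { 'local' }
            }
        }
    }
}

Get-W32TimeEffectiveConfig | Format-Table -AutoSize

# Cross-check: w32tm tags each setting it reports with (Local) or (Policy).
w32tm.exe /query /configuration
```

A row with Local = 1, Policy empty and SetBy = local under TimeProviders\NtpServer is the state the earlier comment attributes to DC promotion; the same row with SetBy = GPO is your policy.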
cpz_77@reddit
Honestly I’ve never even bothered with GPOs for NTP, just run the few commands on the PDC to set it to sync with an external time source and be authoritative for the domain, and then run the commands on your other DCs to tell them to sync from the domain hierarchy (and btw I don’t even know if this step is necessary on a new DC - in fact I don’t think it is - but I’ll run it on existing DCs when configuring an environment just to make sure everything is consistent) and you’re done. Everything else from there should “just work” for your Windows clients (of course for non-Windows platforms that require time to be in sync with the domain you may need to enter NTP server info manually).
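The command sequence this comment describes, as an added example that is not the commenter's own: the PDC emulator syncs from external peers and advertises itself as reliable, every other DC follows the domain hierarchy, and the query commands confirm what each DC actually picked. Run from an elevated prompt on each DC; the upstream peer names are placeholders, and the PDC lookup via System.DirectoryServices.ActiveDirectory is used so that no AD module is needed.

```powershell
# Added example, not the commenter's own commands. Run elevated on each DC.
$UpstreamPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # placeholders; ,0x8 = client mode

# Find the PDC emulator without the ActiveDirectory module and compare it to this host.
$pdcFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdc   = $pdcFqdn.Split('.')[0] -ieq $env:COMPUTERNAME

if ($isPdc) {
    # PDC emulator: sync only from the manual peer list and be the authoritative root.
    w32tm.exe /config /manualpeerlist:"$UpstreamPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy (i.e. the PDC) and do not claim to
    # be a reliable root, so it never competes with the PDC for that role.
    w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}

# Drop cached peers, resync now, then verify the result.
w32tm.exe /resync /rediscover
w32tm.exe /query /source          # PDC: an upstream peer; other DCs: the PDC's name
w32tm.exe /query /status          # stratum, leap indicator, last successful sync, offset
w32tm.exe /query /configuration   # each setting tagged (Local) or (Policy)

# From any DC: offsets of every DC in the domain relative to the PDC in one table.
w32tm.exe /monitor
```

If /query /source on a non-PDC DC still names an external peer after the resync, that DC was left in manual mode and the domhier command above is the one to re-run there.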
scorc1@reddit (OP)
You didn't ask, but:
If you dislike GPOs, but enjoy code: look into DSC.
And, thank you.