This will be a very valuable advantage to me. I have to travel around and perform assessments on our subordinate units to ensure that they have their PDCe NTP settings correct. Until now, I have had to provide written documentation and over the shoulder direction, which usually results in someone fat fingering something while creating the GPO or WMI filter. Now I can just give them the script and have them run it. Also, using Jeremy’s modification, I don’t have to copy the WMI module over, because the required piece is in the script.

Thank you very much for this script. Also, lots of thanks to Jeremy for his modifications. This script will allow me to automate a process that I have had to do manually for a couple of years now. I also modified the script in the following way:

If you are applying this script to a DC that is running on a virtual machine, you will want to change the SpecialPollInterval from the default to at most “900” (15 minutes) to minimize time skew. I added the following:

Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
-Key ‘HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient’ `
-Type DWord -ValueName ‘SpecialPollInterval’ -Value 900 | out-null

Also, if you are using a link that is unreliable, you may want the DC to use the gateway router as a secondary NTP server while the link is down. To do this, I added the following:

# Set this to the NTP Servers the PDCe will sync with
$TimeServers = “0.us.pool.ntp.org,0x9 1.us.pool.ntp.org,0xa 2.us.pool.ntp.org,0xa 3.us.pool.ntp.org,0xa”

$KnownGW = Read-Host ” Do you know the IP address of the Gateway Router? Y/N”

If($KnownGW -eq “Y”)
{
$GWIP = Read-Host ‘Please enter the Gateway IP Address’
$GW = $GWIP + “,0xa”
$TimeServers = $TimeServers + $GW

}
Else
{
Write-host “`n The PDCe will be configured with the US Pool NTP servers only`n`n”
}

Thought you might be interested in this.

Thanks again
-karl

I do not mind at all.

Webster

I hope you don’t mind but I’ve enhanced your script to create both WMI Filters and GPOs and reposted it here: http://www.jhouseconsulting.com/2014/01/10/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153

Cheers,
Jeremy

Yes, I planned to write another article on that but the physical server that hosted my DC had processor issues and had to be rebuilt. I lost the VMs on it and never got to write the 2nd article. I will get that written, I hope, real soon.

Thanks

Webster

Great post Carl. I have been reading up on setting the authoritative NTP server manually vs. with a GPO for a new Windows Server 2012 domain. I did have one question. In a similar blog post by Jorge http://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-2/ he uses two separate GPOs. One for all domain controllers, and the second for the one with the FSMO roles. If you only create one GPO as done above, do you risk having more than one authoritative time source? I was looking at the scenario of where you may transfer the FSMO roles to a new server, but the old server is still around. Will the registry settings remain on the old PDCe server even after it is no longer considered the domain master?

Thanks,
Andrew

None actually except now you have the process automated and documented.

You could also use a reg file, or have someone manually set the registry entries, or a vbscript, or….
Plus by using the WMI Filter, if you move the PDCe role to another server, at the next group policy refresh cycle (or running gpupdate /force or rebooting the new PDCe) the new PDCe instantly becomes the authoritative time server. Also, what happens if the PDCe is demoted and you were not aware that role was on the server? Using this the DC that receives the PDCe role will automatically become the new authoritative time server and you didn’t have to think about it.

The only reason I wrote this script (and went through the learning process) is because someone asked how to create the GPO using PoSH. I like learning and challenges that require me to learn.

Thanks

Webster

Thanks,
Prince