…to synchronize your DC(s) with a correct time source and make the DCs authoritative for the clients, follow these steps:
If you have more than one domain controller, only the PDC emulator should sync its time with an external NTP source; all other DCs should sync with NT5DS (domain hierarchy), which makes them follow the PDC emulator. The PDC emulator can be singled out with a WMI filter on Win32_ComputerSystem.DomainRole.
Create two WMI filters in Group Policy Console:
DC with PDC emulator -> "Select * from Win32_ComputerSystem where DomainRole = 5"
all other DCs -> "Select * from Win32_ComputerSystem where DomainRole = 4"
Create two policies: one that syncs with NTP for the DC holding the PDC emulator role, and one that syncs with NT5DS for all other DCs.
Create a policy for the non-PDC-emulator domain controllers:
…the default NtpServer entry can be left as it is, because it is ignored when Type is NT5DS (domain hierarchy)…
…no policy is needed for workstations/desktops and domain-joined member servers, because they sync with a DC automatically (domain-joined machines default to NT5DS)…
Link both policies to the Domain Controllers OU and attach the matching WMI filter to each:
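The two policies above can also be built from PowerShell. The following is an added example, not the original post's own steps: it uses the GroupPolicy module to create both GPOs, write the registry values behind "Enable Windows NTP Client" and "Configure Windows NTP Client", and link them to the Domain Controllers OU. The GPO names and the NTP server addresses are placeholders; the WMI filters ("DomainRole = 5" / "DomainRole = 4") are still created and attached in GPMC as shown above, because the GroupPolicy module has no cmdlet for WMI filters.

```powershell
# Added example (not from the original post). Run as a Domain Admin with RSAT installed.
# Assumptions: GPO names and NTP servers below are placeholders; WMI filters are attached in GPMC.
Import-Module GroupPolicy

$Params    = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$NtpClient = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$DcOu      = 'OU=Domain Controllers,' + ([ADSI]'LDAP://RootDSE').defaultNamingContext

function New-W32TimeGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('NTP', 'NT5DS')][string]$Type,
        # Ignored by W32Time when Type is NT5DS, so the Windows default is fine there.
        [string]$NtpServer = 'time.windows.com,0x9'
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment "W32Time Type=$Type" }

    # "Enable Windows NTP Client"
    Set-GPRegistryValue -Name $Name -Key $NtpClient -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

    # "Configure Windows NTP Client": Type selects the source, NtpServer only matters for NTP
    Set-GPRegistryValue -Name $Name -Key $Params -ValueName 'Type'      -Type String -Value $Type      | Out-Null
    Set-GPRegistryValue -Name $Name -Key $Params -ValueName 'NtpServer' -Type String -Value $NtpServer | Out-Null
    $clientDefaults = @{
        CrossSiteSyncFlags         = 2     # 2 = may sync across sites (PDCe can live in another site)
        ResolvePeerBackoffMinutes  = 15
        ResolvePeerBackoffMaxTimes = 7
        SpecialPollInterval        = 3600  # seconds; used for servers listed with the 0x1 flag
        EventLogFlags              = 0
    }
    foreach ($v in $clientDefaults.GetEnumerator()) {
        Set-GPRegistryValue -Name $Name -Key $NtpClient -ValueName $v.Key -Type DWord -Value $v.Value | Out-Null
    }

    # Link to the Domain Controllers OU; the WMI filter decides which DC actually applies it
    New-GPLink -Name $Name -Target $DcOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# PDC emulator: external NTP source (placeholder hosts; 0x8 = client mode, list is space separated)
New-W32TimeGpo -Name 'W32Time - PDCe (NTP)' -Type NTP -NtpServer 'ntp1.example.com,0x8 ntp2.example.com,0x8' | Out-Null
# Every other DC: domain hierarchy, follows the PDC emulator
New-W32TimeGpo -Name 'W32Time - DCs (NT5DS)' -Type NT5DS | Out-Null

# Show what each GPO will write under ...\W32Time\Parameters on the DCs it applies to
foreach ($n in 'W32Time - PDCe (NTP)', 'W32Time - DCs (NT5DS)') {
    Get-GPRegistryValue -Name $n -Key $Params | Select-Object @{n = 'GPO'; e = { $n }}, ValueName, Value
}
```

The NT5DS policy deliberately leaves NtpServer at the Windows default: W32Time does not read it in that mode, and keeping the full value set means GPMC displays the setting as "Configure Windows NTP Client" rather than as an extra registry entry.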
If you run your domain controllers in a virtual environment such as Hyper-V or Azure, you must disable time synchronization with the host on all VMs within the domain, otherwise you play ping-pong: the policy sets the time, the host sets it back, the policy sets it again, and so on.
Change the registry (import as a .reg file):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]
"Enabled"=dword:00000000
Policy Update:
gpupdate /target:computer /force
check the registry settings written by the policy:
HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters\….
force sync:
net stop w32time && net start w32time
w32tm /resync /force
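The checks above can be wrapped into one script that is run elevated on each DC after gpupdate. This is an added example, not part of the original post: it derives the expected Type from the same DomainRole values the WMI filters use, disables the VMIC provider on Hyper-V/Azure guests, confirms the policy key is present, resyncs, and reads back the source W32Time actually uses. Function and variable names are my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on each DC.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$VmicKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-ExpectedSyncType {
    # Same DomainRole values as the two WMI filters: 5 = PDC emulator, 4 = any other DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        5       { 'NTP' }
        4       { 'NT5DS' }
        default { throw "DomainRole $role is not a domain controller; nothing to check here" }
    }
}

function Disable-HostTimeSync {
    # The VMIC provider key only exists on Hyper-V/Azure guests; Enabled=0 stops the host
    # from overwriting the time the policy sets (the ping-pong described above).
    if (-not (Test-Path $VmicKey)) { Write-Host 'No VMICTimeProvider key: not a Hyper-V guest'; return $false }
    Set-ItemProperty -Path $VmicKey -Name Enabled -Value 0 -Type DWord
    return ((Get-ItemProperty -Path $VmicKey).Enabled -eq 0)
}

function Test-W32TimePolicy {
    param([Parameter(Mandatory)][string]$Expected)
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p) { Write-Warning "No policy under $PolicyKey; did the WMI filter match? Check gpresult /r"; return $false }
    if ($p.Type -ne $Expected) { Write-Warning "Policy Type is '$($p.Type)', expected '$Expected'"; return $false }
    return $true
}

function Sync-AndVerify {
    param([Parameter(Mandatory)][string]$Expected)
    Restart-Service -Name w32time -Force
    & w32tm.exe /resync /force | Out-Null
    $source = (& w32tm.exe /query /source | Out-String).Trim()
    # Any of these means W32Time has no network peer at all, or is still following the host
    $bad = @('Local CMOS Clock', 'Free-running System Clock', 'VM IC Time Synchronization Provider')
    $ok = $bad -notcontains $source
    if ($Expected -eq 'NT5DS') {
        # In domain hierarchy the source must be a DC, ultimately chaining to the PDC emulator
        $pdce = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
        Write-Host "Source: $source (PDC emulator is $pdce)"
    } else {
        Write-Host "Source: $source (should be one of the configured external NTP servers)"
    }
    & w32tm.exe /query /status
    return $ok
}

$expected = Get-ExpectedSyncType
Disable-HostTimeSync | Out-Null
if ((Test-W32TimePolicy -Expected $expected) -and (Sync-AndVerify -Expected $expected)) {
    Write-Host "OK: $env:COMPUTERNAME syncs via $expected"
} else {
    Write-Warning "$env:COMPUTERNAME is not syncing as intended; inspect w32tm /query /configuration"
}
```

On a Hyper-V host you can reach the same result from the outside with Disable-VMIntegrationService -VMName <vm> -Name 'Time Synchronization'; on Azure there is no host-side switch, so the guest registry change above is the only option.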