If you want to set the time server for your PDC emulator and be sure it always points at your external time server, follow these steps. There are several reasons to manage the NTP settings for the PDC with a Group Policy rather than by hand:
- If you decide to move the PDC emulator role to another domain controller, you do not want to have to go through the trouble of making all of the registry changes again.
- If the PDC emulator fails, and you have to bring up a new server, you may forget to add the settings back, resulting in a time sync issue in your domain.
Microsoft has a feature in Group Policy to help us that you may have read about on this blog, and that is WMI filtering.
Windows Management Instrumentation (WMI) is a powerful feature in Windows that we can leverage to provide us very detailed information about computers in our environment. We can use WMI via a script to remotely manage machines, as well as gather information about machines in our domain for inventory purposes.
The main reason why I have brought this feature up is that we can provide an additional layer of filtering for Group Policy application using WMI.
We can link a GPO to the Domain Controllers OU that carries the W32Time settings for the authoritative time server, but instead of using security filtering and explicitly scoping it to the one domain controller that currently holds the PDC emulator role, we can use a WMI filter. Before continuing, note that WMI filtering only works on computers running Windows XP/Windows Server 2003 and later; you cannot use WMI filtering with Windows 2000.
Below is an example:
The domain I configure this policy on is Windows Server 2008, but the same applies to Windows Server 2003 as well. I am also using Group Policy Management Console (GPMC) which can be installed with the command line: ServerManagerCmd -install gpmc. For those of you who are using Windows Vista you can get GPMC by downloading the Microsoft Remote Server Administration Tools (RSAT).
First I will create my WMI filter:
Name: PDC Role Filter
Description: Queries for the domain controller that holds the PDC emulator FSMO role
Next, add the query to the filter:
Select * from Win32_ComputerSystem where DomainRole = 5
You can use WMIC to verify the current value of the DomainRole property on a given computer. This is a quick sanity check that the filter will match the machine you expect.
To view the DomainRole value locally:
wmic computersystem get domainrole
To view the DomainRole value remotely (where M1 is the remote computer):
wmic /node:"M1" computersystem get domainrole
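The same check can be done for the whole domain at once. The following PowerShell script is an added example, not code from the original post: it runs the exact WQL query the WMI filter uses against every domain controller, reports each DC's DomainRole, and verifies that exactly one DC matches and that it is the PDC emulator role owner according to Active Directory. It assumes you run it from a domain-joined machine with rights to query WMI over DCOM on each DC; the role names are the documented values for Win32_ComputerSystem.

```powershell
# Added example (not from the original post): confirm that the WMI filter
# "Select * from Win32_ComputerSystem where DomainRole = 5" matches exactly
# one domain controller, and that it is the current PDC emulator.
# Assumes: domain-joined machine, WMI/DCOM access to every DC.

# Documented DomainRole values for Win32_ComputerSystem
$roleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'
    5 = 'Primary Domain Controller'
}

# Same WQL the GPMC WMI filter evaluates; a DC is in scope when the
# query returns at least one instance on that DC.
$filterQuery = 'Select * from Win32_ComputerSystem where DomainRole = 5'

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc     = $domain.PdcRoleOwner.Name      # FQDN of the PDC emulator per AD
$matches = @()

foreach ($dc in $domain.DomainControllers) {
    try {
        # What the filter itself will see on this DC
        $hit  = Get-WmiObject -ComputerName $dc.Name -Query $filterQuery -ErrorAction Stop
        # Full role value for the report
        $role = (Get-WmiObject -ComputerName $dc.Name -Class Win32_ComputerSystem -ErrorAction Stop).DomainRole
        $inScope = [bool]$hit
        if ($inScope) { $matches += $dc.Name }
        '{0,-30} DomainRole={1} ({2}) filter match: {3}' -f $dc.Name, $role, $roleNames[[int]$role], $inScope
    }
    catch {
        '{0,-30} WMI query failed: {1}' -f $dc.Name, $_.Exception.Message
    }
}

# Exactly one DC should match, and it must be the PDC emulator AD reports.
if ($matches.Count -ne 1) {
    Write-Warning ('Expected exactly one DC to match the filter, got {0}' -f $matches.Count)
}
elseif ($matches[0] -ne $pdc) {
    Write-Warning ('Filter matches {0} but AD says the PDC emulator is {1}' -f $matches[0], $pdc)
}
else {
    "OK: the filter scopes the GPO to $pdc, the current PDC emulator."
}
```

Run it once before linking the filter and again after transferring or seizing the role; the "exactly one match" check is what protects you from either zero DCs or two DCs picking up the authoritative time server settings.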
In WMI, the various components of the operating system and the physical machine are broken up into classes. The Win32_ComputerSystem class represents a computer running a Windows OS. Have a look at the MSDN link at the end of this post for this class as well as other WMI classes.
The Win32_ComputerSystem class has many properties and methods that can be used in scripting as well as in Group Policy filtering, but for the purposes of this post we will focus on the DomainRole property:
From the MSDN website:
"Role of a computer in an assigned domain workgroup. A domain workgroup is a collection of computers on the same network. For example, a DomainRole property may show that a computer is a member workstation. This property is inherited from CIM_ManagedSystemElement."
The documented DomainRole values are:
- 0: Standalone Workstation
- 1: Member Workstation
- 2: Standalone Server
- 3: Member Server
- 4: Backup Domain Controller
- 5: Primary Domain Controller
As you can see from the table above, 5 means Primary Domain Controller. So the query, Select * from Win32_ComputerSystem where DomainRole = 5, selects a machine whose DomainRole is 5, which in an Active Directory domain is the domain controller currently holding the PDC emulator role; every other domain controller reports 4. If you would like a separate Windows Time GPO for all the other domain controllers, change the filter to DomainRole = 4.
Now I am going to link my WMI filter to my already configured Authoritative Time Server Group policy:
What I have just accomplished is that the Authoritative Time Server GPO will only apply to the domain controller that holds the PDC emulator FSMO role. By configuring the policy in this fashion, I can transfer the PDC emulator role to any domain controller and the policy will follow the role. Likewise, if the PDC fails and I bring up a new domain controller and seize the PDC emulator role onto it, the policy will apply on the next policy refresh or when I force one with gpupdate. Because the Windows Time settings are Administrative Template policy settings stored under HKLM\SOFTWARE\Policies\Microsoft\W32Time, they are also removed from the former PDC once it falls out of the filter's scope, so it reverts to the default domain hierarchy time sync rather than keeping a stale external NTP configuration.
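To confirm the end state after the policy has refreshed, the following PowerShell script is an added example (not part of the original post). It reads the policy-delivered W32Time settings from each domain controller's registry under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters and checks that the PDC emulator shows Type=NTP with the expected external server while no other DC carries the policy key at all. It assumes the Remote Registry service is reachable on each DC, that your GPO sets the Type and NtpServer values, and the NTP server name used below is a placeholder for whatever your GPO configures.

```powershell
# Added example (not from the original post): verify that the W32Time GPO
# scoped by the WMI filter landed on the PDC emulator and nowhere else.
# Policy-managed W32Time settings live under the Policies hive; DCs outside
# the filter's scope should have no such key and keep the NT5DS default.
# Assumes: Remote Registry reachable on every DC; the GPO sets Type/NtpServer.

$expectedNtpServer = 'time.example.com,0x9'   # placeholder: the value your GPO sets
$policyKey = 'SOFTWARE\Policies\Microsoft\W32Time\Parameters'

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

foreach ($dc in $domain.DomainControllers) {
    $isPdc = ($dc.Name -eq $pdc)
    $type  = $null
    $ntp   = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
        $key  = $hklm.OpenSubKey($policyKey)
        if ($key) {
            $type = $key.GetValue('Type')
            $ntp  = $key.GetValue('NtpServer')
            $key.Close()
        }
        $hklm.Close()
    }
    catch {
        '{0,-30} registry query failed: {1}' -f $dc.Name, $_.Exception.Message
        continue
    }

    if ($isPdc) {
        # The role owner must have picked up the external NTP configuration.
        $ok = ($type -eq 'NTP' -and $ntp -eq $expectedNtpServer)
        '{0,-30} PDC emulator: Type={1} NtpServer={2} -> {3}' -f $dc.Name, $type, $ntp, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
    else {
        # Any other DC still carrying the policy key either applied the GPO
        # outside the filter's scope or has not refreshed since losing the
        # role; run gpupdate /force on it and re-check.
        $ok = ($type -eq $null)
        '{0,-30} other DC:     policy Type={1} -> {2}' -f $dc.Name, $(if ($type) { $type } else { '<none>' }), $(if ($ok) { 'OK' } else { 'UNEXPECTED POLICY' })
    }
}
```

On the PDC itself, w32tm /query /source (Windows Server 2008 and later) should then name your external time server, while the other DCs continue to report a domain controller as their source.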
I hope that you have learned a little more on how powerful WMI Filters are and how they can be leveraged to apply Group Policies based on a WMI Filter.
And here is the finished NTP policy.
Further reading:
- Windows Management Instrumentation
- WMI filtering using GPMC
- Windows Management Instrumentation Command-line