**Note from the Author: Although this may be helpful for older OS versions, the process below is no longer the correct method.
There are many reasons that a network administrator may want to synchronize the clocks on all Windows computers across the Active Directory domain. The following steps will demonstrate how to easily accomplish that goal using group policy. In this example, all client workstations will obtain the time and date from a domain controller using the NTP protocol.
This “howto” assumes that the domain is in good health and has a functional group policy infrastructure.
Setting Up the Server Policy
- On a domain controller, open up the Group Policy Management MMC.
- Locate the OU (Organization Unit) that contains the server that will be the time source, right-click it and select “Create and Link a GPO Here…”. (typically this would be the Domain Controllers OU)
- Give the new GPO a descriptive name such as “NTP Server” or “Time Sync – DCs”
- Right-click the newly-created GPO and click “Edit”. This will open the Group Policy Object Editor.
- In the “Computer Configuration” section of the editor, expand “Administrative Templates” –>”System” –> “Windows Time Service” then click “Time Providers”.
- Set the “Enable Windows NTP Server” policy setting to “Enabled”
- Optional: At this time, a sync source for the server can also be configured using the “Enable Windows NTP Client” and “Configure Windows NTP Client” policy settings. By default, Windows computers will sync to Microsoft’s time.windows.com NTP server. If this is adequate for your particular setup, these settings can be left alone.
- Open up a command prompt and run the following commands to apply the policy:
gpupdate /force
net stop w32time
net start w32time
Setting Up the Client Policy
- If it is not still open, open up the Group Policy Management MMC on a domain controller.
- Locate the OU that contains all of the client computers on the network that should be synchronized with the server’s clock, right-click the OU and select “Create and Link a GPO here…”.
- Give the new GPO a descriptive name such as “NTP Client” or “Time Sync-Workstations”.
- Right-click the new GPO and click “Edit…”
- In the “Computer Configuration” section of the editor, expand “Administrative Templates” –>”System” –> “Windows Time Service” then click “Time Providers”.
- Set the “Enable Windows NTP Client” policy setting to “Enabled”.
- Double-click the “Configure Windows NTP Client” policy Setting.
- Set the radio box next to “Enabled” to activate the configuration section below.
- Set the “NtpServer” parameter to the IP Address or fully qualified DNS address of the server we applied the policy to in the section above.
- Set the “Type” parameter to “NTP”.
- Unless the Windows Time Server was customized beyond the scope of this how-to, the rest of the settings can be left at their default values.
Testing and Verification
- On a client computer that is contained within the OU specified in step 2 above, open a command prompt and run the following commands:
gpupdate /force
w32tm /resync - The output of the w32tm /resync command should be “The command completed successfully.” If an error is shown, check the application and system logs for group policy/SceCli errors and/or W32Time.
-n
No comment yet
6 pings
Saj says:
April 2, 2013 at 3:42 am (UTC -5)
Great one..Worked for me big time..Thx
Derek says:
August 1, 2013 at 11:09 pm (UTC -5)
Thanks for your clear instructions. I have been unable to get this working though.
Have been trying to set this up on a 2008 R2 DC.
Followed your instructions carefully but here’s what I’m getting when testing:
C:\Users\administrator.BBDOHK>gpupdate /force
Updating Policy…
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\administrator.BBDOHK>
C:\Users\administrator.BBDOHK>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.
I reckon the issue is with the “Configure Windows NTP Client” settings and here’s what I have set:
NtpServer = time.windows.com,0x09
Type = NT5DS *used on computers joined to a domain so this seems correct; tried NTP with same result
Rest of settings I have kept the defaults:
2
15
7
3600
0
Would greatly appreciate if you had any suggestions.
Thanks!
Derek says:
August 1, 2013 at 11:14 pm (UTC -5)
To add, in the System log, I see this Time-Service error with Event ID 12:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Any idea how I can resolve this issue?
Thanks!
Alex Tovey says:
February 11, 2014 at 4:58 am (UTC -5)
I believe you are syncing the server to itself. I’ve created two gpo. one for the server and one for the client then changed the permissions. server is just the dc’s allowed for this gpo and the clients are “domain computers”
This worked for me on resolving your issue
Scott Palmer says:
June 2, 2015 at 1:46 pm (UTC -5)
Great write up, worked for me, but I have a couple of questions.
Doesn’t the second set of instructions where you point to the policy to the main DC create a single point of failure for time synchronization? Is there a way to add a list of NTP servers the client machines can query?
Thanks!
Windows NTP Time Sync Group Policy says:
March 14, 2012 at 11:30 pm (UTC -5)
[…] […]