I need some help deciding on time configuration in a domain setting. Time is not working and seems to be running about 2 minutes slow and creeping. After reading a bunch I now feel confused as some settings seem to be set via registry and w32time while others seem to be set via GPO. I need to know what settings for the Default Domain controller policy and what settings for the Default Domain policy. If you can help please be specific, real examples with syntax would be appreciated and not links to more pages of conflicting info. The original time was set on a single 2003 DC that was the PDC and filled all fsmo roles 8 years ago. Time server sync source was set in the registry. When users logged in the script set the time based on the DC. That DC has been retired and replaced. The replacement 2008 server is currently filling the PDC and all fsmo roles. The login script no longer sets time based on the DC. There is also a second DC not currently holding any fsmo roles. I have attempted to set time via GPO's and have all time set to the DC internal time server that sync’s with the external time servers or so I thought it was. I’d rather not set anything manually in the registry and want to set time on the DC to sync from 2 external time servers via GPO. The Default Domain Controller Policy Global configuration settings are enabled. Time Providers??? Configure Windows NTP Client was enabled and is now disabled Enable Windows NTP Client was enabled to time.windows.com,0x1 and is now disabled Enable Windows NTP Server is enabled The Default Domain policy Global configuration settings are not configured. Time Providers??? Configure Windows NTP Client is not configured. Enable Windows NTP Client is enabled set to the DC XXXXXXXX.XXX.local Enable Windows NTP Server is enabled This shouldn’t be a big deal but now I feel like I am going in circles Thanks

Generally speaking, we don’t need configure Windows Time service for Domain clients. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy: All client desktop computers nominate the authenticating domain controller as their in-bound time partner. All member servers follow the same process that client desktop computers follow. All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner. All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner. For your reference: How to configure an authoritative time server in Windows Server http://support.microsoft.com/kb/816042/ If you would like to enforce time settings, please refer to Jorge’s suggestions in thread below: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/89e675c4-5960-4c64-a408-a4a3cf6556e4 Thanks.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Should time be set via GPO or registry? If GPO does anything need to manually changed in the Registry? If GPO, set Default Domain Controller Policy for the operations masters to follow the hierarchy of domains in the selection of their in-bound time partners? And then set the Default Domain policy for all client desktop computers and member servers? It is my understanding that using Default Domain Controller Policy for our 2 DC's an election if forced based on fsmo roles which should elect our 2008 server as the reference server and leave the 2nd DC as a subordinate.

What is confusing is this. Specifies whether the Windows NTP Client synchronizes time from the domain hierarchy or a manually configured NTP server. Doesn't the PDC emulator become an NTP client of the external time source? Aren't all other client desktop computers and member servers also NTP clients? What is the client? This is unclear since everything is a client.

PDC is a client of the external time source at the same time, it’s a time server for its Domain. I think it’s not conflicting, Windows has different services for these tasks. Thanks.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.