Hey everyone! I'm a new sysadmin at a charity center, and I'm dealing with some time drift issues on all domain-joined PCs—about 2-3 minutes off. The previous sysadmin unfortunately passed away and left no documentation, so I'm trying to figure things out from scratch. I found that our time syncing is tied to two Group Policy Objects (GPOs): one is 'Time Provider' and the other is 'Time Client'. The 'Time Provider' has settings to sync time from internet servers and is attached to a WMI filter for the PDC emulator, while the 'Time Client' points to our PDC's IP but doesn't have the Windows NTP Client configured. I've already turned off time synchronization in Hyper-V, yet the problem persists. Running diagnostics shows the 'Time Client' GPO is being applied. Any advice on resolving this issue would be greatly appreciated!
5 Answers
You're on the right track looking at the GPO settings; something seems off there. Check the scope of each GPO. The 'Time Client' GPO should actually have Windows NTP Client settings enabled. Here's a good resource for verifying NTP settings: https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings. Following the GPO walkthrough might shed some light on it too.
A few questions to narrow this down:
1. Does your DC have the correct time?
2. What NTP server is configured on the DC?
3. What NTP server are the workstations using?
You shouldn't need to configure an NTP server for domain-joined machines—they usually sync with the DC automatically.
To answer your questions:
1. The DC is also experiencing time drift.
2. The NTP server listed on the DC shows as 'Local.'
3. The workstations also report 'Local' as their NTP server.
I’m really just trying to understand the rationale behind these GPOs.
You might want to remove the 'Time Clients' GPO entirely. Domain members should automatically sync time with their local domain controller, which in turn gets its time from the PDC. For the 'Time Provider' GPO, consider adjusting the NTP server to 'time.windows.com' without any spaces next to the comma. That could help improve your sync times.
Thanks for the tip! I'll make sure to note that for troubleshooting.
You might want to reconsider having a VM serve as a time source. High load could lead to inaccuracies. Hyper-V can complicate time syncing, especially if there's a snapshot or heavy resource usage. Using a reliable NTP source might stabilize your time sync situation better. It reduces the variance in time which seems to be causing issues for your clients.
I see your point about hypervisors. It does get tricky. I’m still trying to understand the reasoning behind the GPOs the previous sysadmin set up.
Just a heads up, your PCs shouldn't be reaching out to external NTP servers. Make sure your PDC emulator is getting its time from a reliable NTP server. Domain controllers sync their time from the PDC, and all client PCs should sync from the nearest DC. Check out this guide for further configuration details: https://theitbros.com/configure-ntp-time-sync-group-policy/
I believe the client PCs are pulling their time from the 'Time Client' GPO. When I checked, it shows that it's the active GPO.
Thanks for the resources! Each GPO is linked to different organizational units. The 'Time Client' is in the domain-level OU, and 'Time Provider' is under the 'Domain Controllers' OU.
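
A read-only check for the symptoms discussed in this thread (a time source reported as 'Local', GPO-set versus local settings, Hyper-V still setting the clock), added here as an example that is not part of any post above. The function names are hypothetical and the PDC note assumes a single-domain forest; the registry paths are the standard W32Time service and policy keys.

```powershell
# Added example (not from the thread): read-only report of a machine's time source.
# Run elevated on the PDC emulator, on another DC and on a workstation, then compare.
function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent (for policy keys: setting not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-TimeSyncReport {
    $svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole  # 5 = PDC emulator
    $src  = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()

    $polType = Get-RegValue "$pol\Parameters" 'Type'        # written by a GPO, if any
    $svcType = Get-RegValue "$svc\Parameters" 'Type'        # local service setting
    $type    = if ($polType) { $polType } else { $svcType } # policy wins over local

    $notes = @()
    if ($src -match 'Local CMOS Clock|Free-running System Clock') {
        $notes += 'Not synchronising with any peer; the clock is free-running.'
    }
    if ($src -match 'VM IC Time Synchronization Provider') {
        $notes += 'Hyper-V integration services are still setting the clock.'
    }
    if ($role -eq 5 -and $type -notin 'NTP', 'AllSync') {
        # Assumption: single-domain forest, so this PDC is the top of the hierarchy.
        $notes += "PDC emulator has Type=$type; expected NTP with an external peer list."
    }
    if ($role -ne 5 -and $type -eq 'NTP') {
        $notes += 'Manual peer list in use; domain members normally use NT5DS.'
    }
    if ((Get-RegValue "$pol\TimeProviders\NtpClient" 'Enabled') -eq 0) {
        $notes += 'A GPO disables the Windows NTP Client on this machine.'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IsPdcEmulator = ($role -eq 5)
        CurrentSource = $src
        EffectiveType = $type
        PolicyPeers   = Get-RegValue "$pol\Parameters" 'NtpServer'
        LocalPeers    = Get-RegValue "$svc\Parameters" 'NtpServer'
        VmicProvider  = Get-RegValue "$svc\TimeProviders\VMICTimeProvider" 'Enabled'
        Notes         = $notes -join ' '
    }
}

Get-TimeSyncReport | Format-List
```

An empty `PolicyPeers` next to a populated `LocalPeers` means no GPO is supplying the peer list on that machine, whatever the GPO report says is applied.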