Configuring an Authoritative Time Server with Group Policy Using WMI Filtering
Hello everyone, Brian Singleton here. Here’s a question I often get from customers regarding Windows Time:
“Is there a way I can configure the Windows Time settings via Group Policy and have it only apply to the domain controller that holds the PDC FSMO role?”
This is a wonderful question to pose, and there are very good reasons for doing it this way:
- If you decide to move the PDC emulator role to another domain controller, you do not want to have to go through the trouble of making all of the registry changes again.
- If the PDC emulator fails and you have to bring up a new server, you may forget to add the settings back, resulting in a time sync issue in your domain (and, because Kerberos only tolerates a small clock skew between clients and domain controllers, authentication failures).
We have a feature in Group Policy to help us that you may have read about on this blog, and that is WMI filtering.
Windows Management Instrumentation (WMI) is a powerful feature in Windows that gives us very detailed information about computers in our environment. We can use WMI via a script to remotely manage machines, as well as to gather information about machines in our domain for inventory purposes.
The main reason I bring this feature up is that WMI gives us an additional layer of filtering for Group Policy application.
We can configure a GPO on the Domain Controllers OU with the W32Time settings for the authoritative time server, but instead of using security filtering to scope it explicitly to the domain controller that currently holds the PDC emulator role, we can use WMI filtering. One caveat before continuing: WMI filtering only works on computers running Windows XP/Windows Server 2003 and later. That means you cannot use WMI filtering with Windows 2000; a Windows 2000 computer ignores the filter and applies the GPO as if no filter were set.
Below is an example:
The domain I configure this policy on is Windows Server 2003, but the same applies to Windows Server 2008 as well. I am also using Group Policy Management Console (GPMC) which can be downloaded from here. For those of you who are using Windows Vista you can get GPMC by downloading the Microsoft Remote Server Administration Tools (RSAT).
First I will create my WMI filter:
The next part is me adding my query:
In the above image I added the following query:
Select * from Win32_ComputerSystem where DomainRole = 5
You can use WMIC to verify the current value of the DomainRole property. This can be a helpful way to get a sanity check on the value to make sure the filtering will achieve the desired result.
To view the DomainRole value locally:
wmic computersystem get domainrole
To view the DomainRole value remotely (where M1 is the remote computer):
wmic /node:"M1" computersystem get domainrole
In WMI the various components of the OS and the actual machine are represented as classes. The Win32_ComputerSystem class represents a computer running a Windows OS. Have a look at the following MSDN link for this class as well as other WMI classes:
WMI Classes
https://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx
The Win32_ComputerSystem class has many properties and methods that can be used in scripting as well as in filtering for Group Policy, but for the purposes of this post we will focus on the DomainRole property:
From the MSDN website:
DomainRole
Role of a computer in an assigned domain workgroup. A domain workgroup is a collection of computers on the same network. For example, a DomainRole property may show that a computer is a member workstation. This property is inherited from CIM_ManagedSystemElement.
Value | Meaning
0 | Standalone Workstation
1 | Member Workstation
2 | Standalone Server
3 | Member Server
4 | Backup Domain Controller
5 | Primary Domain Controller
As you can see from the above chart, 5 means Primary Domain Controller. So the query, Select * from Win32_ComputerSystem where DomainRole = 5, means select a machine whose DomainRole is 5, Primary Domain Controller. On an Active Directory domain controller that value is reported only by the holder of the PDC emulator FSMO role; every other domain controller reports 4. For those of you who would like to create a Windows Time GPO for all the other domain controllers, you would just change the query to DomainRole = 4.
Now I am going to link my WMI filter to my already configured Authoritative Time Server GPO:
What I have just accomplished is that the Authoritative Time Server GPO will only apply to the domain controller that holds the PDC emulator FSMO role. By configuring the policy in this fashion, I can transfer the PDC role to any domain controller and the policy will follow the role. Also, if the PDC fails and I bring up a new domain controller and seize the PDC emulator role to it, the policy will apply on the next policy refresh or when I force a refresh with gpupdate /force. WMI filters are evaluated every time computer policy is processed, so the old role holder stops matching the filter and drops the policy settings at its next refresh as well.
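The WMIC sanity check above tells you the raw DomainRole value; what a practitioner really wants to know is whether the filter will match on this DC, whether that agrees with who actually owns the PDC emulator role in AD, and which time settings are in effect afterwards. The following script is an added example for this post (not Brian's own script, and not the GPO itself). It assumes an elevated PowerShell session on a domain controller running Windows Server 2008 or later (w32tm /query does not exist on Windows Server 2003), that the ActiveDirectory module from RSAT is available for the optional cross-check, and that the GPO is named "Authoritative Time Server" as in the post.

```powershell
# Added example (not from the original post): evaluate the PDC emulator WMI
# filter query on this machine, cross-check it against the PDC emulator
# recorded in AD, and show which W32Time settings are in effect.
# Assumptions: elevated PowerShell on a 2008+ domain controller; the
# ActiveDirectory module is optional; the GPO name below is the post's.

$DomainRoleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'   # every DC that does not hold the PDC emulator role
    5 = 'Primary Domain Controller'  # the PDC emulator role holder
}

function Get-DomainRoleReport {
    # Reads DomainRole the same way the Group Policy engine does:
    # the Win32_ComputerSystem class in the root\CIMv2 namespace.
    $cs   = Get-CimInstance -Namespace 'root\CIMv2' -ClassName Win32_ComputerSystem
    $role = [int]$cs.DomainRole
    [pscustomobject]@{
        Computer   = $cs.Name
        DomainRole = $role
        RoleName   = $DomainRoleNames[$role]
    }
}

function Test-WmiFilterQuery {
    param([string]$Query = 'Select * from Win32_ComputerSystem where DomainRole = 5')
    # A WMI filter passes when its WQL query returns at least one instance;
    # running the same query with Get-CimInstance reproduces that decision.
    @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query).Count -gt 0
}

$report  = Get-DomainRoleReport
$applies = Test-WmiFilterQuery
Write-Host ("{0}: DomainRole = {1} ({2})" -f $report.Computer, $report.DomainRole, $report.RoleName)
Write-Host ("The PDC emulator WMI filter would {0} on this computer." -f $(if ($applies) { 'APPLY' } else { 'NOT apply' }))

# Cross-check: the DC that owns the PDC emulator FSMO role is the only one that
# should report DomainRole 5. A mismatch points at a FSMO ownership or
# replication problem worth investigating before trusting the filter.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $pdc   = (Get-ADDomain).PDCEmulator                                  # FQDN of the role holder
    $me    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # this DC's FQDN
    $isPdc = $pdc -ieq $me
    if ($isPdc -ne $applies) {
        Write-Warning "WMI reports DomainRole $($report.DomainRole) but AD says the PDC emulator is $pdc."
    } else {
        Write-Host "WMI DomainRole agrees with the AD PDC emulator owner ($pdc)."
    }
}

# Where do the effective time settings come from? A GPO writes to the Policies
# key, which takes precedence over the service's own Parameters key. When the
# GPO stops applying (for example after the role moves away), the Policies key
# is removed and the service falls back to its defaults (NT5DS, domain hierarchy).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
foreach ($key in $policyKey, $serviceKey) {
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        Write-Host ("{0}`n    Type={1}  NtpServer={2}" -f $key, $p.Type, $p.NtpServer)
    } else {
        Write-Host ("{0}`n    (not present)" -f $key)
    }
}

# Finally ask the time service itself, and confirm with gpresult that the GPO
# was applied, or was filtered out, as expected.
w32tm /query /source
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer|AnnounceFlags'
gpresult /r /scope:computer | Select-String -Pattern 'WMI|Authoritative'
```

Run it on the PDC emulator and on one other DC: the first should report DomainRole 5, the filter applying, and the Policies key present; the second should report DomainRole 4, the filter not applying, the Policies key absent, and w32tm /query /source pointing at another DC through the domain hierarchy. If you ever see the filter applying on a DC that AD does not list as the PDC emulator, fix that before relying on the GPO, because it is the DC, not AD, that decides whether the filter matches.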
I hope that you have learned a little more on how powerful WMI Filters are and how they can be leveraged to apply Group Policies based on a WMI Filter.
Additional Resources
Windows Management Instrumentation
https://msdn.microsoft.com/en-us/library/aa394582(VS.85).aspx
WMI Classes
https://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx
WMI filtering using GPMC
https://technet.microsoft.com/en-us/library/cc779036.aspx
Windows Management Instrumentation Command-line
https://technet.microsoft.com/en-us/library/cc784189.aspx
- Brian Singleton
Comments
Anonymous
November 13, 2008
PingBack from http://mstechnews.info/2008/11/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/
Anonymous
November 14, 2008
Brian, great post here. I have recently posted about W32tm and this is something that can help out a lot of customers. In my opinion this is a must have group policy setting.
Anonymous
November 14, 2008
I recently blogged about time and how critical it is in a domain environment. Just this morning I read
Anonymous
November 17, 2008
203 Microsoft Team blogs searched, 94 blogs have new articles in the past 7 days. 223 new articles found
Anonymous
December 05, 2008
Brian Singleton has posted an article on configuring w32time via Group Policy using WMI on the AskDS
Anonymous
January 12, 2009
I have a question about this: If this GPO applies the appropriate time settings (type=NTP, NtpServer=yourtimeserver) if/when the PDCe role is moved, what about the DC the role was moved from? Doesn't there need to be a GPO in place that will change the Windows Time Service settings back to those appropriate for a non-PDCe?
Anonymous
April 30, 2009
I have a GPO which forces my clients and member servers to use my PDC emulator as my time source with the NTP method. I have then configured my PDC to look to an external time source. I have been told that I don't have to create and apply the GPO at all and that simply pointing the PDC to an external source will work. Is this so, as the default behaviour did not seem to be working? If I don't need the GPO and simply remove it, will the clients and member servers then fall back to the default MS method, or is there something else I should do? Someone mentioned I may need to do a "w32tm /config /syncfromflags:domhier /update" on all the non-DC machines.
Anonymous
May 01, 2009
Hello CJH and Broonie27.....

Let me first address the question posed by CJH: If you configured the settings for the PDC role according to the above article WITHOUT manually configuring the settings, then no, you do not have to do anything when the PDC role moves to another DC. The old PDC will revert back to the NT5DS settings as normal.

SEE BELOW FOR ADDITIONAL INFO TO ANSWER BROONIE27

Now your question Broonie: If you have configured a GPO to configure your client machines for NTP settings (pointing them to your PDC) and you have NOT manually configured your clients, then when the policy is removed the client machines will revert back to the normal domain hierarchy settings and you do not have to configure anything.

Why would you not have to change anything? When you create a policy, the settings are configured in the following location (which does take precedence over the next location):

HKLM\Software\Policies\Microsoft\Windows\W32time (the W32time key is created with the policy)

When the policy is removed, then this key is also removed. The other location that is the default is:

HKLM\System\CurrentControlSet\Services\W32time

Providing that you both have not changed the default settings in the location above (under the services key), simply removing the policy, or leaving the old PDC alone, will be fine. The defaults will take place again in both scenarios.

Hope this helps.

Bob Drake
Sr Technical Lead
Directory Services
Microsoft
Anonymous
May 10, 2010
Great, Brian. Please correct me if I am wrong: simply, if I had a 2008 DC and I need to make all PCs in all branches update the time from the DC, do I just need to configure the NTP policy? Or do I need additional configuration?
Anonymous
January 09, 2014
Pingback from Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy
Anonymous
August 02, 2015
Hi Craig
I have a scenario where I have a single domain controller server and the network is not connected to the internet and it cannot ever be connected. The BPA gives an error about time synchronization. What is the solution in this case?
Thanks