Time Synchronizing Domain Controllers with NTP – HowTo

…to synchronize your DC(s) with a correct time source and make the DCs authoritative for the clients, follow these steps:

If you have more than one domain controller, only the PDC emulator should sync its time with NTP – all other DCs should sync with NT5DS (domain hierarchy) against the PDC emulator – we can easily filter the PDCe with a WMI query.

Create two WMI filters in Group Policy Console:

DC with PDC emulator -> "Select * from Win32_ComputerSystem where DomainRole = 5"

all other DCs -> "Select * from Win32_ComputerSystem where DomainRole = 4"

Create two policies ("Sync with NTP" for the DC holding the PDCe role and "Sync with NT5DS" for the non-PDCe DCs)

Create a policy for the non-PDC-emulator domain controllers:

…ignore the default NtpServer entry, because it is not used if the type is NT5DS (domain hierarchy)…

…it is not necessary to create a policy for workstations/desktops and domain-joined non-domain-controller servers, because they sync automatically with a DC…

Link it to the Domain Controllers OU:

If you run your domain controllers in virtual environments like Hyper-V/Azure… – you must disable time sync against the host on all VMs within the domain (otherwise you play ping-pong – the policy sets the time, the host sets it back, the policy sets the time, the host sets it back, …).

Change the registry (the .reg file below uses straight quotes; the curly quotes from a web copy would break the import):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]

"Enabled"=dword:00000000

Policy update:

gpupdate /target:computer /force

Check the registry settings delivered by the policy:

HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters\…

Force a sync:

net stop w32time && net start w32time

w32tm /resync /force

Check the event log (Application/time-source):
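The checks above can be scripted so that every DC reports whether its effective W32Time configuration matches its role. The following is an added example, not code from the original post; it runs in an elevated PowerShell on a domain controller and reads the same DomainRole values the WMI filters use, the policy registry key, the Hyper-V time provider switch, the live w32tm source, and the latest Time-Service events (which the service writes to the System log).

```powershell
# Added example (not from the original post): verify that this DC's effective
# W32Time configuration matches its FSMO role after the GPOs above were applied.

# DomainRole 5 = PDC emulator, 4 = other domain controller (same values as the WMI filters)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$expectedType = switch ($role) {
    5       { 'NTP' }
    4       { 'NT5DS' }
    default { $null }
}
if (-not $expectedType) {
    Write-Warning "DomainRole $role is not a domain controller; nothing to check."
    return
}

# Policy-delivered settings land under the Policies key; Type tells the service whether
# to use manual peers (NTP) or the domain hierarchy (NT5DS).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$type = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Type
if ($type -eq $expectedType) {
    Write-Host "OK: DomainRole=$role, policy Type=$type"
} else {
    Write-Warning "MISMATCH: DomainRole=$role expects Type=$expectedType but policy Type is '$type' (GPO not applied or wrong WMI filter?)"
}

# The Hyper-V time provider must be off on virtual DCs, otherwise the host keeps resetting the clock.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmicEnabled = (Get-ItemProperty -Path $vmicKey -ErrorAction SilentlyContinue).Enabled
if ($vmicEnabled -eq 1) {
    Write-Warning "VMICTimeProvider is still enabled; set Enabled=0 and restart w32time."
}

# What the service is actually using right now
w32tm /query /source
w32tm /query /status

# Last events from the Time-Service provider
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List
```

A MISMATCH on a non-PDCe DC usually means the WMI filter or the OU link is wrong; a MISMATCH on the PDCe after a role transfer means the new holder has not refreshed policy yet, so run gpupdate there first.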

Create a policy to put users/groups into the local Administrators group…

Prerequisites:

I want to put, for example, my service account named _svc_vmmservice into the local Administrators group on my VMM nodes. Following the Microsoft AGLP model (accounts -> global groups -> local groups -> permissions), I first create a global group named "_gg_localAdminVMM" and a local group named "_lg_localAdminVMM", put _svc_vmmservice into the global group, and put the global group into the local group:

…in addition you need a group for the VMM servers/nodes (computer objects, not users) – do the same for the VMM servers:
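The same group structure can be created from the ActiveDirectory module instead of the GUI. This is an added example, not code from the original post; the OU path, the server group name and the computer names are assumptions, while _svc_vmmservice, _gg_localAdminVMM and _lg_localAdminVMM are the names used above.

```powershell
# Added example (not from the original post): create the AGLP groups described above.
Import-Module ActiveDirectory

$groupOU     = 'OU=Groups,DC=example,DC=local'    # assumption: where your groups live
$serviceAcct = '_svc_vmmservice'                  # name from the post
$vmmNodes    = @('VMM01', 'VMM02')                # assumption: constructed sample computer names

# Account -> Global group -> domain Local group -> permission (here: local Administrators)
New-ADGroup -Name '_gg_localAdminVMM' -GroupScope Global      -GroupCategory Security -Path $groupOU
New-ADGroup -Name '_lg_localAdminVMM' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity '_gg_localAdminVMM' -Members $serviceAcct
Add-ADGroupMember -Identity '_lg_localAdminVMM' -Members '_gg_localAdminVMM'

# Second group for the VMM servers themselves (computer objects); it is used later as the
# security filter of the GPO so the policy applies to exactly these machines.
New-ADGroup -Name '_gg_vmmServers' -GroupScope Global -GroupCategory Security -Path $groupOU   # assumed name
$computers = $vmmNodes | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity '_gg_vmmServers' -Members $computers

# Verify the nesting
Get-ADGroupMember -Identity '_lg_localAdminVMM' | Select-Object Name, objectClass
Get-ADGroupMember -Identity '_gg_vmmServers'    | Select-Object Name, objectClass
```

Keeping the service account out of the local group directly (and only in the global group) is what makes the AGLP model auditable: every right the account has on a server traces back to one global group membership.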

Create the policy:


…remove "Authenticated Users" and change the scope of this policy to the VMM servers group:

…don't forget to link this GPO to your ServerOU…

Time to apply this new policy with:

…you can check it with the command:

…before gpupdate:

and after gpupdate:



HINT: if you don't see your policy applied and you created the computer group for your VMM servers only a short time before, you have to reboot your VMM servers first so the new group membership is in their token!
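Scoping, linking and verifying the GPO can be done with the GroupPolicy module as well. This is an added example, not code from the original post; the GPO name, the OU path, the server group name and the computer name are assumptions. It deviates from the text in one point on purpose: Authenticated Users keeps Read (loses only Apply), because since MS16-072 the computer account reads user-side policy and a GPO without Read for the computer silently fails to apply that part.

```powershell
# Added example (not from the original post): security-filter the local-admin GPO to the
# VMM server group, link it to the server OU and check the result on one node.
Import-Module GroupPolicy

$gpoName   = 'LocalAdmin-VMM'                                             # assumption
$serverGrp = '_gg_vmmServers'                                             # assumption: group with the VMM computer objects
$serverOU  = 'OU=Servers,OU=Computers,OU=Resources,DC=example,DC=local'   # assumption
$testNode  = 'VMM01'                                                      # assumption: constructed sample name

$gpo = Get-GPO -Name $gpoName

# Authenticated Users: Apply -> Read only; the VMM server group gets Apply (which includes Read)
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Guid $gpo.Id -TargetName $serverGrp -TargetType Group -PermissionLevel GpoApply

# Link to the server OU
New-GPLink -Guid $gpo.Id -Target $serverOU -LinkEnabled Yes

# Apply on a VMM node and show who is in the local Administrators group afterwards.
# The computer's group token is built at boot: a computer added to $serverGrp just now
# needs a reboot (see HINT above) before the security filter matches.
Invoke-Command -ComputerName $testNode -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope:computer
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
```

If the domain local group does not appear in the output, check gpresult first: the GPO must be listed under "Applied Group Policy Objects" for the computer, not under "filtered out (Security)".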

Create a policy to add a local admin account – the new way…

Since Microsoft changed the security policies, the "old way" of creating a local admin account and setting its password via policy no longer works – information about this security update can be found at: https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

If you have installed this security patch and want to create a new policy the "old way" with a new user and password, you cannot type in any passwords because the fields are greyed out:

The new way to do this is Microsoft's Local Administrator Password Solution (LAPS) – see: https://www.microsoft.com/en-us/download/details.aspx?id=46899

How to install:

You need a management computer for installing the management tools, the PowerShell module, … – in addition it is useful to have all the AD management tools (Users and Computers, Group Policy Editor, …) installed on this management computer as well.

Download all packages (you will need x86 and x64 later) from https://www.microsoft.com/en-us/download/details.aspx?id=46899 to the management computer and start LAPS.x64.msi – or the x86 one if you have a 32-bit management computer (the client packages are built later):

…install all the features:

Policy for installing the client package:

LAPS needs a DLL (its Group Policy client-side extension) on all computers where LAPS should store and change the local admin password. The easiest way to get it there is a policy that deploys the package – start the Group Policy Editor and create a new policy:

…choose the LAPS x64 package first, for deploying the software to 64-bit clients/servers:

…we also need the x86 package:

…I rename the packages (looks better than "(2)") – right click -> Properties:

…we want to avoid the x86 package also being distributed to x64 computers – right click on the x86 package and choose Properties:

…uncheck "Make this 32-bit…":

…I have several OUs in my AD – Resources -> Computers, where all workstations and servers reside – I link this GPO to my Resources OU:


…unfortunately the LAPS client needs a reboot to complete the update – you see this after GPUPDATE /FORCE:

Extend the AD schema:

Open PowerShell with admin rights on your management server and import the LAPS PS module:

…update the schema:

Set/check permissions:

…the default permissions to manage local passwords are less restrictive than we want (Domain Users can read) – we want to change that – open ADSI Edit:

…because I have my own OU structure (Resources -> Computers, …) I have to right-click on ComputersOU and select Properties:

…make sure that under the Security tab "All extended rights" is checked only for the users you want to give permissions to – i.e. remove this checkmark from Everyone… (in Server 2016 the permissions are already correct (only Domain Admins and Enterprise Admins have the right), nothing to do on this OS…):

…now give all computers under your OU the permission to change their own passwords:

Next give users the permission to read the passwords of computers in an OU (in my case ComputersOU) – you can make this very granular, e.g. one AD group for workstations and another AD group for servers – Domain Admins is fine for my environment:

Create the local password policy:

The last step is to create a policy for changing local passwords, complexity and other settings – the LAPS setup installed an ADM template on your management workstation for that – so if you also have the Group Policy Editor installed on this workstation, open GPMC, create a new policy and browse to Computer Configuration -> Policies -> Administrative Templates -> LAPS:


Enable password management and change the other settings depending on your needs:

…if you have another policy that disables the local account named "Administrator" and creates another user with a name like "_adm_localAdmin", you must enable this policy setting and change the name to the name of your local admin account (if you have no such policy and want to manage the default local account named "Administrator", you can leave this as the default – not configured):


Don't forget to link your password policy to the appropriate OUs…
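The same LAPS policy can be created and linked without the ADM template GUI, because the template only writes registry values under HKLM\Software\Policies\Microsoft Services\AdmPwd. The block below is an added example, not code from the original post; the GPO name, the OU path and the chosen values are assumptions, and the account name only matters in the renamed-admin case described above.

```powershell
# Added example (not from the original post): create and link the LAPS password policy
# with the GroupPolicy module. The value names are the ones the LAPS ADM template writes.
Import-Module GroupPolicy

$gpoName  = 'LAPS-LocalAdminPassword'                          # assumption
$targetOU = 'OU=Computers,OU=Resources,DC=example,DC=local'    # assumption
$lapsKey  = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'

$gpo = New-GPO -Name $gpoName

# "Enable local admin password management"
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1
# Complexity 4 = large letters + small letters + numbers + specials; length; age in days
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# "Do not allow password expiration time longer than required by policy"
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1
# Only needed when the built-in Administrator is disabled and a custom local admin is used
Set-GPRegistryValue -Guid $gpo.Id -Key $lapsKey -ValueName 'AdminAccountName'   -Type String -Value '_adm_localAdmin'

New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes

# Show what ended up in the GPO
Get-GPRegistryValue -Guid $gpo.Id -Key $lapsKey | Select-Object ValueName, Type, Value
```

PwdExpirationProtectionEnabled is worth keeping on: without it, anyone who can write ms-Mcs-AdmPwdExpirationTime can push the expiry far into the future and stop the rotation for that machine.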

Read passwords:

The LAPS setup installs a GUI utility called "LAPS UI" on your management workstation:

…or you find the password in AD Users and Computers -> computer object -> Attribute Editor (don't forget to check View -> Advanced Features to show this tab):
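Both the LAPS UI and the Attribute Editor read the same two attributes, which can also be queried from PowerShell. The block below is an added example, not code from the original post; the computer name is a constructed sample, and it shows how to interpret the expiry attribute, which is stored as a FILETIME rather than a readable date.

```powershell
# Added example (not from the original post): read a computer's LAPS password from the
# command line and check whether it has already expired.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computer = 'VMM01'   # assumption: constructed sample name

# Same data the LAPS UI shows; only principals granted read permission on the OU get the Password field
Get-AdmPwdPassword -ComputerName $computer | Select-Object ComputerName, Password, ExpirationTimestamp

# The raw attributes behind the Attribute Editor tab; the expiry is a FILETIME (100-ns ticks since 1601 UTC)
$obj = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expires = [DateTime]::FromFileTimeUtc([int64]$obj.'ms-Mcs-AdmPwdExpirationTime')
if ($expires -lt (Get-Date).ToUniversalTime()) {
    Write-Warning "$computer : password expired on $expires UTC - the client rotates it at the next policy refresh."
} else {
    Write-Host "$computer : password valid until $expires UTC"
}

# To force a rotation after the password was used, set the expiry to now; the client
# changes the password at its next Group Policy refresh:
# Reset-AdmPwdPassword -ComputerName $computer
```

Reading the password through Get-AdmPwdPassword is logged like any other directory read only if auditing of the attribute is configured; if you need a trail of who looked up which password, enable an audit ACE for ms-Mcs-AdmPwd on the OU.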