Time Synchronizing Domain Controllers with NTP – HowTo

…to synchronize your DC(s) with a correct timesource and make the DCs authorative to the clients you have to follow these steps:

If you have more than one domain-controller only the PDC-Emulator should sync his time with NTP – all other DCs should sync with NT5DS against PDC-emulator – we can easily filter the PDCe with a WMI query.

Create two WMI filters in Group Policy Console:

DC with PDC emulator -> “Select * from Win32_ComputerSystem where DomainRole = 5”

all other DCs -> “Select * from Win32_ComputerSystem where DomainRole = 4”

Create two Policies (Sync with NTP for DC with PDCe and Sync with NT5DS for non PDCe DCs)

Create a Policy for non PDC-emulator Domain-controllers:

…ignore the default ntpserver entry, because not used if type is NT5DS (domain hierarchy)…

…not necessary to create a policy for workstations/desktops and non-DomainController servers (domain-joined) because they will sync automatically with DC…

Link to Domain Controller OU:

If you running your domain controllers in virtual environments like HV/Azure… – you must disable time-sync againts host on all VMs within the domain (otherwise you play ping-pong – policy set the time, host set it back, policy set time, host set it back,…..).

Change registry:

Windows Registry Editor Version 5.00



Policy Update:

gpupdate /target:computer /force

check registry settings:


force sync:

net stop w32time && net start w32time

w32tm /resync /force

check eventlog Application/time-source:

Create policy to put users/groups in local admin group…


i want to put ie my service account named _svc_vmmservice to the local admin group in my vmm nodes. following the microsoft AGLP (accounts->global groups->local groups->permissions) first i create a global group named “_gg_localAdminVMM” and a local group named “_lg_localAdminVMM” – put _svc_vmmservice in global group and put global group in local group:

…in addition you need a Group for VMM servers/nodes (not users) – do the same for VMM servers:

Create Policy:


…remove “Authenticated users” and change scope of this policy to VMM servers group:

…dont forget to link this GPO to your ServerOU..

time to apply this new policy with:

…you can check it with the command:

…before gpupdate:

and after gpupdate:



HINT: if you dont see your policy applied and you have created the computer group for your VMM servers a short time before – you have to reboot your VMM servers to apply the membership of the group first!