How do I use Group Policy to sync client time in an Active Directory domain with an external NTP server and not the domain controller?

I have an Active Directory domain, with a domain controller running on Samba on Linux.

I noticed that my Windows clients are having clock drift. I think this is because they really want the domain controller to offer a time synchronization service. But since I never set up a time server on the domain controller, that isn't happening.

Now, Samba doesn't seem to include a time server feature, and I would rather not add another service to the things I need to maintain. I am perfectly happy with everyone in the domain, including the DC, individually syncing up with time.windows.com. But if I go in the default domain policy or in gpedit.msc on an individual client and make the Configure Windows NTP Client and Enable Windows NTP Client objects, they don't seem to take effect, and my client's time source stays stuck at "Local CMOS Clock".

How can I configure Group Policy in an Active Directory domain to make clients get their time directly from an Internet NTP server, instead of from a domain controller?

I found this answer that gives a command line procedure that it claims lets you escape the domain time hierarchy for an individual host, but I am interested in doing it for all the clients in the domain (and also the DC, though that is Samba and unlikely to obey the policy).

joeqwerty
https://theitbros.com/configure-ntp-time-sync-group-policy/
All domain controllers advertise as a time server by default. It doesn't need to be configured. If you want to know why it is using the local clock, you should enable time service verbose logging.
@GregAskew Samba *advertises* as a time server, but doesn't actually *implement* an NTP daemon, so it does not actually synchronize time for clients out of the box.
@joeqwerty I attempted to follow the "Configure Client Time Sync Settings Using GPO" part of that page. It did not seem to work for me.
@interfect: domain controllers don't advertise as NTP servers by default. It uses RPC. 99.9999% of Windows clients use RPC for time synchronization by default.