Creating a Group Policy using Microsoft PowerShell to Configure the Authoritative Time Server

In my 10 Things in AD… presentations, I talk about the importance of having the domain controller that holds the Primary Domain Controller Emulator (PDCe) role configured as the authoritative time source for the forest.  In the PDF that accompanies the presentations, I include a link to a Microsoft Ask the Directory Service Team blog article.  The main problem with that article is there is not enough detail for a lot of people.  Now that Server 2008 and later include PowerShell cmdlets for Group Policy, I thought I would add some detail on creating the Group Policy with PowerShell.

There is no way using the in-the-box Group Policy PowerShell cmdlets to create WMI Filters.  For that, there is a Group Policy WMI filter cmdlet module available.  I downloaded the module and placed it in my scripts folder, c:\webster.  There was an issue for me and I had to change one line in the module.

I had to change line 70 from:

$msWMIAuthor = (Get-ADUser $env:USERNAME).UserPrincipalName

To:

$msWMIAuthor = (Get-ADUser $env:USERNAME).Name

Without that change, I received an error on line 97 with a Null value in the $Attr array defined in line 80.  I traced the Null value to the msWMI-Author value in the array.

The script to create the Group Policy:

Set-StrictMode -Version 2

#Carl Webster, CTP and independent consultant
[email protected]
[email protected] on Twitter
#http://www.CarlWebster.com
#With help from Michael B. Smith - http://www.theessentialexchange.com

# load required modules
Import-Module ActiveDirectory
Import-Module GroupPolicy
#the following module is available for download from
#http://gallery.technet.microsoft.com/scriptcenter/Group-Policy-WMI-filter-38a188f3
#assuming the module is in the same folder as the script
Import-Module ( Join-Path ( Split-Path $MyInvocation.MyCommand.Path -Parent) GPWmiFilter.psm1 )

#define variables specific to an AD environment
$GPOName       = 'Set PDCe as Authoritative Time Server'
$defaultNC     = ( [ADSI]"LDAP://RootDSE" ).defaultNamingContext.Value
$TargetOU      = 'OU=Domain Controllers,' + $defaultNC
$TimeServer    = 'north-america.pool.ntp.org,0x1'
$WMIFilterName = 'PDCe Role Filter'

#the GPWmiFilter module said to put this in the main code
new-itemproperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" `
-name "Allow System Only Change" -value 1 -propertyType dword -EA 0

#create WMI Filter
$filter = New-GPWmiFilter -Name $WMIFilterName `
-Expression 'Select * from Win32_ComputerSystem where DomainRole = 5' `
-Description 'Queries for the Domain Controller that holds the PDCe FSMO Role' `
-PassThru

#create new GPO shell
$GPO = New-GPO -Name $GPOName

#add WMI filter
$GPO.WmiFilter = $Filter

#set the three registry keys in the Preferences section of the new GPO
Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
-Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config' `
-Type DWord  -ValueName 'AnnounceFlags' -Value 5 | out-null

Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
-Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' `
-Type String -ValueName 'NtpServer' -Value $TimeServer | out-null

Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
-Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' `
-Type String -ValueName 'Type' -Value 'NTP' | out-null

#link the new GPO to the Domain Controllers OU
New-GPLink -Name $GPOName `
-Target $TargetOU | out-null

My Group Policy Management console (GPMC) before running the script is shown in Figure 1 showing no WMI Filters exist.

Figure 1

Figure 1

The script is processed and then I ran the Get-GPO cmdlet to verify the GPO was created (Figure 2).

Figure 2

Figure 2

After a refresh, a look back in the GPMC (Figure 3) showing the new WMI Filter and GPO.

Figure 3

Figure 3

Selecting the new WMI Filter in the GPMC shows all the settings are correct: Filter Name, Description and Query as shown in Figure 4.

Figure 4

Figure 4

Another look in the GPMC at the Domain Controllers OU shows the new GPO is linked properly as shown in Figure 5,

Figure 5

Figure 5

And Figure 6 shows all the registry keys are set properly.

Figure 6

Figure 6

The current registry keys are shown in Figure 7 and 8.

Figure 7

Figure 7

Figure 8

Figure 8

After a GPUPDATE /FORCE, the registry keys are shown in Figures 9 and 10.

Figure 9

Figure 9

Figure 10

Figure 10

What happens on a domain controller that is not the PDCe?  That is shown in Figure 11.  As you can see, the new GPO was denied because of the WMI Filter.

Figure 11

Figure 11

There you go.  Now you can automate creating the Group Policy to set the Forest Root Domain’s PDCe as the authoritative time server for your AD Forest.

I have placed an unsigned copy of this script at

https://dl.dropboxusercontent.com/u/43555945/CreateAuthoritativeTimeServerGPO.ps1

I have also placed a copy of the script with a TXT extension at

https://dl.dropboxusercontent.com/u/43555945/CreateAuthoritativeTimeServerGPO.txt

I have placed a digitally signed copy of this script at

https://dl.dropboxusercontent.com/u/43555945/CreateAuthoritativeTimeServerGPO_Signed.ps1

I have also placed a copy of the digitally signed script with a TXT extension at

https://dl.dropboxusercontent.com/u/43555945/CreateAuthoritativeTimeServerGPO_Signed.txt

Thanks

Webster

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

View all posts by Carl Webster

8 Responses to “Creating a Group Policy using Microsoft PowerShell to Configure the Authoritative Time Server”

  1. Karl Schantz Says:

    Hi Carl,

    Thank you very much for this script. Also, lots of thanks to Jeremy for his modifications. This script will allow me to automate a process that I have had to do manually for a couple of years now. I also modified the script in the following way:

    If you are applying this script to a DC that is running on a virtual machine, you will want to change the SpecialPollInterval from the default to at most “900” (15 minutes) to minimize time skew. I added the following:

    Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
    -Key ‘HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient’ `
    -Type DWord -ValueName ‘SpecialPollInterval’ -Value 900 | out-null

    Also, if you are using a link that is unreliable, you may want the DC to use the gateway router as a secondary NTP server while the link is down. To do this, I added the following:

    # Set this to the NTP Servers the PDCe will sync with
    $TimeServers = “0.us.pool.ntp.org,0x9 1.us.pool.ntp.org,0xa 2.us.pool.ntp.org,0xa 3.us.pool.ntp.org,0xa”

    $KnownGW = Read-Host ” Do you know the IP address of the Gateway Router? Y/N”

    If($KnownGW -eq “Y”)
    {
    $GWIP = Read-Host ‘Please enter the Gateway IP Address’
    $GW = $GWIP + “,0xa”
    $TimeServers = $TimeServers + $GW

    }
    Else
    {
    Write-host “`n The PDCe will be configured with the US Pool NTP servers only`n`n”
    }

    Thought you might be interested in this.

    Thanks again
    -karl

    Reply

  2. Jeremy Saunders Says:

    Hi Carl,

    I hope you don’t mind but I’ve enhanced your script to create both WMI Filters and GPOs and reposted it here: http://www.jhouseconsulting.com/2014/01/10/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153

    Cheers,
    Jeremy

    Reply

  3. Andrew Says:

    Carl,

    Great post Carl. I have been reading up on setting the authoritative NTP server manually vs. with a GPO for a new Windows Server 2012 domain. I did have one question. In a similar blog post by Jorge http://jorgequestforknowledge.wordpress.com/2010/09/26/configuring-and-managing-the-windows-time-service-part-2/ he uses two separate GPOs. One for all domain controllers, and the second for the one with the FSMO roles. If you only create one GPO as done above, do you risk having more than one authoritative time source? I was looking at the scenario of where you may transfer the FSMO roles to a new server, but the old server is still around. Will the registry settings remain on the old PDCe server even after it is no longer considered the domain master?

    Thanks,
    Andrew

    Reply

    • Carl Webster Says:

      Yes, I planned to write another article on that but the physical server that hosted my DC had processor issues and had to be rebuilt. I lost the VMs on it and never got to write the 2nd article. I will get that written, I hope, real soon.

      Thanks

      Webster

      Reply

  4. Prince Says:

    Masterful, Carl. Question though. What difference would it make if this was created Manually on the PDC? Besides the WMI filtering, is or are there any specific advantage to scripting the process?

    Thanks,
    Prince

    Reply

    • Carl Webster Says:

      None actually except now you have the process automated and documented.

      You could also use a reg file, or have someone manually set the registry entries, or a vbscript, or….
      Plus by using the WMI Filter, if you move the PDCe role to another server, at the next group policy refresh cycle (or running gpupdate /force or rebooting the new PDCe) the new PDCe instantly becomes the authoritative time server. Also, what happens if the PDCe is demoted and you were not aware that role was on the server? Using this the DC that receives the PDCe role will automatically become the new authoritative time server and you didn’t have to think about it.

      The only reason I wrote this script (and went through the learning process) is because someone asked how to create the GPO using PoSH. I like learning and challenges that require me to learn.

      Thanks

      Webster

      Reply

    • Karl Schantz Says:

      This will be a very valuable advantage to me. I have to travel around and perform assessments on our subordinate units to ensure that they have their PDCe NTP settings correct. Until now, I have had to provide written documentation and over the shoulder direction, which usually results in someone fat fingering something while creating the GPO or WMI filter. Now I can just give them the script and have them run it. Also, using Jeremy’s modification, I don’t have to copy the WMI module over, because the required piece is in the script.

      Reply

Leave a Reply