Before Windows 10, I was using a simple batch script on my main domain controller which used w32tm (w32time service) to get the correct time from an external source.
The clients in the domain got the time from the domain controllers without having set anything specifically there.
After upgrading to Windows 10 / Server 2016, something seems to have changed regarding time. Not all clients received the correct time any more.
Here are the steps I took to solve the issue.
One domain controller should get the time from time.windows.com.
All clients and other domain controllers or servers should get the time from this DC.
GPO for DC
Use group policies to configure NTP settings.
First, create a WMI filter using this statement:
Select * from Win32_ComputerSystem where DomainRole = 5
Then create a new GPO, link it under “Domain Controllers” and combine it with the WMI filter, so it is only applied on the main DC (PDC emulator).
Open your policy object and go to:
Computer configuration -> Administrative templates -> System -> Windows Time Service -> Time providers
Enable “NTP Client” and “NTP Server”.
Configure the NTP client with an external source, e.g. time.windows.com,0x1 or pool.ntp.org,0x1. For type, choose “NTP”.
Note: If your DC is a virtual machine, make sure the time integration service for this VM is disabled!
GPO for clients
In a GPO that applies to the clients, e.g. your default domain policy, set the same settings, but instead of the external source enter yourDCName.yourDomain.local,0x1.
With this setting, clients should sync the time from your main domain controller.
Run “gpupdate /force” on the DC and on one test client (no logoff necessary), then run “w32tm /query /status” on both machines.
The source shown should be the time server you set in the corresponding GPO.
Run “w32tm /resync” on both machines, which should end with a success message.
If not, check your event log.
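
A verification script for the steps above, as an added example that is not part of the original post. It reads the same DomainRole property the WMI filter tests, checks that the policy reached the machine, and compares the active time source with the expected one. The two parameter defaults are placeholders to replace with the values from your GPOs, and the matched source strings assume an English-language w32tm.

```powershell
# Added example. $ExternalSource and $PdcName are assumptions: set them to your GPO values.
param(
    [string]$ExternalSource = 'time.windows.com',
    [string]$PdcName        = 'yourDCName.yourDomain.local'
)

# Same property the WMI filter tests: 5 = primary domain controller (PDC emulator).
$role     = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$expected = if ($role -eq 5) { $ExternalSource } else { $PdcName }

# Settings delivered by the "Configure Windows NTP Client" policy are stored under this key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policy = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No W32Time policy under $polKey. Run 'gpupdate /force' and check the GPO link and WMI filter."
} else {
    "Policy NtpServer : $($policy.NtpServer)"
    "Policy Type      : $($policy.Type)"
}

# /query /source prints only the source name, so no parsing of the /status text is needed.
$source = (& w32tm /query /source | Out-String).Trim()
"Current source   : $source"

switch -Regex ($source) {
    'VM IC Time Synchronization Provider' {
        # The case from the note above: the hypervisor is overriding NTP.
        Write-Warning 'Time comes from the hypervisor. Disable the time integration service for this VM.'
        break
    }
    'Local CMOS Clock|Free-running System Clock' {
        Write-Warning 'No NTP source in use. The server is unreachable or the policy is not applied.'
        break
    }
    default {
        # Strip the ",0x1" flag suffix before comparing host names.
        $name = ($source -split ',')[0].Trim()
        if ($name -ieq $expected) { "OK: syncing from $expected" }
        else { Write-Warning "Expected '$expected' but the source is '$name'." }
    }
}
```

Run it in an elevated PowerShell session after “gpupdate /force” and “w32tm /resync”.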