{"id":1153,"date":"2014-01-10T00:57:41","date_gmt":"2014-01-09T16:57:41","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=1153"},"modified":"2017-02-22T17:21:22","modified_gmt":"2017-02-22T09:21:22","slug":"script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2014\/01\/10\/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153","title":{"rendered":"Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy"},"content":{"rendered":"<p>This PowerShell script will create the Time Server GPOs and WMI Filters for the Domain Controllers&nbsp;to ensure your time server hierarchy remains correct for transfer and seizure of the PDC emulator&nbsp;FSMO role holder.<\/p>\n<p>However, before I talk about the script it&#8217;s important to provide some background information on the required settings for the Windows Time Service (W32Time), as many tend to get it wrong.<\/p>\n<p>The three (3) important settings are:<\/p>\n<ul>\n<li>NTPServer<\/li>\n<li>Type<\/li>\n<li>AnnounceFlags<!--more--><\/li>\n<\/ul>\n<p><strong>NTPServer<\/strong>:&nbsp;Multiple (a pool) of NTP servers can be added by separating them with a space. This setting is used only when Type is set to NTP or AllSync.&nbsp;Additional options can be added to the end of each NTP server in the form of hex codes related to the associating mode it will run in.<\/p>\n<ul>\n<li>0x01 &#8211; Special Interval &#8211; Specifies to use a special poll interval set by the &#8220;SpecialPollInterval&#8221; parameter.<\/li>\n<li>0x02 &#8211; Use as Fallback Only<\/li>\n<li>0x04 &#8211; (Default) Symmetric Active<\/li>\n<li>0x08 &#8211; NTP Request in Client Mode<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">These values can be combined. 
For example: 0x09 means SpecialInterval and NTP request in Client mode.<\/p>\n<p><em>Most environments will typically use option 0x08.<\/em><\/p>\n<p><strong style=\"line-height: 1.5em;\">Type<\/strong><span style=\"line-height: 1.5em;\">: Indicates which peers to accept synchronization from:<\/span><\/p>\n<ul>\n<li>NoSync &#8211; The time service does not synchronize with other sources.<\/li>\n<li>NTP &#8211; The time service synchronizes from the servers specified in the NtpServer registry entry.<\/li>\n<li>NT5DS&nbsp;(Default) &#8211; The time service synchronizes from the domain hierarchy.<\/li>\n<li>AllSync &#8211;&nbsp;The time service uses all the available synchronization mechanisms. It uses the domain hierarchy first and will fall back to the value set for the NTP server if the domain hierarchy is not available.<\/li>\n<\/ul>\n<p><em>The PDCe for the forest root domain should be set to NTP. All other DCs should be NT5DS.<\/em><br \/>\n<em>The PDCe for the child (non-forest root) domains should be set to AllSync. All other DCs should be NT5DS.<\/em><\/p>\n<p><strong>AnnounceFlags<\/strong>:&nbsp;This value defines how the DC announces itself as a time server:<\/p>\n<ul>\n<li>0x00 &#8211; Timeserv_Announce_No, Reliable_Timeserv_Announce_No. The domain controller does not advertise time service.<\/li>\n<li>0x01 &#8211; Timeserv_Announce_Yes. The domain controller always advertises time service.<\/li>\n<li>0x02 &#8211; Timeserv_Announce_Auto. The domain controller automatically determines whether it should advertise time service.<\/li>\n<li>0x04 &#8211; Reliable_Timeserv_Announce_Yes. The domain controller will always advertise reliable time service.<\/li>\n<li>0x08 &#8211; Reliable_Timeserv_Announce_Auto. The domain controller automatically determines whether it should advertise reliable time service.<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">This value combines flags using the bitwise OR operator. 
For each position in the binary value, if any flag has the value of 1 in the corresponding position, the combined value does as well. For example, the flags 1 and 8, which are 0001 and 1000 in binary, are 1001 when combined with bitwise OR.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/AnnounceFlags.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-1154 aligncenter\" title=\"AnnounceFlags\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/AnnounceFlags.png\" alt=\"AnnounceFlags\" width=\"645\" height=\"167\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/AnnounceFlags.png 922w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/AnnounceFlags-300x78.png 300w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/AnnounceFlags-768x199.png 768w\" sizes=\"(max-width: 645px) 100vw, 645px\" \/><\/a><\/p>\n<p style=\"padding-left: 30px;\">0 simply means no announcements, and 1, 2, 4, 8 are the individual bits that decide whether the according function will be announced.<br \/>\nA value of 5 simply is 1+4, so &#8220;The domain controller always advertises time service.&#8221; and &#8220;The domain controller will always advertise reliable time service.&#8221;<br \/>\n10 (0xa) means 2+8, so &#8220;The domain controller automatically determines whether it should advertise time service.&#8221; and &#8220;The domain controller automatically determines whether it should advertise reliable time service.&#8221;<\/p>\n<p style=\"padding-left: 30px;\"><em>It\u2019s been reported that even with Announceflags defaulting to 10 the PDCe may not announce itself as a reliable time server under certain scenarios. Therefore setting it to 5 on the PDCe is a considered best practice. All other DCs should be set to 10 as per default. 
Setting multiple DCs to 5 can cause problems, as explained by&nbsp;<a href=\"https:\/\/dimitri.janczak.net\/\" target=\"_blank\">Dimitri Janczak<\/a> in his&nbsp;<a href=\"https:\/\/dimitri.janczak.net\/2017\/02\/07\/ntpclient-error-0x800706e1\/\" target=\"_blank\">NtpClient Error 0x800706E1<\/a> article.<\/em><\/p>\n<p>Whilst Microsoft has published some&nbsp;<a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc773263(v=ws.10).aspx\" target=\"_blank\">Windows Time Service Tools and Settings<\/a>&nbsp;on TechNet, the three (3) listed above are the most important.<\/p>\n<p>Polling Intervals and Clock Corrections Explained:<\/p>\n<ul>\n<li><strong>SpecialPollInterval<\/strong>: This value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of the MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. The default value is 3600 seconds (1 hour).<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\"><em>If you&#8217;re going to use the SpecialPollInterval, you may consider setting it to 900 seconds (15 minutes).<\/em><\/p>\n<ul>\n<li><strong style=\"line-height: 1.5em;\">MinPollInterval<\/strong><span style=\"line-height: 1.5em;\">: This value, expressed in log base-2 seconds, controls the minimum polling interval that defines the minimum amount of time between polls of a peer. The default value is 6, which is computed as 2 to the power of 6 and equals 64 seconds.<\/span><\/li>\n<li><strong style=\"line-height: 1.5em;\">MaxPollInterval<\/strong><span style=\"line-height: 1.5em;\">: This value, expressed in log base-2 seconds, controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. 
The default value is 10, which is computed as 2 to the power of 10 and equals 1,024 seconds (about 17 minutes). The time service itself is considered unsynchronized after 1.5 times the number of seconds that are specified by this entry have elapsed. NTP specifies that the maximum clock age is 86,400 seconds. Therefore, if the value of this entry is greater than 15 (32,768 seconds), peers will eventually ignore this server.<\/span><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\"><em>The MinPollInterval and MaxPollInterval values should not be changed, but be aware that as the actual value in seconds is calculated as a log base-2 number, the time will increase&nbsp;exponentially as you increase these values.<\/em><\/p>\n<ul>\n<li><strong>MaxNegPhaseCorrection<\/strong>: This value, expressed in seconds, controls the maximum allowable clock correction that can be made in a reverse direction. If a time sample is received that indicates a time in the past (as compared to the client&#8217;s local clock) that has a time difference that is greater than the MaxNegPhaseCorrection value, the time sample is discarded. If this happens, the Windows Time source logs an event in the System log of Event Viewer. The default value is 172,800 seconds (48 hours).<\/li>\n<li><strong>MaxPosPhaseCorrection<\/strong>: This value, expressed in seconds, controls the maximum allowable clock correction that can be made in a forward direction. If a time sample is received that indicates a time in the future (as compared to the client&#8217;s local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. If this happens, the Windows Time source logs an event in the System log of Event Viewer. The default value is 172,800 seconds (48 hours).<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\"><em style=\"line-height: 1.5em;\">Some consultants recommend changing the MaxNegPhaseCorrection and MaxPosPhaseCorrection. 
The Microsoft recommendation is to leave them at their&nbsp;default setting of 172,800 seconds (48 hours).<\/em><\/p>\n<p><span style=\"line-height: 1.5em;\">Furthermore, it&#8217;s also extremely important to ensure your virtual Domain Controllers are correctly configured.<\/span><\/p>\n<p>I highly recommend reading the following articles for Hyper-V environments:<\/p>\n<ul>\n<li><a href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2013\/11\/17\/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations-again\/\" target=\"_blank\">Time Sync Recommendations For Virtual DCs On Hyper-V \u2013 Change In Recommendations (AGAIN)<\/a><\/li>\n<li><a href=\"http:\/\/blogs.msdn.com\/b\/virtual_pc_guy\/archive\/2010\/11\/19\/time-synchronization-in-hyper-v.aspx\" target=\"_blank\">Time Synchronization in Hyper-V<\/a><\/li>\n<li><a href=\"http:\/\/kevingreeneitblog.blogspot.com.au\/2011\/01\/hyper-v-time-synchronization-on-windows.html\" target=\"_blank\">Hyper V Time Synchronization on a Windows Based Network<\/a><\/li>\n<\/ul>\n<p>The script is fully documented, and is based on a previous script written by <a href=\"http:\/\/carlwebster.com\/creating-a-group-policy-using-microsoft-powershell-to-configure-the-authoritative-time-server\/\" target=\"_blank\">Carl Webster<\/a>.<\/p>\n<p>The following screen shot shows the screen output.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/CreateTimeServerGPOs-Output.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-1161\" title=\"CreateTimeServerGPOs-Output\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/CreateTimeServerGPOs-Output.png\" alt=\"CreateTimeServerGPOs-Output\" width=\"650\" height=\"250\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/CreateTimeServerGPOs-Output.png 650w, 
https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/CreateTimeServerGPOs-Output-300x115.png 300w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/a><\/p>\n<p style=\"text-align: left;\">You can then run the Get-GPO cmdlet to verify that the GPOs were created, User Settings Disabled, and the WMI Filters applied&nbsp;.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-Verify.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-1166\" title=\"TimeServerGPOsandWMIFilters-Verify\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-Verify.png\" alt=\"TimeServerGPOsandWMIFilters-Verify\" width=\"647\" height=\"514\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-Verify.png 647w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-Verify-300x238.png 300w\" sizes=\"(max-width: 647px) 100vw, 647px\" \/><\/a><\/p>\n<p style=\"text-align: left;\">The following screen shot shows the GPOs linked to the Domain Controllers OU and WMI Filters .<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1162\" title=\"TimeServerGPOsandWMIFilters\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters.png\" alt=\"TimeServerGPOsandWMIFilters\" width=\"440\" height=\"498\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters.png 440w, 
https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-265x300.png 265w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/TimeServerGPOsandWMIFilters-300x340.png 300w\" sizes=\"(max-width: 440px) 100vw, 440px\" \/><\/a><\/p>\n<p>It&#8217;s important to note that the script creates the GPOs with the Enabled (VMICTimeProvider) registry preference value disabled as per the following screen shot.<\/p>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/2014\/01\/10\/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153\/vmictimeprovider1\" rel=\"attachment wp-att-1811\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1811\" title=\"Enabled (VMICTimeProvider) Disabled\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider1.png\" alt=\"Enabled (VMICTimeProvider) Disabled\" width=\"650\" height=\"231\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider1.png 1252w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider1-300x107.png 300w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider1-768x273.png 768w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider1-1024x364.png 1024w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/a><\/p>\n<p>You then need to manually set Item-Level targeting before enabling the Enabled value so that this still gets applied to virtual machines ONLY as per best practice. 
We do it this way because there is no simple way to create\/set item-level targeting settings via PowerShell without using a 3rd party product like SDM Software&#8217;s GP Automation Engine (GPAE).<\/p>\n<ul>\n<li>Right click on the Enabled preference setting<\/li>\n<li>Select Properties<\/li>\n<li>Select the Common tab<\/li>\n<li>Select Item-Level targeting to enable it<\/li>\n<li>Select Targeting&#8230;<\/li>\n<li>Add a Registry Match as per the following settings represented in the screen shot below:\n<ul>\n<li>Match type: Match value data<\/li>\n<li>Value data match type: Substring match<\/li>\n<li>Hive: HKEY_LOCAL_MACHINE<\/li>\n<li>Key path: SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\VMICTimeProvider<\/li>\n<li>Value name: DLLName<\/li>\n<li>Value type: REG_EXPAND_SZ<\/li>\n<li>Substring: vmictimeprovider.dll<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.jhouseconsulting.com\/2014\/01\/10\/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153\/vmictimeprovider3\" rel=\"attachment wp-att-1807\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1807\" title=\"Item-Level Targeting - Registry Match\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider3.png\" alt=\"Item-Level Targeting - Registry Match\" width=\"651\" height=\"323\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider3.png 995w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider3-300x149.png 300w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider3-768x381.png 768w\" sizes=\"(max-width: 651px) 100vw, 651px\" \/><\/a><\/p>\n<ul>\n<li>Select OK<\/li>\n<li>Select OK<\/li>\n<li>Right click on Enabled &gt; All Tasks &gt; Enable<\/li>\n<\/ul>\n<p><a 
href=\"http:\/\/www.jhouseconsulting.com\/2014\/01\/10\/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153\/vmictimeprovider4\" rel=\"attachment wp-att-1810\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1810\" title=\"Enabled (VMICTimeProvider) Enabled\" src=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider4.png\" alt=\"Enabled (VMICTimeProvider) Enabled\" width=\"650\" height=\"232\" srcset=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider4.png 1250w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider4-300x107.png 300w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider4-768x274.png 768w, https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-content\/uploads\/2014\/01\/VMICTimeProvider4-1024x365.png 1024w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/a><\/p>\n<p>You&#8217;ll need to do this for all 3 GPOs and then the implementation is complete.<\/p>\n<p>Here is the <a  data-e-Disable-Page-Transition=\"true\" class=\"download-link\" title=\"\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/download\/1706\/?tmstv=1776914852\" rel=\"nofollow\" id=\"download-link-1706\" data-redirect=\"false\" >\n\tCreateTimeServerGPOs.ps1\t(2137 downloads\t)\n<\/a>\n&nbsp;script:<\/p>\n<pre class=\"brush: powershell; auto-links: false; title: ; toolbar: false; notranslate\" title=\"\">\r\n&lt;#\r\n  This script will create the Time Server GPOs and WMI Filters for the Domain Controllers\r\n  to ensure your time server hierarchy remains correct for transfer and seizure of the PDC(e)\r\n  emulator FSMO role holder. 
The policies will apply on the next policy refresh or by forcing\r\n  a group policy refresh.\r\n\r\n  WMI Filters are created via the New-ADObject cmdlet in the Active Directory module, which\r\n  makes them of type &quot;Microsoft.ActiveDirectory.Management.ADObject&quot;. However, the Group\r\n  Policy module requires that you use an object of type &quot;Microsoft.GroupPolicy.WmiFilter&quot;\r\n  when adding a wmifilter using the New-GPO cmdlet. Therefore there is no default way to use\r\n  the Group Policy PowerShell cmdlets to add WMI Filters to GPOs without a bit of trickery.\r\n  As Carl documented there is a &quot;Group Policy WMI filter cmdlet module&quot; available for download\r\n  from here: http:\/\/gallery.technet.microsoft.com\/scriptcenter\/Group-Policy-WMI-filter-38a188f3\r\n  But if you reverse engineer the code Bin Yi from Microsoft created, you'll see that he has\r\n  simply and cleverly converted a &quot;Microsoft.ActiveDirectory.Management.ADObject&quot; object type\r\n  to a &quot;Microsoft.GroupPolicy.WmiFilter&quot; object type. I didn't want to include the whole module\r\n  for the simple task I needed, so have directly used the ConvertTo-WmiFilter function from the\r\n  GPWmiFilter.psm1 module and tweaked it for my requirements. Many thanks to Bin.\r\n\r\n  If your Active Directory is based on Windows 2003 or has been upgraded from Windows 2003, you\r\n  may have an issue with System Owned Objects. 
If you receive an error message along the\r\n  lines of &quot;The attribute cannot be modified because it is owned by the system&quot;, you'll need to\r\n  set the following registry value:\r\n    Key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters\r\n    Type: REG_DWORD\r\n    Value: Allow System Only Change\r\n    Data: 1\r\n\r\n  Disable the Hyper-V time synchronization integration service:\r\n  - The time source of &quot;VM IC Time Synchronization Provider&quot; (vmictimeprovider.dll) is enabled\r\n    on Virtual Machines as part of the Hyper-V Integration Services. The following articles\r\n    explain it in more depth and how it should be configured:\r\n    - Time Sync Recommendations For Virtual DCs On Hyper-V \u2013 Change In Recommendations (AGAIN):\r\n      https:\/\/jorgequestforknowledge.wordpress.com\/2013\/11\/17\/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations-again\/\r\n    - Time Synchronization in Hyper-V:\r\n      http:\/\/blogs.msdn.com\/b\/virtual_pc_guy\/archive\/2010\/11\/19\/time-synchronization-in-hyper-v.aspx\r\n    - Hyper V Time 
Synchronization on a Windows Based Network:\r\n      http:\/\/kevingreeneitblog.blogspot.com.au\/2011\/01\/hyper-v-time-synchronization-on-windows.html\r\n\r\n  Recommended Default Values for:\r\n  - MaxPosPhaseCorrection: 172800\r\n  - MaxNegPhaseCorrection: 172800\r\n\r\n  Recommended Default Values for Domain Controllers:\r\n  - SpecialPollInterval: 3600\r\n    This is only initiated on workgroup servers and the PDCe when a flag of 0x1 or 0x9 is\r\n    specified against any of the manually specified NTP servers.\r\n    References:\r\n    - KB2638243 to understand more about when SpecialPollInterval is used.\r\n    - https:\/\/nchrissos.wordpress.com\/2013\/04\/26\/configuring-time-on-windows-2008-r2-servers\/\r\n\r\n  Even after a GPUpdate has occurred and a restart of the Windows Time (W32Time) service you\r\n  may find that the output of a &quot;w32tm \/query \/source&quot; and &quot;w32tm \/query \/status&quot; shows that\r\n  its source is the &quot;Local CMOS Clock&quot;. Simply run the &quot;w32tm \/resync \/rediscover&quot; command\r\n  to force the system to rediscover from its configured sources. 
This seems to address the\r\n  issue immediately.\r\n\r\n  Script Name: CreateTimeServerGPOs.ps1\r\n  Release 1.2\r\n  Written by Jeremy@jhouseconsulting.com 19\/10\/2015\r\n\r\n  Original script was written by Carl Webster:\r\n  - Carl Webster, CTP and independent consultant\r\n  - webster@carlwebster.com\r\n  - @carlwebster on Twitter\r\n  - http:\/\/www.CarlWebster.com\r\n  - It can be found here:\r\n    http:\/\/carlwebster.com\/creating-a-group-policy-using-microsoft-powershell-to-configure-the-authoritative-time-server\/\r\n\r\n#&gt;\r\n\r\n#-------------------------------------------------------------\r\nparam(&#x5B;switch]$whatif)\r\n\r\nSet-StrictMode -Version 2.0\r\n\r\n$VerbosePreference = 'Continue'\r\n$WarningPreference = 'Continue'\r\n$ErrorActionPreference = 'Continue'\r\n\r\nif ($whatif.IsPresent) { \r\n  $WhatIfPreference = $True\r\n  Write-Verbose &quot;WhatIf Enabled&quot; \r\n} Else {\r\n  $WhatIfPreference = $False\r\n}\r\n\r\n#-------------------------------------------------------------\r\n# Define variables specific to your Active Directory environment\r\n\r\n# Set this to the NTP Servers the PDCe will sync with\r\n$TimeServers = &quot;0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8 2.au.pool.ntp.org,0x8 3.au.pool.ntp.org,0x8&quot;\r\n\r\n# This is the name of the GPO for the PDCe policy\r\n$PDCeGPOName = &quot;+ SERVER Set PDCe Domain Controller as Authoritative Time Server v1.0&quot;\r\n\r\n# This is the WMI Filter for the PDCe Domain Controller\r\n$PDCeWMIFilter = @(&quot;PDCe Domain Controller&quot;,\r\n                   &quot;Queries for the domain controller that holds the PDC emulator FSMO role&quot;,\r\n                   &quot;root\\CIMv2&quot;,\r\n                   &quot;Select * from Win32_ComputerSystem where DomainRole=5&quot;)\r\n\r\n# This is the name of the GPO for the non-PDCe policy\r\n$NonPDCeGPOName = &quot;+ SERVER Set Time Settings on non-PDCe Domain Controllers v1.0&quot;\r\n\r\n# This is the WMI Filter for the non-PDCe Domain 
Controllers\r\n$NonPDCeWMIFilter = @(&quot;Non-PDCe Domain Controllers&quot;,\r\n                      &quot;Queries for all domain controllers except for the one that holds the PDC emulator FSMO role&quot;,\r\n                      &quot;root\\CIMv2&quot;,\r\n                      &quot;Select * from Win32_ComputerSystem where DomainRole=4&quot;)\r\n\r\n# This is the name of the GPO for the Domain Member policy\r\n$DomainMembersGPOName = &quot;+ COMPUTER Set Time Settings on all Domain Members v1.0&quot;\r\n\r\n# Set this to True to include the registry value to disable the Virtual Host Time Synchronization provider (VMICTimeProvider)\r\n$DisableVirtualHostTimeSynchronization = $True\r\n\r\n# Set this to true to set the Allow System Only Change registry value\r\n$EnableAllowSystemOnlyChange = $True\r\n\r\n# Set this to the number of seconds you would like to wait for Active Directory replication\r\n# to complete before retrying to add the WMI filter to the Group Policy Object (GPO).\r\n$SleepTimer = 10\r\n\r\n#-------------------------------------------------------------\r\n\r\n# Import the Active Directory Module\r\nImport-Module ActiveDirectory -WarningAction SilentlyContinue\r\nif ($Error.Count -eq 0) {\r\n  Write-Verbose &quot;Successfully loaded Active Directory Powershell's module&quot;\r\n} else {\r\n  Write-Error &quot;Error while loading Active Directory Powershell's module : $Error&quot;\r\n  exit\r\n}\r\n\r\n# Import the Group Policy Module\r\nImport-Module GroupPolicy -WarningAction SilentlyContinue\r\nif ($Error.Count -eq 0) {\r\n  Write-Verbose &quot;Successfully loaded Group Policy Powershell's module&quot;\r\n} else {\r\n  Write-Error &quot;Error while loading Group Policy Powershell's module : $Error&quot;\r\n  exit\r\n}\r\n\r\n#-------------------------------------------------------------\r\n\r\n# Get the Current Domain &amp; Forest Information\r\n$DomainInfo = 
&#x5B;System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()\r\n$DomainName = $DomainInfo.Name\r\n$ForestName = $DomainInfo.Forest.Name\r\n\r\n# Get AD Distinguished Name\r\n$DomainDistinguishedName = $DomainInfo.GetDirectoryEntry() | select -ExpandProperty DistinguishedName  \r\n\r\nIf ($DomainName -eq $ForestName) {\r\n  $IsForestRoot = $True\r\n} Else {\r\n  $IsForestRoot = $False\r\n}\r\n\r\n#-------------------------------------------------------------\r\n\r\nfunction ConvertTo-WmiFilter(&#x5B;Microsoft.ActiveDirectory.Management.ADObject&#x5B;]] $ADObject)\r\n{\r\n  # The concept of this function has been taken directly from the GPWmiFilter.psm1 module\r\n  # written by Bin Yi from Microsoft. I have modified it to allow for the challenges of\r\n  # Active Directory replication. It will return the WMI filter as an object of type\r\n  # &quot;Microsoft.GroupPolicy.WmiFilter&quot;.\r\n  $gpDomain = New-Object -Type Microsoft.GroupPolicy.GPDomain\r\n  $ADObject | ForEach-Object {\r\n    $path = 'MSFT_SomFilter.Domain=&quot;' + $gpDomain.DomainName + '&quot;,ID=&quot;' + $_.Name + '&quot;'\r\n    $filter = $NULL\r\n    try\r\n      {\r\n        $filter = $gpDomain.GetWmiFilter($path)\r\n      }\r\n    catch\r\n      {\r\n        write-Error &quot;The WMI filter could not be found.&quot;\r\n      }\r\n    if ($filter)\r\n      {\r\n        &#x5B;Guid]$Guid = $_.Name.Substring(1, $_.Name.Length - 2)\r\n        $filter | Add-Member -MemberType NoteProperty -Name Guid -Value $Guid -PassThru | Add-Member -MemberType NoteProperty -Name Content -Value $_.&quot;msWMI-Parm2&quot; -PassThru\r\n      } else {\r\n        write-Warning &quot;Waiting $SleepTimer seconds for Active Directory replication to complete.&quot;\r\n        start-sleep -s $SleepTimer\r\n        write-warning &quot;Trying again to retrieve the WMI filter.&quot;\r\n        ConvertTo-WmiFilter $ADObject\r\n      }\r\n  
}\r\n}\r\n#-------------------------------------------------------------\r\n\r\nfunction Enable-ADSystemOnlyChange(&#x5B;switch] $disable)\r\n{\r\n    # This function has been taken directly from the GPWmiFilter.psm1\r\n    # module written by Bin Yi from Microsoft.\r\n    $valueData = 1\r\n    if ($disable)\r\n    {\r\n        $valueData = 0\r\n    }\r\n    $key = Get-Item HKLM:\\System\\CurrentControlSet\\Services\\NTDS\\Parameters -ErrorAction SilentlyContinue\r\n    if (!$key) {\r\n        New-Item HKLM:\\System\\CurrentControlSet\\Services\\NTDS\\Parameters -ItemType RegistryKey | Out-Null\r\n    }\r\n    $kval = Get-ItemProperty HKLM:\\System\\CurrentControlSet\\Services\\NTDS\\Parameters -Name &quot;Allow System Only Change&quot; -ErrorAction SilentlyContinue\r\n    if (!$kval) {\r\n        New-ItemProperty HKLM:\\System\\CurrentControlSet\\Services\\NTDS\\Parameters -Name &quot;Allow System Only Change&quot; -Value $valueData -PropertyType DWORD | Out-Null\r\n    } else {\r\n        Set-ItemProperty HKLM:\\System\\CurrentControlSet\\Services\\NTDS\\Parameters -Name &quot;Allow System Only Change&quot; -Value $valueData | Out-Null\r\n    }\r\n}\r\n \r\n#-------------------------------------------------------------\r\n\r\nFunction Create-Policy {\r\n  param($GPOName,$TargetOU,$NtpServer,$AnnounceFlags,$Type,$MaxPosPhaseCorrection,$MaxNegPhaseCorrection,$SpecialPollInterval,$WMIFilter)\r\n\r\n  If ($WMIFilter -ne &quot;none&quot;) {\r\n    $UseAdministrator = $False\r\n    If ($UseAdministrator -eq $False) {\r\n      $msWMIAuthor = &#x5B;System.Security.Principal.WindowsIdentity]::GetCurrent().Name\r\n    } Else {\r\n      $msWMIAuthor = &quot;Administrator@&quot; + &#x5B;System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain().name\r\n    }\r\n\r\n    # Create WMI Filter\r\n    $WMIGUID = &#x5B;string]&quot;{&quot;+(&#x5B;System.Guid]::NewGuid())+&quot;}&quot;\r\n    $WMIDN = 
&quot;CN=&quot;+$WMIGUID+&quot;,CN=SOM,CN=WMIPolicy,CN=System,&quot;+$DomainDistinguishedName\r\n    $WMICN = $WMIGUID\r\n    $WMIdistinguishedname = $WMIDN\r\n    $WMIID = $WMIGUID\r\n \r\n    $now = (Get-Date).ToUniversalTime()\r\n    $msWMICreationDate = ($now.Year).ToString(&quot;0000&quot;) + ($now.Month).ToString(&quot;00&quot;) + ($now.Day).ToString(&quot;00&quot;) + ($now.Hour).ToString(&quot;00&quot;) + ($now.Minute).ToString(&quot;00&quot;) + ($now.Second).ToString(&quot;00&quot;) + &quot;.&quot; + ($now.Millisecond * 1000).ToString(&quot;000000&quot;) + &quot;-000&quot; \r\n    $msWMIName = $WMIFilter&#x5B;0]\r\n    $msWMIParm1 = $WMIFilter&#x5B;1] + &quot; &quot;\r\n    $msWMIParm2 = &quot;1;3;10;&quot; + $WMIFilter&#x5B;3].Length.ToString() + &quot;;WQL;&quot; + $WMIFilter&#x5B;2] + &quot;;&quot; + $WMIFilter&#x5B;3] + &quot;;&quot;\r\n\r\n    # msWMI-Name: The friendly name of the WMI filter\r\n    # msWMI-Parm1: The description of the WMI filter\r\n    # msWMI-Parm2: The query and other related data of the WMI filter\r\n    $Attr = @{&quot;msWMI-Name&quot; = $msWMIName;&quot;msWMI-Parm1&quot; = $msWMIParm1;&quot;msWMI-Parm2&quot; = $msWMIParm2;&quot;msWMI-Author&quot; = $msWMIAuthor;&quot;msWMI-ID&quot;=$WMIID;&quot;instanceType&quot; = 4;&quot;showInAdvancedViewOnly&quot; = &quot;TRUE&quot;;&quot;distinguishedname&quot; = $WMIdistinguishedname;&quot;msWMI-ChangeDate&quot; = $msWMICreationDate; &quot;msWMI-CreationDate&quot; = $msWMICreationDate} \r\n    $WMIPath = (&quot;CN=SOM,CN=WMIPolicy,CN=System,&quot;+$DomainDistinguishedName) \r\n\r\n    $array = @()\r\n    $SearchRoot = &#x5B;adsi](&quot;LDAP:\/\/CN=SOM,CN=WMIPolicy,CN=System,&quot;+$DomainDistinguishedName)\r\n    $search = new-object System.DirectoryServices.DirectorySearcher($SearchRoot)\r\n    $search.filter = &quot;(objectclass=msWMI-Som)&quot;\r\n    $results = $search.FindAll()\r\n    ForEach ($result in $results) {\r\n      $array += 
$result.properties&#x5B;&quot;mswmi-name&quot;].item(0)\r\n    }\r\n\r\n    if ($array -notcontains $msWMIName) {\r\n      write-Verbose &quot;Creating the $msWMIName WMI Filter...&quot;\r\n      If ($EnableAllowSystemOnlyChange) {\r\n        Enable-ADSystemOnlyChange\r\n      }\r\n      $SOMContainer = &#x5B;adsi](&quot;LDAP:\/\/CN=SOM,CN=WMIPolicy,CN=System,&quot;+$DomainDistinguishedName)\r\n      $NewWMIFilter = $SOMContainer.create('msWMI-Som',&quot;CN=&quot;+$WMIGUID)\r\n      $NewWMIFilter.put(&quot;msWMI-Name&quot;,$msWMIName)\r\n      $NewWMIFilter.put(&quot;msWMI-Parm1&quot;,$msWMIParm1)\r\n      $NewWMIFilter.put(&quot;msWMI-Parm2&quot;,$msWMIParm2)\r\n      $NewWMIFilter.put(&quot;msWMI-Author&quot;,$msWMIAuthor)\r\n      $NewWMIFilter.put(&quot;msWMI-ID&quot;,$WMIID)\r\n      $NewWMIFilter.put(&quot;instanceType&quot;,4)\r\n      $NewWMIFilter.put(&quot;showInAdvancedViewOnly&quot;,&quot;TRUE&quot;)\r\n      $NewWMIFilter.put(&quot;distinguishedname&quot;,$WMIdistinguishedname)\r\n      $NewWMIFilter.put(&quot;msWMI-ChangeDate&quot;,$msWMICreationDate)\r\n      $NewWMIFilter.put(&quot;msWMI-CreationDate&quot;,$msWMICreationDate)\r\n      If ($WhatIfPreference -eq $False) {\r\n        $NewWMIFilter.setinfo()\r\n      }\r\n      write-Verbose &quot;Waiting $SleepTimer seconds for Active Directory replication to complete.&quot;\r\n      start-sleep -s $SleepTimer\r\n    } Else {\r\n      write-Warning &quot;The $msWMIName WMI Filter already exists&quot;\r\n    }\r\n\r\n    # Get WMI filter\r\n&lt;#\r\n    $SearchRoot = &#x5B;adsi](&quot;LDAP:\/\/CN=SOM,CN=WMIPolicy,CN=System,&quot;+$DomainDistinguishedName)\r\n    $search = new-object System.DirectoryServices.DirectorySearcher($SearchRoot)\r\n    $search.filter = &quot;(&amp;(objectclass=msWMI-Som)(mswmi-name=$msWMIName))&quot;\r\n    $results = $search.FindAll()\r\n    ForEach ($result in $results) {\r\n      # To create a WmiFilter object using the ConvertTo-WmiFilter function we need to\r\n     
 # first create an object with the following 7 properties:\r\n      # DistinguishedName, msWMI-Name, msWMI-Parm1, msWMI-Parm2, Name, ObjectClass, ObjectGUID\r\n      #$WMIFilterADObject = New-Object -TypeName Microsoft.ActiveDirectory.Management.ADObject\r\n      # There is an Get-ADSIResult function written by Warren Frame that will achieve this:\r\n      # - https:\/\/github.com\/RamblingCookieMonster\/PowerShell\/blob\/master\/Get-ADSIObject.ps1\r\n      # - https:\/\/gallery.technet.microsoft.com\/scriptcenter\/Get-ADSIObject-Portable-ae7f9184\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;DistinguishedName&quot; -value $result.properties&#x5B;&quot;distinguishedname&quot;].item(0)\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;msWMI-Name&quot; -value $result.properties&#x5B;&quot;mswmi-name&quot;].item(0)\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;msWMI-Parm1&quot; -value $result.properties&#x5B;&quot;mswmi-parm1&quot;].item(0)\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;msWMI-Parm2&quot; -value $($result.properties&#x5B;&quot;mswmi-parm2&quot;].item(0))\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;Name&quot; -value $result.properties&#x5B;&quot;name&quot;].item(0)\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;ObjectClass&quot; -value &quot;msWMI-Som&quot;\r\n      ## Convert the ObjectGUID property byte array to a GUID\r\n      #&#x5B;GUID]$GUID = $result.properties&#x5B;&quot;ObjectGUID&quot;].item(0)\r\n      #$WMIFilterADObject | Add-Member -MemberType NoteProperty -Name &quot;ObjectGUID&quot; -value $GUID\r\n\r\n      $WMIFilterADObject = New-Object -TypeName Microsoft.ActiveDirectory.Management.ADObject\r\n      $WMIFilterADObject.DistinguishedName = $result.properties&#x5B;&quot;distinguishedname&quot;].item(0)\r\n      
$WMIFilterADObject.&quot;msWMI-Name&quot; = $result.properties&#x5B;&quot;mswmi-name&quot;].item(0)\r\n      $WMIFilterADObject.&quot;msWMI-Parm1&quot; = $result.properties&#x5B;&quot;mswmi-parm1&quot;].item(0)\r\n      $WMIFilterADObject.&quot;msWMI-Parm2&quot; = ($result.properties&#x5B;&quot;mswmi-parm2&quot;].item(0)).ToString()\r\n      #$WMIFilterADObject.Name = $result.properties&#x5B;&quot;name&quot;].item(0)\r\n      $WMIFilterADObject.ObjectClass = &quot;msWMI-Som&quot;\r\n      # Convert the ObjectGUID property byte array to a GUID\r\n      &#x5B;GUID]$GUID = $result.properties&#x5B;&quot;ObjectGUID&quot;].item(0)\r\n      $WMIFilterADObject.ObjectGUID = $GUID\r\n    }\r\n#&gt;\r\n    $WMIFilterADObject = Get-ADObject -Filter 'objectClass -eq &quot;msWMI-Som&quot;' -Properties &quot;msWMI-Name&quot;,&quot;msWMI-Parm1&quot;,&quot;msWMI-Parm2&quot; | \r\n                Where {$_.&quot;msWMI-Name&quot; -eq &quot;$msWMIName&quot;}\r\n    #$WMIFilterADObject\r\n    #$WMIFilterADObject | gm -Force\r\n    #ConvertTo-WmiFilter $WMIFilterADObject\r\n  }\r\n\r\n  $ExistingGPO = get-gpo $GPOName -ea &quot;SilentlyContinue&quot;\r\n  If ($ExistingGPO -eq $NULL) {\r\n    write-Verbose &quot;Creating the $GPOName Group Policy Object...&quot;\r\n\r\n    If ($WhatIfPreference -eq $False) {\r\n      $GPO = New-GPO -Name $GPOName\r\n\r\n      write-verbose &quot;Disabling User Settings&quot;\r\n      $GPO.GpoStatus = &quot;UserSettingsDisabled&quot;\r\n    }\r\n\r\n    If ($WMIFilter -ne &quot;none&quot;) {\r\n      If ($WhatIfPreference -eq $False) {\r\n        Write-Verbose &quot;Adding the WMI Filter&quot;\r\n        $GPO.WmiFilter = ConvertTo-WmiFilter $WMIFilterADObject\r\n      }\r\n    }\r\n\r\n    If ($WhatIfPreference -eq $False) {\r\n      write-verbose &quot;Setting the registry keys in the Preferences section of the new GPO&quot;\r\n\r\n      Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n        -Key 
&quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config&quot; `\r\n        -Type DWord -ValueName &quot;AnnounceFlags&quot; -Value $AnnounceFlags | out-null\r\n      Write-Verbose &quot;Set AnnounceFlags to a value of $AnnounceFlags&quot;\r\n\r\n      If ($MaxPosPhaseCorrection -ne &quot;default&quot;) {\r\n        Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n          -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config&quot; `\r\n          -Type DWord -ValueName &quot;MaxPosPhaseCorrection&quot; -Value $MaxPosPhaseCorrection | out-null\r\n        Write-Verbose &quot;Set MaxPosPhaseCorrection to a value of $MaxPosPhaseCorrection&quot;\r\n      }\r\n\r\n      If ($MaxNegPhaseCorrection -ne &quot;default&quot;) {\r\n        Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n          -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config&quot; `\r\n          -Type DWord -ValueName &quot;MaxNegPhaseCorrection&quot; -Value $MaxNegPhaseCorrection | out-null\r\n        Write-Verbose &quot;Set MaxNegPhaseCorrection to a value of $MaxNegPhaseCorrection&quot;\r\n      }\r\n\r\n      If ($SpecialPollInterval -ne &quot;default&quot;) {\r\n        Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n          -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient&quot; `\r\n          -Type DWord -ValueName &quot;SpecialPollInterval&quot; -Value $SpecialPollInterval | out-null\r\n        Write-Verbose &quot;Set SpecialPollInterval to a value of $SpecialPollInterval&quot;\r\n      }\r\n\r\n      Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n        -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters&quot; `\r\n        -Type String -ValueName &quot;NtpServer&quot; -Value &quot;$NtpServer&quot; | out-null\r\n      Write-Verbose &quot;Set NtpServer to a value of 
$NtpServer&quot;\r\n \r\n      Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n        -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters&quot; `\r\n        -Type String -ValueName &quot;Type&quot; -Value &quot;$Type&quot; | out-null\r\n      Write-Verbose &quot;Set Type to a value of $Type&quot;\r\n\r\n      If ($DisableVirtualHostTimeSynchronization) {\r\n        # Disable the Hyper-V\/ESX time synchronization integration service.\r\n        Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `\r\n          -Key &quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\VMICTimeProvider&quot; `\r\n          -Type DWord -ValueName &quot;Enabled&quot; -Value 0 -Disable | out-null\r\n        Write-Verbose &quot;Disabled the VMICTimeProvider&quot;\r\n      }\r\n\r\n      # Link the new GPO to the specified OU\r\n      write-Verbose &quot;Linking the $GPOName Group Policy Object to the $TargetOU OU...&quot;\r\n      New-GPLink -Name $GPOName -Target &quot;$TargetOU&quot; | out-null\r\n    }\r\n  } Else {\r\n    write-Warning &quot;The $GPOName Group Policy Object already exists.&quot;\r\n    If ($WMIFilter -ne &quot;none&quot;) {\r\n      write-Verbose &quot;Adding the $msWMIName WMI Filter...&quot;\r\n      If ($WhatIfPreference -eq $False) {\r\n        $ExistingGPO.WmiFilter = ConvertTo-WmiFilter $WMIFilterADObject\r\n      }\r\n      write-Verbose &quot;Linking the $GPOName Group Policy Object to the $TargetOU OU...&quot;\r\n      If ($WhatIfPreference -eq $False) {\r\n        Try {\r\n          New-GPLink -Name $GPOName -Target &quot;$TargetOU&quot; -errorAction Stop | out-null\r\n        }\r\n        Catch {\r\n          write-verbose &quot;The GPO is already linked&quot;\r\n        }\r\n      }\r\n    }\r\n  }\r\n  write-Verbose &quot;Completed.&quot;\r\n  $ObjectExists = $NULL\r\n}\r\n\r\n#-------------------------------------------------------------\r\n\r\nIf ($IsForestRoot) 
{\r\n  $PDCeType = &quot;NTP&quot;\r\n} Else {\r\n  $PDCeType = &quot;AllSync&quot;\r\n}\r\n\r\n$TargetDCOU = &quot;OU=Domain Controllers,&quot; + $DomainDistinguishedName\r\n\r\n# Syntax:\r\n# Create-Policy &lt;GPOName&gt; &lt;TargetOU&gt; &lt;NtpServer&gt; &lt;AnnounceFlags&gt; &lt;Type&gt; &lt;MaxPosPhaseCorrection&gt; &lt;MaxNegPhaseCorrection&gt; &lt;SpecialPollInterval&gt; &lt;WMIFilter&gt;\r\n\r\nWrite-Verbose &quot;Creating the WMI Filters and Policies...&quot;\r\n\r\nCreate-Policy &quot;$PDCeGPOName&quot; &quot;$TargetDCOU&quot; &quot;$TimeServers&quot; 5 $PDCeType 172800 172800 3600 $PDCeWMIFilter\r\nCreate-Policy &quot;$NonPDCeGPOName&quot; &quot;$TargetDCOU&quot; &quot;time.windows.com,0x9&quot; 10 &quot;NT5DS&quot; 172800 172800 &quot;default&quot; $NonPDCeWMIFilter\r\nCreate-Policy &quot;$DomainMembersGPOName&quot; &quot;$DomainDistinguishedName&quot; &quot;time.windows.com,0x9&quot; 10 &quot;NT5DS&quot; 172800 172800 &quot;default&quot; &quot;none&quot;\r\n<\/pre>\n<p>References:<\/p>\n<ul>\n<li>Industry Blog: <a href=\"http:\/\/carlwebster.com\/creating-a-group-policy-using-microsoft-powershell-to-configure-the-authoritative-time-server\/\" target=\"_blank\">Creating a Group Policy using Microsoft PowerShell to Configure the Authoritative Time Server<\/a><\/li>\n<li>Microsoft TechNet Blog: <a href=\"http:\/\/blogs.technet.com\/b\/askds\/archive\/2008\/11\/13\/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx\" target=\"_blank\">Configuring an Authoritative Time Server with Group Policy Using WMI Filtering<\/a><\/li>\n<li>Industry Blog: <a href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2010\/09\/26\/configuring-and-managing-the-windows-time-service-part-1\/\" target=\"_blank\">Configuring And Managing The Windows Time Service (Part 1)<\/a><\/li>\n<li>Industry Blog: <a 
href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2010\/09\/26\/configuring-and-managing-the-windows-time-service-part-2\/\" target=\"_blank\">Configuring And Managing The Windows Time Service (Part 2)<\/a><\/li>\n<li>Industry Blog: <a href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2010\/09\/26\/configuring-and-managing-the-windows-time-service-part-3\/\" target=\"_blank\">Configuring And Managing The Windows Time Service (Part 3)<\/a><\/li>\n<li>Industry Blog: <a href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2010\/09\/26\/configuring-and-managing-the-windows-time-service-part-4\/\" target=\"_blank\">Configuring And Managing The Windows Time Service (Part 4)<\/a><\/li>\n<li>Microsoft TechNet:&nbsp;<a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc773263(v=ws.10).aspx\" target=\"_blank\">Windows Time Service Tools and Settings<\/a><\/li>\n<li>Microsoft MSDN Blog:&nbsp;<a href=\"http:\/\/blogs.msdn.com\/b\/w32time\/archive\/2009\/02\/02\/group-policy-settings-explained.aspx\" target=\"_blank\">Group Policy Settings Explained<\/a><\/li>\n<li>Microsoft TechNet Script Center: <a href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/Group-Policy-WMI-filter-38a188f3\" target=\"_blank\">Group Policy WMI filter cmdlet module<\/a><\/li>\n<li>Industry Blog: <a href=\"http:\/\/jorgequestforknowledge.wordpress.com\/2013\/11\/17\/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations-again\/\" target=\"_blank\">Time Sync Recommendations For Virtual DCs On Hyper-V \u2013 Change In Recommendations (AGAIN)<\/a><\/li>\n<li>Microsoft MSDN Blog: <a href=\"http:\/\/blogs.msdn.com\/b\/virtual_pc_guy\/archive\/2010\/11\/19\/time-synchronization-in-hyper-v.aspx\" target=\"_blank\">Time Synchronization in Hyper-V<\/a><\/li>\n<li>Industry Blog: <a href=\"http:\/\/kevingreeneitblog.blogspot.com.au\/2011\/01\/hyper-v-time-synchronization-on-windows.html\" target=\"_blank\">Hyper V Time Synchronization on a Windows Based 
Network<\/a><\/li>\n<li>Industry Blog:&nbsp;<a href=\"https:\/\/dimitri.janczak.net\/2017\/02\/07\/ntpclient-error-0x800706e1\/\" target=\"_blank\">NtpClient Error 0x800706E1<\/a><\/li>\n<\/ul>\n<p>Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This PowerShell script will create the Time Server GPOs and WMI Filters for the Domain Controllers&nbsp;to ensure your time server hierarchy remains correct for transfer and seizure of the PDC emulator&nbsp;FSMO role holder. However, before I talk about the script it&#8217;s important to provide some background information on the required settings for the Windows Time &#8230; <a title=\"Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy\" class=\"read-more\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2014\/01\/10\/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153\" aria-label=\"Read more about Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[202,5],"tags":[300,208,214,305,306,304,298,309,308,299,301,303,302,307],"class_list":["post-1153","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-scripting","tag-announceflags","tag-domain-controller","tag-gpo","tag-hierarchy","tag-hyper-v","tag-microsoft-grouppolicy-wmifilter","tag-ntpserver","tag-pdc-emulator","tag-pdce","tag-type","tag-w32time","tag-w32tm","tag-w32tm-exe","tag-wmifilter"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/comments?post=1153"}],"version-history":[{"count":5,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1153\/revisions"}],"predecessor-version":[{"id":1813,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1153\/revisions\/1813"}],"wp:attachment":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/media?parent=1153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/categories?post=1153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/tag
s?post=1153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}