How do you configure Authoritative Time Service in Group Policy so all the domain members use the domain controller with the PDC FSMO role?
I know by default domain members sync time to the domain controller. However computers can be set later to pull time from an external source and then cause problem. How can this be fixed in Group Policy so that domain members always sync back to the domain controller and that that the domain controller syncs from hardware?
Solution 1:
There is a pretty good article on MSDN Blogs that describes how to configure Windows Time Service using Group Policy.
Group Policy Settings Explained - Windows Time Service (blogs.msdn.com)
Solution 2:
By default, unless you've modified it, all DC's sync to the PDC emulator, and clients will sync to the DC's in the closest site defined to them in sites and services. The PDC emulator should be synced to an upstream time source. I've NEVER had to make a policy change on the client policies.