Friday, May 1, 2009
So, this isn't configured out of the box for your forest. Interesting.
You can set this up via Group Policy or the command-line. Tech-net suggests the command-line. So that's what i did. But, you can break it if you first mucked with the GPO's (like I did). But MS Support saved the day: http://support.microsoft.com/kb/969304
Do this to begin with: http://technet.microsoft.com/en-us/library/cc786897.aspx
For peers: "time.nist.gov" or "time.windows.com". I used NIST's ntp server, don't know why but i did.
Then from your client machines connected to the domain, they should use the PDC as an authoritative source. MS says do this: http://technet.microsoft.com/en-us/library/cc758905.aspx
I did the following on my client:
w32tm /config /syncfromflags:domhier /update
But then called w32tm /resync instead of using the "Net" command to restart the w32tm service. The /update switch on the first command should take care of that. And indeed, my client resynced with the domain controller's time clock. MAGIC!
I'll throw up a PowerShell script tomorrow :) or maybe Sunday...who knows.
FYI - gpupdate /force is a great way to immediately test your Group Policy changes, but is very dangerous if you're silly and do something stupid. So use with caution.