Practical uses for switch

# Current WSUS Policy Settings:
$WSUSSettings = Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | Select-Object -ExpandProperty AUOptions
switch ($WSUSSettings)
    {
    2 {"Windows Updates: Notify before download"}
    3 {"Windows Updates: Automatically download and notify of installation"}
    4 {"Windows Updates: Automatically download and scheduled installation"}
    5 {"Windows Updates: Automatic Updates is required, but end users can configure it"}
    }

# AD Machine Role:
# Get-CimInstance works in both Windows PowerShell and PowerShell 7 (Get-WmiObject is not available in 7).
$DomainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
# MANUAL and DOMHIER are values accepted by w32tm /config /syncfromflags.
switch ($DomainRole)
    {
    0 {"Stand Alone Workstation" ; $SYNCType = "MANUAL"}
    1 {"Member Workstation" ; $SYNCType = "DOMHIER"}
    2 {"Standalone Server" ; $SYNCType = "MANUAL"}
    3 {"Member Server" ; $SYNCType = "DOMHIER"}
    4 {"Backup Domain Controller" ; $SYNCType = "DOMHIER"}
    5 {"Primary Domain Controller" ; $SYNCType = "MANUAL"}
    }

The Domain Role portion is part of my other script for setting NTP time to match best practice for AD. I will be uploading that script to my GitHub in the near future, as soon as I make it company agnostic.
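An added example (not the author's script) that reuses the DomainRole mapping above to audit the Windows Time service source for a machine's role. The function names and output shape are hypothetical; it assumes `MANUAL` corresponds to the W32Time registry `Type` value `NTP` and `DOMHIER` to `NT5DS`, and the sample inputs are constructed.

```powershell
# Added example: map DomainRole to the expected time source, then compare with what is configured.
function Get-ExpectedTimeSync {
    param([Parameter(Mandatory)][int]$DomainRole)
    switch ($DomainRole) {
        # Standalone machines and the PDC emulator use a manual peer list.
        { $_ -in 0, 2, 5 } { [pscustomobject]@{ SyncFlag = 'MANUAL';  RegistryType = 'NTP'   } }
        # Domain members and other DCs follow the domain hierarchy.
        { $_ -in 1, 3, 4 } { [pscustomobject]@{ SyncFlag = 'DOMHIER'; RegistryType = 'NT5DS' } }
        default            { throw "Unexpected DomainRole value: $DomainRole" }
    }
}

function Test-TimeSyncConfig {
    param(
        [Parameter(Mandatory)][int]$DomainRole,
        [Parameter(Mandatory)][AllowEmptyString()][string]$ActualType,
        [string]$NtpServer = ''
    )
    $expected = Get-ExpectedTimeSync -DomainRole $DomainRole
    $findings = @()
    if ($ActualType -ne $expected.RegistryType) {
        $findings += "Type is '$ActualType', expected '$($expected.RegistryType)' " +
                     "(w32tm /config /syncfromflags:$($expected.SyncFlag))"
    }
    # A manual source with no peers configured leaves the clock free-running.
    if ($expected.RegistryType -eq 'NTP' -and [string]::IsNullOrWhiteSpace($NtpServer)) {
        $findings += 'Manual sync expected but the NtpServer peer list is empty'
    }
    [pscustomobject]@{
        DomainRole = $DomainRole
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample inputs (no real hosts): a PDC left on NT5DS, and a correct member server.
Test-TimeSyncConfig -DomainRole 5 -ActualType 'NT5DS'
Test-TimeSyncConfig -DomainRole 3 -ActualType 'NT5DS'

# Live check, only attempted on Windows.
if ($env:OS -eq 'Windows_NT') {
    $w32  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    Test-TimeSyncConfig -DomainRole $role -ActualType $w32.Type -NtpServer $w32.NtpServer
}
```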

One thought on “Practical uses for switch”

  1. I finally found where Microsoft moved the defending article for this.

    https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx

    According to best practices, the PDC emulator should never ever be set to DOMHIER or NT5DS; it should be the one responsible for NTP time sync and should be set to “NTP”, and the NTP server should be reachable over port 123 UDP. By default NTP servers will not accept a connection, so you have to use UDP port 123.

    The Win32TM command line tool has a /monitor parameter you can use to test port 123 connectivity as follows.

    w32tm /monitor /computers:time.nist.gov

    If that returns an error or does not return an “ICMP: 0ms delay” value, then it was not able to connect over port 123 for proper time sync.
