  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 329

NET TIME - how do I find where my DC is getting its time from?

Just while examining some domain time settings, the question came up "where does the DC get its time from?"

net time /querysntp
shows no sntp servers available

does this mean that we're running in our own little time bubble?

Asked by: Danny Child
1 Solution
 
JamesDS commented:
DanCh99

If your DC is also the PDCEmulator for your domain then it is getting it from nowhere and the Application event log will be logging W32Time errors occasionally (yellow ones!)

If your DC is NOT the PDCE then it will be getting its time from the PDCE for your domain.

See my next (rather long) post about diagnosing and fixing timesync issues if you have a problem with it

Cheers

JamesDS
 
JamesDS commented:
DanCh99
Fixing timesync is different according to the machine type...

If it's a Member Server, standard Domain Controller (not a PDCEmulator) or standard workstation then behave as if it's a member server (below).
If it's a PDCEmulator then make sure you allow port 123 TCP/UDP outbound on your firewall and configure the external Microsoft time service by entering this at the command line:
NET TIME /SETSNTP:time.windows.com

If it's a workstation, member server or a standard Domain Controller:

Members of the Active Directory sync with their local DC (local as in local AD site). The DCs then sync with the PDCEmulator, so the PDCE is the root of all time - as it were!

Diagnosis of timesync errors is difficult, but do not be tempted to use NET TIME /SETSNTP: on all machines in the domain (as suggested in answers to many questions like this one) unless it's a PDCE, as it specifically overrides the natural internal operation of the time service within Active Directory.

These commands are written for Windows 2003 and Windows XP. There are some equivalents for Windows 2000; use W32tm /? or W32Time /? from the command line to look for alternatives on older OSs.

Use NET TIME /SETSNTP:
to clear any entry and return to the default settings

Use NET TIME /SET /YES
to sync NOW with your authenticating DC and begin the diagnosis:

Start by verifying your domain is syncing AD by using REPLMON.EXE in the support tools pack on the Windows installation CD.

If this is OK then run this from the command line:
W32TM /monitor

to ensure that each member server/workstation is actually pointing to a DC.

If this is OK then run this from the command line:
W32TM /resync /rediscover

followed by:
W32TM /resync /nowait

and check the system eventlog for W32TIME errors. This process does a full reset and recheck of the time system as it relates to one member machine on your AD.

Post any errors here

Explanation of why it doesn't always instantly set the right time:
Timesync works as follows:

If the local clock time of the time client is behind the current time received from the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is more than three minutes ahead of the time on the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.

W32Time will periodically check its local time with the current time by connecting to the time source. This process starts as soon as the service turns on during system start-up. W32Time attempts synchronization every 45 minutes until the clocks have successfully synchronized three times. When the clocks are correctly synchronized, W32Time then synchronizes at eight-hour intervals, unless there is a failure to obtain a timestamp, or a validation failure. If there is a failure, the process starts over from the beginning.

Set it by hand (or with the command NET TIME /SET /YES) as close as you can and then simply leave it to sort itself out.


Cheers

JamesDS
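The correction rules and polling schedule JamesDS describes above, modelled as an added Python example (not code from this thread or from Microsoft's W32Time). It assumes that "halving the frequency" means the client clock runs at half its normal rate until the offset is used up, which the post does not state.

```python
# Added illustration of the W32Time behaviour described in the post above.
# Not code from the thread or from Microsoft's W32Time implementation.

STEP_THRESHOLD_S = 3 * 60   # "more than three minutes ahead" -> step immediately
HALVE_THRESHOLD_S = 15      # "less than 15 seconds ahead" -> halve the frequency
RETRY_MIN = 45              # polling interval until three successful syncs
STEADY_MIN = 8 * 60         # polling interval once the clock is considered in sync


def correction(offset_s):
    """Decide how W32Time corrects a client whose clock is `offset_s` seconds
    ahead of the server (negative = behind the server).

    Returns (action, clock_rate, seconds_to_converge).
    Assumption (not stated in the post): running at rate r loses (1 - r)
    seconds of clock time per real second, so slewing away `offset_s`
    seconds takes offset_s / (1 - r) real seconds.
    """
    if offset_s == 0:
        return ("none", 1.0, 0.0)
    if offset_s < 0 or offset_s > STEP_THRESHOLD_S:
        # behind the server, or too far ahead: the clock is set immediately
        return ("step", 1.0, 0.0)
    rate = 0.5 if offset_s < HALVE_THRESHOLD_S else 0.25
    return ("slew", rate, offset_s / (1.0 - rate))


def poll_schedule(results):
    """Minutes after service start at which each sync attempt happens.

    `results` holds one True/False per attempt. W32Time polls every 45
    minutes until it has synchronized three times, then every eight hours;
    any failure starts the count over from the beginning.
    """
    times, t, successes = [], 0, 0
    for ok in results:
        times.append(t)
        successes = successes + 1 if ok else 0
        t += STEADY_MIN if successes >= 3 else RETRY_MIN
    return times


if __name__ == "__main__":
    for offset in (-30, 10, 60, 200):          # constructed sample offsets
        print(offset, correction(offset))
    # constructed sample: one failed poll resets the 45-minute cycle
    print(poll_schedule([True, False, True, True, True, True]))
```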
 
Danny Child (IT Manager, Author) commented:
James, thanks for the comprehensive info
yep, the DC is also the PDCE.  Replication seems ok.  

I applied the NET TIME /SETSNTP:time.windows.com command, and that seemed ok, and then to test, I used W32TM -s but this gave the error
RPC to local server returned 0x0

and I also saw event log error:

Event Type:      Warning
Event Source:      w32time
Event Category:      None
Event ID:      54
Date:            06/10/2004
Time:            10:56:26
User:            N/A
Computer:      LGLONA01
Description:
The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

This is the same error that we've seen earlier on in the logs.  I think the firewall may need opening up as you stated, so that's what I'll do next.  
btw, w32tm /monitor didn't produce any response on my w2k boxes (just showed the available switches) - I guess what we're looking for is the name of the time source that each server is using.  
So, I used w32tm -v on different servers, and once you wade through the dross, it shows that the DC is trying to get to time.microsoft.com, and that other servers are looking to the DC.
 
JamesDS commented:
DanCh99
It sounds ok, but I don't like the look of that event log message. I would have expected it to say "The Windows Time Service was not able to find an accurate Time Source. A time and date update was not possible" if it was the firewall, but I could be wrong there!

Download DUMPFSMOS from here and just confirm that the DC you are working on is the PDCE
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

The W32tm switches I provided are mostly for XP and 2003; some of them have equivalents on 2000, but not all.

Cheers

JamesDS
 
Danny Child (IT Manager, Author) commented:
I've done dumpfsmos, and it's def the PDCE.  
I'm getting a bit of flak from the security folk here about opening up 2 firewalls, so I may take an alternative tack and set it to sync with our proxy server, which is in the DMZ and already syncing to an external source.  That way I only have to go through 1 firewall.
 
JamesDS commented:
DanCh99
Opening up your firewall to allow port 123 outbound for one server only is hardly a security risk. Tell your security folks to read up on the NTP protocol and see if they can find any exploits!

Syncing to the Proxy server is fine, so long as you have configured it as a time server. DCs are the only things that configure themselves as time servers by default so you will probably need additional software to do it.

Cheers

JamesDS
 
Danny Child (IT Manager, Author) commented:
yep, you were right, my workaround won't work.  I'll see about this second firewall now.  
just in case it helps anyone else peeking through here, the time settings are all stored here:

http://www.jsiinc.com/SUBE/tip2200/rh2273.htm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

btw, our kix login script runs
settime @lserver
but as AD keeps on top of time syncing, I guess this is unnecessary for all 2k clients.
 
JamesDS commented:
DanCh99

yup, you should let the service do its own timesyncing. Any Windows 2000, 2003 or XP machine on the domain will sync automatically.

Cheers

JamesDS
 
Danny Child (IT Manager, Author) commented:
James, ta for all the info.  Really useful.
 
JamesDS commented:
DanCh99

Welcome, glad to help
Cheers

JamesDS