• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419
  • Last Modified:

Syncing local machines with server time

Hi all,

We are trying to sync all the machines on the network with the time on the server through a logon script however it isn't working.

When testing the command manually through cmd, we get what is shown in the image.

The server time is being set using Atomic Clock Sync.
cmd.png
0
cbapartnership
Asked:
cbapartnership
  • 2
  • 2
  • 2
  • +1
3 Solutions
 
Cliff GaliherCommented:
As long as you've joined the machines to the domain and have not customized the default settings in the OS (by group policy or other) time syncing is automatic. Client OSes joined to a domain use the windows time service and regularly sync to a domain controller. This happens even when users are not logged in, so a logon script is rather superfluous.
0
 
strivoliCommented:
The user must be granted the permission to change system's time.
0
 
cbapartnershipAuthor Commented:
Thanks for your quick responses.

I agree, the client OSes should be automatic but they are out of time by a couple of minutes so something is not working. So to get around this, I want to use Atomic Clock Sync. I used to use it on a previous Windows SBS 2003 server and I didnt have any problems. I suspect that our new SBS 2011 server may have more tighter access rights security.

We use a logon script to map drives and it made sense to just put the "Net Time" command in there as well.

Can you tell me if I need to change the user permission to change the time on all the PC's or can I do it just from the server?
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
strivoliCommented:
You must grant "Change the system time" permission to the user on all PCs. Do that on one PC and see what happens. After you've seen it's what you want, you can do the change using GPO which will affect all PCs.
0
 
Cliff GaliherCommented:
If the windows time service is not syncing clients then net time will fail as well. They both use the same underlying architecture. You need to troubleshoot the cause of the sync failing. Not the symptom. Or you'll fond you have the same problem because the root cause is still there.

Using an atomic click app on the server to which the clients sync is fine. I personally think it is unnecessary, but it is still fine. The problem is the client syncing mechanism. And again, unless you are installing atomic sync on all the clients, net time uses the same communications and protocols as the windows time service, so your efforts to script it are reinventing the wheel. A wheel that, in your case, is broken and that you are trying to replace with another broken wheel.
0
 
Red-KingIT ManagerCommented:
As the others have mentioned it is best to configure your domain controller to sync it's time from an external source and then get your desktops syncing against that.
Trying to set all desktops to sync from an external source will use up bandwidth on your WAN link and you'll probably still have a number of PCs that are reporting an inaccurate time as they cannot connect to the the external source for some reason.

You need to determine where your PCs are currently getting their time.
You mentioned you're using an SBS 2011 server which is essentially a Windows 2008 R2 server.

Here's some commands you can run from a command line on a desktop PC that will help you find any errors.
(Run the command prompt as an administrator for some of these to work)

Firstly find your Primary Domain Controller (PDC). This should be your SBS 2011 server;
netdom /query fsmo

Open in new window

You'll get some output like this;
Schema master               SVR004.domain.local
Domain naming master        SVR004.domain.local
PDC                         SVR004.domain.local
RID pool manager            SVR004.domain.local
Infrastructure master       SVR004.domain.local
The command completed successfully.

Open in new window

Next find where the desktop is getting it's time from (I'm running this on Windows 8.1 but you should get much the same results);
w32tm /query /status

Open in new window

This should give you some output like this;
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0937500s
Root Dispersion: 0.3542354s
ReferenceId: 0x0A010A03 (source IP:  10.1.10.3)
Last Successful Sync Time: 10/01/2014 11:36:22
Source: svr016.domain.local
Poll Interval: 11 (2048s)

Open in new window

Note the "Last Successful Sync Time" and the "Source".
In my results you'll see that my Desktop's Source is different to the server listed as a PDC. If I log into svr016.domain.local and run the status command again I get the following;
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0625000s
Root Dispersion: 0.3052694s
ReferenceId: 0x0A010A01 (source IP:  10.1.10.1)
Last Successful Sync Time: 10/01/2014 11:46:09
Source: SVR004.domain.local
Poll Interval: 10 (1024s)

Open in new window

So you can see that my desktop sync's to svr016.domain.local (which is a DC) and this server in turn sync's to svr004.domain.local (the PDC).
Lastly, if I run the same query on the svr004.domain.local you'll see it's syncing to the external time source;
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.1253321s
ReferenceId: 0xC101DB74 (source IP:  193.1.219.116)
Last Successful Sync Time: 10/01/2014 12:00:10
Source: 1.ie.pool.ntp.org,0x1
Poll Interval: 10 (1024s)

Open in new window


To build up a report of the status of each desktop you can add the following to your logon script;
w32tm /query /status > \\fileserver.domain.local\public\%computername%_w32tm-status.txt

Open in new window

If you've point the fileserver path to a folder where everybody has write permissions then you will get a bunch of files listed by the computer names (dktp001_w32tm-status.txt etc.)

So once you've determined that your Desktops are syncing against your domain controller correctly you can then go ahead and configure the external time source on your PDC.
To do that you can use this series of commands;
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org”
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
w32tm /query /status

Open in new window


Hopefully that will get you most of the way there to having accurate time throughout all your desktops.

Rory

Edit: Had the FSMO role results in the wrong place
0
 
cbapartnershipAuthor Commented:
When I originally ran the NET TIME command from a cmd window, I got the access rights privilege error. I now realise why this happened - I didn't run cmd as an administrator. As soon as I did, it worked. The next day I checked several client PC's and they have the exact time as the server so all is working now.

Many thanks for all your advice.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now