Syncing local machines with server time

Posted on 2014-01-10
Medium Priority
Last Modified: 2014-01-17
Hi all,

We are trying to sync all the machines on the network with the time on the server through a logon script however it isn't working.

When testing the command manually through cmd, we get what is shown in the image.

The server time is being set using Atomic Clock Sync.
Question by:cbapartnership
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39770624
As long as you've joined the machines to the domain and have not customized the default settings in the OS (by group policy or other) time syncing is automatic. Client OSes joined to a domain use the windows time service and regularly sync to a domain controller. This happens even when users are not logged in, so a logon script is rather superfluous.
LVL 20

Expert Comment

ID: 39770626
The user must be granted the permission to change system's time.

Author Comment

ID: 39770647
Thanks for your quick responses.

I agree, the client OSes should be automatic but they are out of time by a couple of minutes so something is not working. So to get around this, I want to use Atomic Clock Sync. I used to use it on a previous Windows SBS 2003 server and I didnt have any problems. I suspect that our new SBS 2011 server may have more tighter access rights security.

We use a logon script to map drives and it made sense to just put the "Net Time" command in there as well.

Can you tell me if I need to change the user permission to change the time on all the PC's or can I do it just from the server?
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

LVL 20

Assisted Solution

strivoli earned 450 total points
ID: 39770653
You must grant "Change the system time" permission to the user on all PCs. Do that on one PC and see what happens. After you've seen it's what you want, you can do the change using GPO which will affect all PCs.
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 450 total points
ID: 39770654
If the windows time service is not syncing clients then net time will fail as well. They both use the same underlying architecture. You need to troubleshoot the cause of the sync failing. Not the symptom. Or you'll fond you have the same problem because the root cause is still there.

Using an atomic click app on the server to which the clients sync is fine. I personally think it is unnecessary, but it is still fine. The problem is the client syncing mechanism. And again, unless you are installing atomic sync on all the clients, net time uses the same communications and protocols as the windows time service, so your efforts to script it are reinventing the wheel. A wheel that, in your case, is broken and that you are trying to replace with another broken wheel.

Accepted Solution

Red-King earned 600 total points
ID: 39770764
As the others have mentioned it is best to configure your domain controller to sync it's time from an external source and then get your desktops syncing against that.
Trying to set all desktops to sync from an external source will use up bandwidth on your WAN link and you'll probably still have a number of PCs that are reporting an inaccurate time as they cannot connect to the the external source for some reason.

You need to determine where your PCs are currently getting their time.
You mentioned you're using an SBS 2011 server which is essentially a Windows 2008 R2 server.

Here's some commands you can run from a command line on a desktop PC that will help you find any errors.
(Run the command prompt as an administrator for some of these to work)

Firstly find your Primary Domain Controller (PDC). This should be your SBS 2011 server;
netdom /query fsmo

Open in new window

You'll get some output like this;
Schema master               SVR004.domain.local
Domain naming master        SVR004.domain.local
PDC                         SVR004.domain.local
RID pool manager            SVR004.domain.local
Infrastructure master       SVR004.domain.local
The command completed successfully.

Open in new window

Next find where the desktop is getting it's time from (I'm running this on Windows 8.1 but you should get much the same results);
w32tm /query /status

Open in new window

This should give you some output like this;
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0937500s
Root Dispersion: 0.3542354s
ReferenceId: 0x0A010A03 (source IP:
Last Successful Sync Time: 10/01/2014 11:36:22
Source: svr016.domain.local
Poll Interval: 11 (2048s)

Open in new window

Note the "Last Successful Sync Time" and the "Source".
In my results you'll see that my Desktop's Source is different to the server listed as a PDC. If I log into svr016.domain.local and run the status command again I get the following;
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0625000s
Root Dispersion: 0.3052694s
ReferenceId: 0x0A010A01 (source IP:
Last Successful Sync Time: 10/01/2014 11:46:09
Source: SVR004.domain.local
Poll Interval: 10 (1024s)

Open in new window

So you can see that my desktop sync's to svr016.domain.local (which is a DC) and this server in turn sync's to svr004.domain.local (the PDC).
Lastly, if I run the same query on the svr004.domain.local you'll see it's syncing to the external time source;
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.1253321s
ReferenceId: 0xC101DB74 (source IP:
Last Successful Sync Time: 10/01/2014 12:00:10
Source: 1.ie.pool.ntp.org,0x1
Poll Interval: 10 (1024s)

Open in new window

To build up a report of the status of each desktop you can add the following to your logon script;
w32tm /query /status > \\fileserver.domain.local\public\%computername%_w32tm-status.txt

Open in new window

If you've point the fileserver path to a folder where everybody has write permissions then you will get a bunch of files listed by the computer names (dktp001_w32tm-status.txt etc.)

So once you've determined that your Desktops are syncing against your domain controller correctly you can then go ahead and configure the external time source on your PDC.
To do that you can use this series of commands;
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org”
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
w32tm /query /status

Open in new window

Hopefully that will get you most of the way there to having accurate time throughout all your desktops.


Edit: Had the FSMO role results in the wrong place

Author Closing Comment

ID: 39787961
When I originally ran the NET TIME command from a cmd window, I got the access rights privilege error. I now realise why this happened - I didn't run cmd as an administrator. As soon as I did, it worked. The next day I checked several client PC's and they have the exact time as the server so all is working now.

Many thanks for all your advice.

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question