Syncing local machines with server time

Posted on 2014-01-10
Last Modified: 2014-01-17
Hi all,

We are trying to sync all the machines on the network with the time on the server through a logon script however it isn't working.

When testing the command manually through cmd, we get what is shown in the image.

The server time is being set using Atomic Clock Sync.
Question by:cbapartnership
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39770624
As long as you've joined the machines to the domain and have not customized the default settings in the OS (by group policy or other) time syncing is automatic. Client OSes joined to a domain use the windows time service and regularly sync to a domain controller. This happens even when users are not logged in, so a logon script is rather superfluous.
LVL 19

Expert Comment

ID: 39770626
The user must be granted the permission to change system's time.

Author Comment

ID: 39770647
Thanks for your quick responses.

I agree, the client OSes should be automatic but they are out of time by a couple of minutes so something is not working. So to get around this, I want to use Atomic Clock Sync. I used to use it on a previous Windows SBS 2003 server and I didnt have any problems. I suspect that our new SBS 2011 server may have more tighter access rights security.

We use a logon script to map drives and it made sense to just put the "Net Time" command in there as well.

Can you tell me if I need to change the user permission to change the time on all the PC's or can I do it just from the server?
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

LVL 19

Assisted Solution

strivoli earned 150 total points
ID: 39770653
You must grant "Change the system time" permission to the user on all PCs. Do that on one PC and see what happens. After you've seen it's what you want, you can do the change using GPO which will affect all PCs.
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 150 total points
ID: 39770654
If the windows time service is not syncing clients then net time will fail as well. They both use the same underlying architecture. You need to troubleshoot the cause of the sync failing. Not the symptom. Or you'll fond you have the same problem because the root cause is still there.

Using an atomic click app on the server to which the clients sync is fine. I personally think it is unnecessary, but it is still fine. The problem is the client syncing mechanism. And again, unless you are installing atomic sync on all the clients, net time uses the same communications and protocols as the windows time service, so your efforts to script it are reinventing the wheel. A wheel that, in your case, is broken and that you are trying to replace with another broken wheel.

Accepted Solution

Red-King earned 200 total points
ID: 39770764
As the others have mentioned it is best to configure your domain controller to sync it's time from an external source and then get your desktops syncing against that.
Trying to set all desktops to sync from an external source will use up bandwidth on your WAN link and you'll probably still have a number of PCs that are reporting an inaccurate time as they cannot connect to the the external source for some reason.

You need to determine where your PCs are currently getting their time.
You mentioned you're using an SBS 2011 server which is essentially a Windows 2008 R2 server.

Here's some commands you can run from a command line on a desktop PC that will help you find any errors.
(Run the command prompt as an administrator for some of these to work)

Firstly find your Primary Domain Controller (PDC). This should be your SBS 2011 server;
netdom /query fsmo

Open in new window

You'll get some output like this;
Schema master               SVR004.domain.local
Domain naming master        SVR004.domain.local
PDC                         SVR004.domain.local
RID pool manager            SVR004.domain.local
Infrastructure master       SVR004.domain.local
The command completed successfully.

Open in new window

Next find where the desktop is getting it's time from (I'm running this on Windows 8.1 but you should get much the same results);
w32tm /query /status

Open in new window

This should give you some output like this;
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0937500s
Root Dispersion: 0.3542354s
ReferenceId: 0x0A010A03 (source IP:
Last Successful Sync Time: 10/01/2014 11:36:22
Source: svr016.domain.local
Poll Interval: 11 (2048s)

Open in new window

Note the "Last Successful Sync Time" and the "Source".
In my results you'll see that my Desktop's Source is different to the server listed as a PDC. If I log into svr016.domain.local and run the status command again I get the following;
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0625000s
Root Dispersion: 0.3052694s
ReferenceId: 0x0A010A01 (source IP:
Last Successful Sync Time: 10/01/2014 11:46:09
Source: SVR004.domain.local
Poll Interval: 10 (1024s)

Open in new window

So you can see that my desktop sync's to svr016.domain.local (which is a DC) and this server in turn sync's to svr004.domain.local (the PDC).
Lastly, if I run the same query on the svr004.domain.local you'll see it's syncing to the external time source;
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.1253321s
ReferenceId: 0xC101DB74 (source IP:
Last Successful Sync Time: 10/01/2014 12:00:10
Poll Interval: 10 (1024s)

Open in new window

To build up a report of the status of each desktop you can add the following to your logon script;
w32tm /query /status > \\fileserver.domain.local\public\%computername%_w32tm-status.txt

Open in new window

If you've point the fileserver path to a folder where everybody has write permissions then you will get a bunch of files listed by the computer names (dktp001_w32tm-status.txt etc.)

So once you've determined that your Desktops are syncing against your domain controller correctly you can then go ahead and configure the external time source on your PDC.
To do that you can use this series of commands;
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”,,”
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
w32tm /query /status

Open in new window

Hopefully that will get you most of the way there to having accurate time throughout all your desktops.


Edit: Had the FSMO role results in the wrong place

Author Closing Comment

ID: 39787961
When I originally ran the NET TIME command from a cmd window, I got the access rights privilege error. I now realise why this happened - I didn't run cmd as an administrator. As soon as I did, it worked. The next day I checked several client PC's and they have the exact time as the server so all is working now.

Many thanks for all your advice.

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question