

Syncing local machines with server time

Posted on 2014-01-10
Medium Priority
Last Modified: 2014-01-17
Hi all,

We are trying to sync all the machines on the network with the time on the server through a logon script; however, it isn't working.

When testing the command manually through cmd, we get what is shown in the image.

The server time is being set using Atomic Clock Sync.
Question by:cbapartnership
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39770624
As long as you've joined the machines to the domain and have not customized the default settings in the OS (by group policy or other) time syncing is automatic. Client OSes joined to a domain use the windows time service and regularly sync to a domain controller. This happens even when users are not logged in, so a logon script is rather superfluous.
LVL 20

Expert Comment

ID: 39770626
The user must be granted the permission to change the system's time.

Author Comment

ID: 39770647
Thanks for your quick responses.

I agree, the client OSes should be automatic but they are out of time by a couple of minutes so something is not working. So to get around this, I want to use Atomic Clock Sync. I used to use it on a previous Windows SBS 2003 server and I didn't have any problems. I suspect that our new SBS 2011 server may have tighter access rights security.

We use a logon script to map drives and it made sense to just put the "Net Time" command in there as well.

Can you tell me if I need to change the user permission to change the time on all the PCs or can I do it just from the server?

LVL 20

Assisted Solution

strivoli earned 450 total points
ID: 39770653
You must grant "Change the system time" permission to the user on all PCs. Do that on one PC and see what happens. After you've seen it's what you want, you can do the change using GPO which will affect all PCs.
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 450 total points
ID: 39770654
If the windows time service is not syncing clients then net time will fail as well. They both use the same underlying architecture. You need to troubleshoot the cause of the sync failing. Not the symptom. Or you'll find you have the same problem because the root cause is still there.

Using an atomic clock app on the server to which the clients sync is fine. I personally think it is unnecessary, but it is still fine. The problem is the client syncing mechanism. And again, unless you are installing atomic sync on all the clients, net time uses the same communications and protocols as the windows time service, so your efforts to script it are reinventing the wheel. A wheel that, in your case, is broken and that you are trying to replace with another broken wheel.

Accepted Solution

Red-King earned 600 total points
ID: 39770764
As the others have mentioned it is best to configure your domain controller to sync its time from an external source and then get your desktops syncing against that.
Trying to set all desktops to sync from an external source will use up bandwidth on your WAN link and you'll probably still have a number of PCs that are reporting an inaccurate time as they cannot connect to the external source for some reason.

You need to determine where your PCs are currently getting their time.
You mentioned you're using an SBS 2011 server which is essentially a Windows 2008 R2 server.

Here are some commands you can run from a command line on a desktop PC that will help you find any errors.
(Run the command prompt as an administrator for some of these to work)

Firstly find your Primary Domain Controller (PDC). This should be your SBS 2011 server;
netdom query fsmo

You'll get some output like this;
Schema master               SVR004.domain.local
Domain naming master        SVR004.domain.local
PDC                         SVR004.domain.local
RID pool manager            SVR004.domain.local
Infrastructure master       SVR004.domain.local
The command completed successfully.


Next find where the desktop is getting its time from (I'm running this on Windows 8.1 but you should get much the same results);
w32tm /query /status


This should give you some output like this;
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0937500s
Root Dispersion: 0.3542354s
ReferenceId: 0x0A010A03 (source IP:
Last Successful Sync Time: 10/01/2014 11:36:22
Source: svr016.domain.local
Poll Interval: 11 (2048s)


Note the "Last Successful Sync Time" and the "Source".
In my results you'll see that my Desktop's Source is different to the server listed as a PDC. If I log into svr016.domain.local and run the status command again I get the following;
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0625000s
Root Dispersion: 0.3052694s
ReferenceId: 0x0A010A01 (source IP:
Last Successful Sync Time: 10/01/2014 11:46:09
Source: SVR004.domain.local
Poll Interval: 10 (1024s)


So you can see that my desktop syncs to svr016.domain.local (which is a DC) and this server in turn syncs to svr004.domain.local (the PDC).
Lastly, if I run the same query on the svr004.domain.local you'll see it's syncing to the external time source;
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.1253321s
ReferenceId: 0xC101DB74 (source IP:
Last Successful Sync Time: 10/01/2014 12:00:10
Source: 1.ie.pool.ntp.org,0x1
Poll Interval: 10 (1024s)


To build up a report of the status of each desktop you can add the following to your logon script;
w32tm /query /status > \\fileserver.domain.local\public\%computername%_w32tm-status.txt


If you've pointed the fileserver path to a folder where everybody has write permissions then you will get a bunch of files listed by the computer names (dktp001_w32tm-status.txt etc.)

So once you've determined that your Desktops are syncing against your domain controller correctly you can then go ahead and configure the external time source on your PDC.
To do that you can use this series of commands;
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
w32tm /query /status


Hopefully that will get you most of the way there to having accurate time throughout all your desktops.


Edit: Had the FSMO role results in the wrong place
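
An added example, not part of the thread or of the answer above: once the logon-script line has filled the share with computername_w32tm-status.txt files, a PowerShell pass like this flags desktops whose Source is not a domain controller or whose last successful sync is old. The DC list, the 8-hour threshold, the fixed "now", the dd/MM/yyyy date format and the three sample reports are assumptions constructed for illustration.

```powershell
# Assumptions (not from the thread): DC list, staleness threshold, fixed "now" for the sample.
$domainControllers = 'svr004.domain.local', 'svr016.domain.local'
$maxAge  = New-TimeSpan -Hours 8
$now     = [datetime]'2014-01-10T12:30:00'   # use (Get-Date) against real reports
$dateFmt = 'dd/MM/yyyy HH:mm:ss'             # as in the output above; depends on the client locale
$inv     = [Globalization.CultureInfo]::InvariantCulture
$none    = [Globalization.DateTimeStyles]::None

function Test-TimeReport([string]$Name, [string]$Text) {
    # The share is writable by everyone, so treat each file as untrusted text: parse it, never execute it.
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "Key: value" - split on the first colon only, because the timestamp contains more colons.
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $issues = @()
    $source = $fields['Source']
    if (-not $source) {
        $issues += 'no Source line'
    } elseif ($domainControllers -notcontains ($source -replace ',0x[0-9a-f]+$', '')) {
        # -notcontains is case-insensitive, so SVR004 and svr004 compare equal.
        $issues += 'source is not a listed DC'
    }
    $synced = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact([string]$fields['Last Successful Sync Time'], $dateFmt, $inv, $none, [ref]$synced)
    if (-not $parsed) { $issues += 'never synced or unparseable time' }
    elseif (($now - $synced) -gt $maxAge) { $issues += 'last sync is stale' }

    New-Object PSObject -Property @{
        Computer = $Name -replace '_w32tm-status\.txt$', ''
        Source   = $source
        Issues   = $issues -join '; '
    } | Select-Object Computer, Source, Issues
}

# Constructed sample reports, trimmed to the two fields used and named as the logon-script line names them.
$samples = @{
    'dktp001_w32tm-status.txt' = "Last Successful Sync Time: 10/01/2014 11:36:22`nSource: svr016.domain.local"
    'dktp002_w32tm-status.txt' = "Last Successful Sync Time: unspecified`nSource: Local CMOS Clock"
    'dktp003_w32tm-status.txt' = "Last Successful Sync Time: 08/01/2014 09:12:40`nSource: SVR004.domain.local"
}
$samples.GetEnumerator() | ForEach-Object { Test-TimeReport $_.Key $_.Value } |
    Sort-Object Computer | Format-Table -AutoSize

# Real reports: Get-ChildItem <share>\*_w32tm-status.txt |
#     ForEach-Object { Test-TimeReport $_.Name (Get-Content $_.FullName | Out-String) }
```

An empty Issues column means the desktop reported a listed domain controller as its source and synced within the threshold.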

Author Closing Comment

ID: 39787961
When I originally ran the NET TIME command from a cmd window, I got the access rights privilege error. I now realise why this happened - I didn't run cmd as an administrator. As soon as I did, it worked. The next day I checked several client PCs and they have the exact time as the server so all is working now.

Many thanks for all your advice.
