Configure Time source

I have a Windows domain; is it possible to force all client computers to use a designated time source? I have a PDC obtaining clock from an outside source.
If I type the command net time on various client computers I get different results: other clients are providing the clock, not the PDC.
If I add the /domain to net time it will display the PDC. What I would like to achieve is... if any client executes the net time command, I would like it to display the PDC's hostname.

Thanks Paul
Paul Martinez, Systems Administrator, Asked:

Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
It just so happens I have old scratch notes from the last time I fixed this in a domain; I'll try to sum them up quickly below:

net time - local time and possible NTP time source should be returned.
net time /DOMAIN:domainname - check the time on the domain.
net time /querysntp - returns your Network Time Server, if any is configured (should be if you are in a domain env.).


The commands I used were quick and dirty so I could just dump them into an administrative command prompt on each system after RDPing to that system.

So these could be made nicer by quite a bit, but they get the job done.

This was to set External time on the PDC:


net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status&ECHO.&ECHO.*--*&ECHO.&w32tm /config /manualpeerlist:time.nist.gov /syncfromflags:manual /reliable:yes /update&SC STOP W32Time&SC queryex W32Time&SC START W32Time&ECHO.&ECHO.*--*&ECHO.&net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status


This was to set up the client systems to fix their time to use the domain time.

net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status&ECHO.&ECHO.*--*&ECHO.&w32tm /config /syncfromflags:domhier /update&SC STOP W32Time&SC queryex W32Time&SC START W32Time&ECHO.&ECHO.*--*&ECHO.&net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status

0

oBdA Commented:
I've said that before and I'll repeat it here: Just forget about the "net time" command altogether. It dates back to NetBIOS. It's so old, it's not even deprecated anymore, it's desiccated and turned to dust. Just ... forget it. Don't use it. Strike it from your memory, never to be used anymore. At all. Bury it under more useful information, may it rest in peace. Don't issue that command, and if you do, ignore what it shows. (Unless you happen to sit at an NT4 machine, which you don't, and probably never will anymore).
Use w32tm.exe instead.
Windows configures the time source automatically, correctly, all by itself, since Windows 2000 (because time synchronization is a vital part of the AD logon). The "Type" value obtained by "w32tm.exe /dumpreg /subkey:Parameters" should be "NT5DS" (which is the default once joined to a domain), and should stay at that on all domain members, except obviously for the DC that syncs with the external source. One exception where the time service would need to be reconfigured are notebooks that don't connect to AD for extended periods of time. These should be set to "/syncfromflags:ALL" with w32tm.exe (will show up as type "AllSync"); this will make the time service search for a DC first, and if none is available, use the ntp server specified.
There is usually no need at all to interfere with the time service on domain members. In short: a domain member will sync with the DC that it authenticated against, and DCs will sync with the PDC Emulator.
0
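
A way to check the settings described in this answer on a domain member, as an added example that is not code from the thread. It parses the output of `w32tm.exe /dumpreg /subkey:Parameters` and `w32tm.exe /query /source`; the function name `Test-TimeClientConfig` and the `-Roaming` switch are made up for this example, and the `/dumpreg` output is assumed to be laid out as name, type, data.

```powershell
# Added example: audit a domain member's time client configuration.
# Test-TimeClientConfig and -Roaming are hypothetical names for this sketch.
function Test-TimeClientConfig {
    param(
        # Set for notebooks that stay off the domain for long periods (AllSync expected).
        [switch]$Roaming
    )

    $expected = if ($Roaming) { 'AllSync' } else { 'NT5DS' }

    # /dumpreg prints one line per value: <name> <REG_type> <data> (assumed layout).
    $dump = & w32tm.exe /dumpreg /subkey:Parameters 2>&1
    $type = $null
    foreach ($line in $dump) {
        if ("$line" -match '^\s*Type\s+REG_SZ\s+(\S+)') { $type = $Matches[1]; break }
    }

    # /query /source needs a running service, so check the service first.
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $source = $null
    if ($svc -and $svc.Status -eq 'Running') {
        $source = "$(& w32tm.exe /query /source 2>&1 | Select-Object -First 1)".Trim()
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Type          = $type
        ExpectedType  = $expected
        TypeOk        = ($type -eq $expected)
        Source        = $source
        # "Local CMOS Clock" / "Free-running System Clock" mean no sync partner is in use.
        HasPeer       = [bool]($source -and $source -notmatch 'CMOS Clock|Free-running')
    }
}

Test-TimeClientConfig | Format-List
```

Run it from an elevated prompt on the client; the DC that syncs with the external source is expected to report a different Type, as the answer notes.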
Mahesh, Architect, Commented:
Run the below command on affected clients manually / through GPO and it all should be set, as long as the PDC is able to receive time correctly from the external time source:

w32tm /config /syncfromflags:domhier /update

After that, run the below commands on the clients for verification:

w32tm /query /status
w32tm /query /source
0
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
Let me expand upon that because I did have the expanded versions of the commands.

Note that I mentioned Net TIME /QuerySNTP above but I'm not using it in the commands, because it was deprecated in the newer OSs, and the w32tm.exe command is used instead.

If you are using older systems you could replace this with the Net time commands again.

So here is the client portion expanded because it's the part you really need:

Rem ##### Check Local and Domain Time, followed by NTP Client's config
net time
net time /DOMAIN:%UserDNSDomain%

REM ##### Get NTP Client config
w32tm.exe /query /status

REM ##### Echo a division to make the next section clear on the review of the results in the cmd prompt. 
ECHO.
ECHO.*--*
ECHO.

REM ##### Change the Local client NTP service to use Domain Hierarchy.
w32tm /config /syncfromflags:domhier /update

REM ##### Stop the Time service, query it, then start it again.
SC STOP W32Time
SC queryex W32Time
SC START W32Time

REM ##### Echo a division to make the above section clear on the review of the results in the cmd prompt. 
ECHO.
ECHO.*--*
ECHO.

Rem ##### Check Local and Domain Time, followed by NTP Client's config
net time
net time /DOMAIN:%UserDNSDomain%

REM ##### Get NTP Client config
w32tm.exe /query /status


Then here it is again, back as a single line so you can dump into a command prompt to test and do the changes by hand.

net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status&ECHO.&ECHO.*--*&ECHO.&w32tm /config /syncfromflags:domhier /update&SC STOP W32Time&SC queryex W32Time&SC START W32Time&ECHO.&ECHO.*--*&ECHO.&net time&net time /DOMAIN:%UserDNSDomain%&w32tm.exe /query /status


You can take the commands out of here that you like and put them in a script and apply it via GPO too if you like.
0
Mahesh, Architect, Commented:
One more thing:
If you have multiple domain controllers in a given AD site / location, it is quite possible that clients can get time from domain controllers other than the PDC server.

The PDC has final authority and most of the time other DCs will collect time from the PDC; however, they can receive time from other DCs in the same site as long as the time difference is within accepted limits.
0
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
@Mahesh, DCs should all be in lock-step for time; if they are not, it can lead to replication issues.

DCs need to have the same DomHier command I posted above run on them as well.

Only the designated NTP server (The DC holding this role) should be configured differently, and it should be configured to go to proper external sources.
0
oBdA Commented:
Ben,
there's no need to restart the time service when using /update; and to restart a service on the fly, sc.exe is not the best tool anyway - it sends the Stop signal to the service and then returns immediately, no matter how the service reacts. If the service needs some time to stop, the "sc.exe start" may be sent before it's fully stopped. "net.exe stop W32Time" is better in most cases.
To resync the time, a /resync /rediscover will do instead of the service restart.
So this will be enough:
w32tm.exe /config /syncfromflags:domhier /update
w32tm.exe /resync /rediscover

But again, this shouldn't be necessary at all. Windows does that as soon as it joins a domain.
Or you can force it with a group policy (but don't forget the notebooks I mentioned above, which might require the AllSync).
One of the many descriptions:
Time Synchronization in Active Directory Forests
https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
0
Mahesh, Architect, Commented:
The PDC has topmost authority; however, all domain controllers advertise themselves as time sources within the hierarchy, and they can serve a request for time if one comes in. The link below has diagrams and the source determination logic:
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works
The domhier command needs to be run on other DCs if your PDC role holder server changes, so that they get notified about the change quickly
OR
if DC have any issues syncing time
0
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
@Mahesh

if DC have any issues syncing time

Which was the scenario you suggested above and I replied to.

If you are seeing that your DCs are not lock-step in time-sync, you need to re-run the domain hierarchy command, then all DCs will update themselves from the PDC, and no matter which response to your client machine it will be the same time.

Does that clear it up for you?


@ODBA

  I did preface this noting I was posting the quick and dirty set of commands I wrote to do the needful that came to be as we had a domain time issue..IE you could pretty them up and make a nicer script, these just get done what needs doing.

As for needing to restart the Time service versus using
w32tm.exe /resync /rediscover

When using this command my notes show most of the systems we ran it on did not update their time until the time service was restarted. Some were throwing the error "The computer did not resync because no time data was available"; some just didn't, silently.

I'm well aware of the fact SC completes immediately.  

Normally I write a loop to query the status or occasionally use the slower net stop and net start methods, even though SC is the replacement for them.

 However the NTP client service is not the sort of service that can hang on stopping, it's incredibly lightweight, with no blocker processes, and simply running the SC Query as the next line gives it enough time to ensure it is stopped.

  In the extremely unlikely event it didn't stop in time, that's why all the output is separated out so you can quickly peruse the results once you come back to the CMD prompt after pasting this into a dozen servers.

  It's a small change and based off 500 systems not necessary, but it can simply be changed to
NET STOP "" && NET START ""

0
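
The restart-and-resync sequence debated in the last few comments, as an added example that is not from the thread: it waits for the service to report Stopped before starting it again, then resyncs and reports the source. The function name `Restart-TimeClient` and the 30-second timeout are choices made for this example.

```powershell
# Added example: restart W32Time only after it has really stopped, then resync.
# Restart-TimeClient and the timeout value are hypothetical choices for this sketch.
function Restart-TimeClient {
    param([int]$TimeoutSeconds = 30)

    $svc = Get-Service -Name W32Time -ErrorAction Stop
    $timeout = New-TimeSpan -Seconds $TimeoutSeconds

    # Same setting as in the thread: follow the domain hierarchy.
    & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

    if ($svc.Status -ne 'Stopped') {
        $svc.Stop()
        # Unlike "sc stop", block here until the service reports Stopped
        # (throws System.ServiceProcess.TimeoutException if it does not).
        $svc.WaitForStatus('Stopped', $timeout)
    }
    $svc.Start()
    $svc.WaitForStatus('Running', $timeout)

    # Resync and keep both the exit code and the message text for review.
    $resync = & w32tm.exe /resync /rediscover 2>&1
    $resyncExit = $LASTEXITCODE

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Service    = (Get-Service -Name W32Time).Status.ToString()
        ResyncExit = $resyncExit
        Resync     = ($resync | Out-String).Trim()
        Source     = "$(& w32tm.exe /query /source 2>&1 | Select-Object -First 1)".Trim()
    }
}

Restart-TimeClient | Format-List
```

It needs an elevated prompt, and the returned object can be collected from several machines and compared instead of reading pasted console output.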
Mahesh, Architect, Commented:
@Ben:
Yeah! That's correct.
1
Paul Martinez, Systems Administrator, Author, Commented:
To all,
I just want to say thanks, I am new to the experts exchange and impressed. The fast response and technical advice is what I have been lacking for 30 years. I hope to become an asset to the community. After reviewing the comments I attempted to apply some of the commands and discovered on my client machine the w32tm service is not running. The service is set to automatic but does not start. The error states it cannot be found. Some commands worked, like the reg dump (makes sense); however, the service is not running. I am not sure of any recent changes except Windows updates. The comments about net time being old helped to keep the director informed.

Is there any reason the w32tm service could get corrupt or missing?
Paul
1
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
Hi Paul!

  Glad we can be of help and that it's been received so well. :)

  There are basically only three options for how this service could be corrupted.

A) Hardware issues with System Disk (Most Likely)

B) Malicious or accidental Deletion (Highly unlikely as there are caches of the file and it would be really tough to do)

C) A Virus corrupted the File and your AV quarantined it at some point.
0
oBdA Commented:
Try to reset the time service; ignore errors from the first two commands:
net.exe stop W32Time
w32tm.exe /unregister
w32tm.exe /register
net.exe start W32Time

0
Paul Martinez, Systems Administrator, Author, Commented:
After executing the various commands posted, I got the desired results.
The client is getting clock from the PDC.

Thanks to everyone.
1
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
Glad to help :)
0