
Thread: Net time on login script

  1. #1
    Marc S Guest

    Net time on login script

    Prior consultants put the "net time" command into a login script.

    net time \\servername / set /y (the server name is the correct one)

    I get an error when the script runs that the option is unavailable. The
    Syntax looks wrong in the script.

    Before I spend any time to fix this, does this need to be in the Login Script?

  2. #2
    Ace Fekay [MVP] Guest

    Re: Net time on login script

    In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
    Marc S <MarcS@discussions.microsoft.com> typed:
    > Prior consultants put the "net time" command into a login script.
    >
    > net time \\servername / set /y (the server name is the correct one)
    >
    > I get an error when the script runs that the option is unavailable.
    > The Syntax looks wrong in the script.
    >
    > Before I spend any time to fix this, does this need to be in the
    > Login Script?


    Nope. Not needed. All domain members will get their time sync from the DC
    that holds the PDC Emulator Role by default. Nothing else to configure on
    the client or other servers. However you would want to do a one shot time
    config on the DC that holds the PDC Emulator role. This was designed this
    way to insure time is properly set across the domain because AD uses
    Kerberos for authentication, which uses a time stamp in the authentication
    stream as a 'salt' to insure the authentication traffic is not replayed.
    Kerberos only allows a 5 minute skew otherwise authentication will fail,
    people can't logon, Exchange fails... the list goes on.

    Assuming you are running Windows 2003 (different for 2000):

    net stop w32time
    net time /setsntp:192.5.41.41
    net start w32time

    Make sure UDP 123 is allowed access in your firewall from that IP to the DC
    holding the PDC Emulator role. That IP is one of the Navy time servers.

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
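
An added example, not part of any post in this thread: the post above ties SNTP time sync (UDP 123) to the Kerberos 5-minute skew limit, and this sketch parses a 48-byte SNTP server reply, computes the clock offset, and compares it to that limit. The function names `build_reply` and `clock_offset` are hypothetical, and the reply is constructed in code so the example runs offline.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300        # the 5-minute tolerance mentioned in the post

def _to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point, network order)."""
    ntp = unix_ts + NTP_EPOCH_DELTA
    sec = int(ntp)
    return struct.pack("!II", sec, int((ntp - sec) * 2**32))

def _from_ntp(raw):
    """64-bit NTP timestamp -> Unix seconds as a float."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def build_reply(t1, t2, t3, mode=4, stratum=1):
    """Constructed SNTP reply (LI=0, VN=3) used as sample input; not captured traffic."""
    pkt = struct.pack("!BBbb", (3 << 3) | mode, stratum, 6, -20)
    pkt += bytes(12)             # root delay, root dispersion, reference ID
    pkt += _to_ntp(t2)           # reference timestamp (reused for the sample)
    return pkt + _to_ntp(t1) + _to_ntp(t2) + _to_ntp(t3)

def clock_offset(reply, t4):
    """Return (offset_seconds, within_kerberos_skew) for a reply received at local time t4."""
    if len(reply) < 48:
        raise ValueError("SNTP reply must be at least 48 bytes")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:    # not a server reply, or a kiss-of-death packet
        raise ValueError("unusable reply (mode %d, stratum %d)" % (mode, stratum))
    t1 = _from_ntp(reply[24:32])     # originate: client send time echoed by the server
    t2 = _from_ntp(reply[32:40])     # receive: server clock when the request arrived
    t3 = _from_ntp(reply[40:48])     # transmit: server clock when the reply left
    offset = ((t2 - t1) + (t3 - t4)) / 2   # positive means the local clock is behind
    return offset, abs(offset) <= KERBEROS_MAX_SKEW

if __name__ == "__main__":
    t1 = 1_000_000_000.0             # constructed local send time
    # Constructed case: server clock 400 s ahead, 10 ms network delay each way.
    reply = build_reply(t1, t1 + 400.010, t1 + 400.011)
    print(clock_offset(reply, t1 + 0.021))
```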



  3. #3
    Marc S Guest

    Re: Net time on login script



    "Ace Fekay [MVP]" wrote:

    > In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
    > Marc S <MarcS@discussions.microsoft.com> typed:
    > > Prior consultants put the "net time" command into a login script.
    > >
    > > net time \\servername / set /y (the server name is the correct one)
    > > I get an error when the script runs that the option is unavailable.
    > > The Syntax looks wrong in the script.
    > >
    > > Before I spend any time to fix this, does this need to be in the
    > > Login Script?

    >
    > Nope. Not needed. All domain members will get their time sync from the DC
    > that holds the PDC Emulator Role by default. Nothing else to configure on
    > the client or other servers. However you would want to do a one shot time
    > config on the DC that holds the PDC Emulator role. This was designed this
    > way to insure time is properly set across the domain because AD uses
    > Kerberos for authentication, which uses a time stamp in the authentication
    > stream as a 'salt' to insure the authentication traffic is not replayed.
    > Kerberos only allows a 5 minute skew otherwise authentication will fail,
    > people can't logon, Exchange fails... the list goes on.
    >
    > Assuming you are running Windows 2003 (different for 2000):
    >
    > net stop w32time
    > net time /setsntp:192.5.41.41
    > net start w32time
    >
    > Make sure UDP 123 is allowed access in your firewall from that IP to the DC
    > holding the PDC Emulator role. That IP is one of the Navy time servers.
    >
    > --
    > Regards,
    > Ace
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    > MVP Microsoft MVP - Directory Services
    > Microsoft Certified Trainer
    >
    > Infinite Diversities in Infinite Combinations



    How can I see if the "one time shot" was already set up on a Domain
    Controller, before I run the net time you suggested?

    If I have three Domain Controllers, will this be done on all three. Or only
    one is the main Time Server?




  4. #4
    net_admin Guest

    Re: Net time on login script

    http://support.microsoft.com/kb/816042


    --
    NetAdmin <São Paulo, BR>



    "Marc S" wrote:

    >
    >
    > "Ace Fekay [MVP]" wrote:
    >
    > > In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
    > > Marc S <MarcS@discussions.microsoft.com> typed:
    > > > Prior consultants put the "net time" command into a login script.
    > > >
    > > > net time \\servername / set /y (the server name is the correct one)
    > > > I get an error when the script runs that the option is unavailable.
    > > > The Syntax looks wrong in the script.
    > > >
    > > > Before I spend any time to fix this, does this need to be in the
    > > > Login Script?

    > >
    > > Nope. Not needed. All domain members will get their time sync from the DC
    > > that holds the PDC Emulator Role by default. Nothing else to configure on
    > > the client or other servers. However you would want to do a one shot time
    > > config on the DC that holds the PDC Emulator role. This was designed this
    > > way to insure time is properly set across the domain because AD uses
    > > Kerberos for authentication, which uses a time stamp in the authentication
    > > stream as a 'salt' to insure the authentication traffic is not replayed.
    > > Kerberos only allows a 5 minute skew otherwise authentication will fail,
    > > people can't logon, Exchange fails... the list goes on.
    > >
    > > Assuming you are running Windows 2003 (different for 2000):
    > >
    > > net stop w32time
    > > net time /setsntp:192.5.41.41
    > > net start w32time
    > >
    > > Make sure UDP 123 is allowed access in your firewall from that IP to the DC
    > > holding the PDC Emulator role. That IP is one of the Navy time servers.
    > >
    > > --
    > > Regards,
    > > Ace
    > >
    > > This posting is provided "AS-IS" with no warranties or guarantees and
    > > confers no rights.
    > >
    > > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    > > MVP Microsoft MVP - Directory Services
    > > Microsoft Certified Trainer
    > >
    > > Infinite Diversities in Infinite Combinations

    >
    >
    > How can I see if the "one time shot" was already set up on a Domain
    > Controller, before I run the net time you suggested?
    >
    > If I have three Domain Controllers, will this be done on all three. Or only
    > one is the main Time Server?
    >
    >
    >


  5. #5
    Ace Fekay [MVP] Guest

    Re: Net time on login script

    In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,
    Marc S <MarcS@discussions.microsoft.com> typed:

    >
    > How can I see if the "one time shot" was already set up on a Domain
    > Controller, before I run the net time you suggested?
    >
    > If I have three Domain Controllers, will this be done on all three.
    > Or only one is the main Time Server?


    You can do it over and over again and again. It won't hurt. It just sets it
    to whatever you set it to. Or look in the reg like that article shows.

    Ace



  6. #6
    Marc S Guest

    Re: Net time on login script



    "Ace Fekay [MVP]" wrote:

    > In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,
    > Marc S <MarcS@discussions.microsoft.com> typed:
    >
    > >
    > > How can I see if the "one time shot" was already set up on a Domain
    > > Controller, before I run the net time you suggested?
    > >
    > > If I have three Domain Controllers, will this be done on all three.
    > > Or only one is the main Time Server?

    >
    > You can do it over and over again and again. It won't hurt. It just sets it
    > to whatever you set it to. Or look in the reg like that article shows.
    >
    > Ace
    >


    Perfect. Thanks so much.

  7. #7
    Ace Fekay [MVP] Guest

    Re: Net time on login script

    In news:F7D732D9-FA92-4CA0-AF95-8877757246A9@microsoft.com,
    Marc S <MarcS@discussions.microsoft.com> typed:
    > Perfect. Thanks so much.


    My pleasure.


