  1. #1


    Domain time settings

    Hi!!

    Can anyone help please with the clock settings on Win 2008 R2?

    The server is told via scripts to set the time on client machines.

    The client machines and the server are about 4 mins fast and this is causing problems for the staff.

    I have changed the time over and over again by running OOBE in the run command prompt.

    I then log off the server and log back on....remains fine....I then logon via my client machine...and to begin with it reports the correct time....

    However, the server goes back to being 4 mins fast and then after the next reboot my client also reverts back to being 4 mins fast.

    Even tried gpupdate /force to no avail.

    Anyone got any ideas where I'm going wrong? I think I'm on the right track, but not quite there.

    Many thanks in advance,

    Cookie

  2. #2
    IrritableTech
    Does your 2008 server sync with a time server? It sounds to me like that server is four minutes fast (or your watch is four minutes slow!).

    You can set the NTP server your 2008 server syncs with using the following commands...

    Net stop w32time
    W32tm /config /syncfromflags:manual /manualpeerlist:"x.x.x.x y.y.y.y"
    W32tm /config /reliable:yes
    Net start w32time
    W32tm /config /update
    W32tm /resync

  3. #3

    I have searched in vain to see where it may sync from..... any ideas where to look?

    I have changed the time several times in the 'date and time' window but it doesn't stay nor does it filter down to the clients....

    Is there a GUI I can use to do the above?

    If not, what do x.x.x.x y.y.y.y represent?

    thanks again

  4. #4

    bossman
    @cookie_monsta:

    Do you have a Smoothwall box?

    We do and this is synced with uk.pool.ntp.org which in turn syncs with our DC and then the clients sync from DC.

    We did used to use this app: AtomicClock on our DC

    Hope you get sorted

  5. #5
    DAZZD88
    Originally posted by cookie_monsta:
    > I have searched in vain to see where it may sync from..... any ideas where to look?

    I had to contact our LEA as they'd blocked most NTP time servers for security reasons. Ping them an email and they should be able to sort you out.

    Command I used:
    • w32tm /config /manualpeerlist:<targetservername or address> /syncfromflags:manual /reliable:yes /update


    To test communications with a target server:
    • w32tm /stripchart /computer:<target name or address> /samples:5 /dataonly

  6. #6

    Originally posted by DAZZD88:
    > I had to contact our LEA as they'd blocked most NTP time servers for security reasons. Ping them an email and they should be able to sort you out.
    >
    > Command I used:
    > • w32tm /config /manualpeerlist:<targetservername or address> /syncfromflags:manual /reliable:yes /update
    >
    > To test communications with a target server:
    > • w32tm /stripchart /computer:<target name or address> /samples:5 /dataonly

    hi Dazz..

    I know our domain is now part of our LA forest....so whether it's getting the time etc from there I'm not sure...

    I know our WSUS updates are obtained from the LA WSUS server...

    I was under the assumption I could set it (and make it stick) on our DC for to filter down to the clients......

    thanks

    @bossman.... not even sure what a smoothbox is or if we have one lol

    I looked at the link you provided....is it compatible with 2008 R2 x64?

    cheers

  7. #7
    DAZZD88
    Originally posted by cookie_monsta:
    > I was under the assumption I could set it (and make it stick) on our DC for to filter down to the clients......

    If you issue the reliable switch then yes, this is/should be true. It's working here.

  8. #8

    Originally posted by DAZZD88:
    > If you issue the reliable switch then yes, this is/should be true. It's working here.

    Should I set the time I want in the date and time window before running the command given at command prompt?

  9. #9


    If you are in a forest then won't all the clocks throughout the subdomain have to be identical to the "master domain" clock, and any attempt to change this will fail (same as changing a workstation clock will work until it decides to check what time the server thinks it is)?

  10. #10
    DAZZD88
    No because as soon as you issue that command then whatever date and time was set beforehand, will be overwritten.

  11. #11

    bossman
    Originally posted by cookie_monsta:
    > @bossman.... not even sure what a smoothbox is or if we have one lol
    >
    > I looked at the link you provided....is it compatible with 2008 R2 x64?
    >
    > cheers

    Smoothwall box is our own firewall or as you would probably call it a Proxy server.

    As you have stated you're part of a forest which is centralised via your LA then it is these guys you need to speak to as they obviously have something wrong upstream as the time sync will come from the master controller of the forest which will sync with the outside world and then all the domains should automatically sync from this.

    Get in touch with other schools which are part of the LA forest and see if they are having the same problems, if not then it could be your DC which is not syncing properly which will need to be looked at.

    A little light reading for you: http://technet.microsoft.com/en-us/l...13(WS.10).aspx

    Pulled a little out for you:

    NTP Security
    Within an AD DS forest, the Windows Time service relies on standard domain security features to enforce the authentication of time data. The security of NTP packets that are sent between a domain member computer and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the computer’s Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer’s session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log. In this way, the Windows Time service provides security for NTP data in an AD DS forest.

    Generally, Windows time clients automatically obtain accurate time for synchronization from domain controllers in the same domain. In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed by means of a Kerberos session key defined by an interdomain trust account. The interdomain trust account is created when a new AD DS domain joins a forest, and the Net Logon service manages the session key. In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all of the domain controllers in both the parent and child domains, and indirectly for all computers located in the domain tree.

    The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure. For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer and the time service must be configured to use a specific time source located in the other forest. If a client is manually configured to access time from an NTP server outside of its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated, and therefore are not secure. Even with the implementation of forest trusts, the Windows Time service is not secure across forests. Although the Net Logon secure channel is the authentication mechanism for the Windows Time service, authentication across forests is not supported.

    Good luck with the LA
    Last edited by bossman; 28th September 2011 at 01:48 PM.
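
An added example, not part of any poster's reply: a PowerShell check of where a machine's Windows Time service gets its time, and whether that path is the authenticated domain hierarchy described in the TechNet text quoted above. It assumes an elevated prompt on Windows Server 2008 R2 or later and the stripchart sample format noted in the comments.

```powershell
# Added example (not from the thread). Run elevated on the DC or on a client.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params = Get-ItemProperty -Path $key
$type   = $params.Type        # NT5DS, NTP, AllSync or NoSync
$peers  = $params.NtpServer   # e.g. "host,0x8 host2,0x8" when a peer list is set

# DomainRole: 1 = member workstation, 3 = member server,
#             4 = domain controller, 5 = DC holding the PDC emulator role
$role   = (Get-WmiObject Win32_ComputerSystem).DomainRole
$source = (& w32tm /query /source | Out-String).Trim()

"Domain role         : $role"
"Sync type           : $type"
"Configured NtpServer: $peers"
"Live source         : $source"

switch ($type) {
    'NT5DS'   { 'Following the domain hierarchy: replies are signed with the Net Logon session key.' }
    'NTP'     { 'Using the manual peer list: peers outside the domain hierarchy are not authenticated.' }
    'AllSync' { 'Using hierarchy and manual peers: peers outside the hierarchy are not authenticated.' }
    'NoSync'  { 'Not syncing with anything: the clock will drift.' }
}

# Measure the offset against each configured peer with the stripchart command from the thread.
# Assumed /dataonly sample format: "13:45:00, +00.0123456s"; error lines carry no offset.
foreach ($entry in ($peers -split '\s+' | Where-Object { $_ })) {
    $peer    = ($entry -split ',')[0]     # drop the ",0x.." flags
    $offsets = @()
    foreach ($line in (& w32tm /stripchart "/computer:$peer" /samples:5 /dataonly)) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { $offsets += [double]$Matches[1] }
    }
    if ($offsets.Count -eq 0) {
        "${peer}: no samples (blocked or unreachable)"
    } else {
        $avg = ($offsets | Measure-Object -Average).Average
        "{0}: average offset {1:N3} s over {2} samples" -f $peer, $avg, $offsets.Count
    }
}

# Recent time-service warnings and errors from the System log; the quoted text says
# authentication failures are logged in the Event Log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A live source that differs from the configured peer list, or a sync type of NT5DS on a DC in a child domain, points to the parent domain as the place the four-minute offset is coming from.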

  12. #12

    'light reading'??? lol.... I'll give it a go one day...

    I tried what Dazz recommended....and hey presto....so far so good...

    knowing my luck...my server will try and sync with the LA server and then my time will go back to being 4 mins fast lol

    if it does...to the hell of it... I've more important gumpff to worry about with server 2008 R2 ..... and my lack of knowledge of it.

    so watch out for new threads and I will thank you in advance for your help
