Non-Active Directory Time Synchronization via NTP

  • Non-Active Directory Time Synchronization via NTP

    I have a number of servers that I would like to synchronize the time to one central server so that logs and such all match up.

    I attempted to configure the NTP Server and NTP Client within group policies; however, I was unsuccessful in getting them to synchronize.

    Does anyone have any recommendations?

    My next step may be to set up a batch script to run and synchronize:
    net time \\timeserver /set /y
    Thanks. Any help will be appreciated.

  • #2
    Re: Non-Active Directory Time Synchronization via NTP

    Here's a thread on the topic (kind of):

    It should give you my 2 euro cents on how to make this work with an external (Internet) time server.


    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


    • #3
      Re: Non-Active Directory Time Synchronization via NTP

      Originally posted by bredinger
      My next step may be to set up a batch script to run and synchronize:
      net time \\timeserver /set /y
      There is one problem with this approach: because "net time" uses an RPC call to get the time from the server, you need to authenticate against the server. If you are in an AD environment and have a clock skew of more than 5 minutes, your authentication request will be refused and you will get a nice "Access denied" error.

      The proper way is to use the SNTP/NTP protocol, which is utilized by the "Windows Time Service" and is manipulated by w32tm.exe.
      SNTP does not require authentication, hence you can sync the clock regardless of the current skew on the host that wants to sync from the SNTP server.

      When configured with correct time sources, there is no need to explicitly sync the clock - the W32TM service constantly checks with the SNTP server and resyncs the clock. The default re-sync frequency depends on the computer role:
      Registry path
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

      Windows XP and Windows Server 2003

      This entry specifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000.

      Rick, in your previous post, I think you were able to log on because the workstation resynced with a DC using SNTP while you logged out and re-logged in. If we are talking about the same Fortune 500 company, the Kerberos clock skew is at its default (5 minutes).
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"