Net time on login script

[Guest Marc S]

Prior consultants put the "net time" command into a login script.

 

net time \\servername / set /y (the server name is the correct one)

 

I get an eror when the script runs that the option is unavailable. The

Syntax looks wrong in the script.

 

Before I spend any time to fix this, does this need to be in the Login Script?

[Guest Ace Fekay [MVP]]

Re: Net time on login script

 

In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,

Marc S <MarcS@discussions.microsoft.com> typed:

> Prior consultants put the "net time" command into a login script.

>

> net time \\servername / set /y (the server name is the correct one)

>

> I get an eror when the script runs that the option is unavailable.

> The Syntax looks wrong in the script.

>

> Before I spend any time to fix this, does this need to be in the

> Login Script?

 

Nope. Not needed. All domain members will get their time sync from the DC

that holds the PDC Emulator Role by default. Nothing else to configure on

the client or other servers. However you would want to do a one shot time

config on the DC that holds the PDC Emulator role. This was designed this

way to insure time is properly set across the domain because AD uses

Kerberos for authentication, which uses a time stamp in the authentication

stream as a 'salt' to insure the authentication traffic is not replayed.

Kerberos only allows a 5 minute skew otherwise authentication will fail,

people can't logon, Exchange fails... the list goes on.

 

Assuming you are running Windows 2003 (different for 2000):

 

net stop w32time

net time /setsntp:192.5.41.41

net start w32time

 

Make sure UDP 123 is allowed access in your firewall from that IP to the DC

holding the PDC Emulator role. That IP is one of the Navy time servers.

 

--

Regards,

Ace

 

This posting is provided "AS-IS" with no warranties or guarantees and

confers no rights.

 

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

MVP Microsoft MVP - Directory Services

Microsoft Certified Trainer

 

Infinite Diversities in Infinite Combinations

[Guest Marc S]

Re: Net time on login script

 

 

 

"Ace Fekay [MVP]" wrote:

> In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,

> Marc S <MarcS@discussions.microsoft.com> typed:

> > Prior consultants put the "net time" command into a login script.

> >

> > net time \\servername / set /y (the server name is the correct one)

> > I get an eror when the script runs that the option is unavailable.

> > The Syntax looks wrong in the script.

> >

> > Before I spend any time to fix this, does this need to be in the

> > Login Script?

>

> Nope. Not needed. All domain members will get their time sync from the DC

> that holds the PDC Emulator Role by default. Nothing else to configure on

> the client or other servers. However you would want to do a one shot time

> config on the DC that holds the PDC Emulator role. This was designed this

> way to insure time is properly set across the domain because AD uses

> Kerberos for authentication, which uses a time stamp in the authentication

> stream as a 'salt' to insure the authentication traffic is not replayed.

> Kerberos only allows a 5 minute skew otherwise authentication will fail,

> people can't logon, Exchange fails... the list goes on.

>

> Assuming you are running Windows 2003 (different for 2000):

>

> net stop w32time

> net time /setsntp:192.5.41.41

> net start w32time

>

> Make sure UDP 123 is allowed access in your firewall from that IP to the DC

> holding the PDC Emulator role. That IP is one of the Navy time servers.

>

> --

> Regards,

> Ace

>

> This posting is provided "AS-IS" with no warranties or guarantees and

> confers no rights.

>

> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

> MVP Microsoft MVP - Directory Services

> Microsoft Certified Trainer

>

> Infinite Diversities in Infinite Combinations

 

 

How can I see if the "one time shot" was already setup on a Domain

Controller, before I run the net time you suggested?

 

If I have three Domain Controllers, will this be done on all three. Or only

one is the main Time Server?

[Guest net_admin]

Re: Net time on login script

 

http://support.microsoft.com/kb/816042

 

 

--

NetAdmin <São Paulo, BR>

 

 

 

"Marc S" wrote:

>

>

> "Ace Fekay [MVP]" wrote:

>

> > In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,

> > Marc S <MarcS@discussions.microsoft.com> typed:

> > > Prior consultants put the "net time" command into a login script.

> > >

> > > net time \\servername / set /y (the server name is the correct one)

> > > I get an eror when the script runs that the option is unavailable.

> > > The Syntax looks wrong in the script.

> > >

> > > Before I spend any time to fix this, does this need to be in the

> > > Login Script?

> >

> > Nope. Not needed. All domain members will get their time sync from the DC

> > that holds the PDC Emulator Role by default. Nothing else to configure on

> > the client or other servers. However you would want to do a one shot time

> > config on the DC that holds the PDC Emulator role. This was designed this

> > way to insure time is properly set across the domain because AD uses

> > Kerberos for authentication, which uses a time stamp in the authentication

> > stream as a 'salt' to insure the authentication traffic is not replayed.

> > Kerberos only allows a 5 minute skew otherwise authentication will fail,

> > people can't logon, Exchange fails... the list goes on.

> >

> > Assuming you are running Windows 2003 (different for 2000):

> >

> > net stop w32time

> > net time /setsntp:192.5.41.41

> > net start w32time

> >

> > Make sure UDP 123 is allowed access in your firewall from that IP to the DC

> > holding the PDC Emulator role. That IP is one of the Navy time servers.

> >

> > --

> > Regards,

> > Ace

> >

> > This posting is provided "AS-IS" with no warranties or guarantees and

> > confers no rights.

> >

> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

> > MVP Microsoft MVP - Directory Services

> > Microsoft Certified Trainer

> >

> > Infinite Diversities in Infinite Combinations

>

>

> How can I see if the "one time shot" was already setup on a Domain

> Controller, before I run the net time you suggested?

>

> If I have three Domain Controllers, will this be done on all three. Or only

> one is the main Time Server?

>

>

>

[Guest Ace Fekay [MVP]]

Re: Net time on login script

 

In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,

Marc S <MarcS@discussions.microsoft.com> typed:

>

> How can I see if the "one time shot" was already setup on a Domain

> Controller, before I run the net time you suggested?

>

> If I have three Domain Controllers, will this be done on all three.

> Or only one is the main Time Server?

 

You can do it over and over again and again. It won't hurt. It just sets it

to whatever you set it to. Or look in the reg like that article shows.

 

Ace

[Guest Marc S]

Re: Net time on login script

 

 

 

"Ace Fekay [MVP]" wrote:

> In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,

> Marc S <MarcS@discussions.microsoft.com> typed:

>

> >

> > How can I see if the "one time shot" was already setup on a Domain

> > Controller, before I run the net time you suggested?

> >

> > If I have three Domain Controllers, will this be done on all three.

> > Or only one is the main Time Server?

>

> You can do it over and over again and again. It won't hurt. It just sets it

> to whatever you set it to. Or look in the reg like that article shows.

>

> Ace

>

 

Perfect. Thanks so much.

[Guest Ace Fekay [MVP]]

Re: Net time on login script

 

In news:F7D732D9-FA92-4CA0-AF95-8877757246A9@microsoft.com,

Marc S <MarcS@discussions.microsoft.com> typed:

> Perfect. Thanks so much.

 

My pleasure.