Guest Marc S
Posted February 5, 2008

Prior consultants put the "net time" command into a login script.

net time \\servername / set /y (the server name is the correct one)

I get an error when the script runs that the option is unavailable. The Syntax looks wrong in the script.

Before I spend any time to fix this, does this need to be in the Login Script?

Guest Ace Fekay [MVP]
Posted February 5, 2008

Re: Net time on login script

In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
Marc S <MarcS@discussions.microsoft.com> typed:
> Prior consultants put the "net time" command into a login script.
>
> net time \\servername / set /y (the server name is the correct one)
>
> I get an error when the script runs that the option is unavailable.
> The Syntax looks wrong in the script.
>
> Before I spend any time to fix this, does this need to be in the
> Login Script?

Nope. Not needed. All domain members will get their time sync from the DC that holds the PDC Emulator Role by default. Nothing else to configure on the client or other servers. However, you would want to do a one-shot time config on the DC that holds the PDC Emulator role. This was designed this way to ensure time is properly set across the domain because AD uses Kerberos for authentication, which uses a time stamp in the authentication stream as a 'salt' to ensure the authentication traffic is not replayed. Kerberos only allows a 5 minute skew, otherwise authentication will fail, people can't log on, Exchange fails... the list goes on.

Assuming you are running Windows 2003 (different for 2000):

net stop w32time
net time /setsntp:192.5.41.41
net start w32time

Make sure UDP 123 is allowed access in your firewall from that IP to the DC holding the PDC Emulator role. That IP is one of the Navy time servers.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Guest Marc S
Posted February 5, 2008

Re: Net time on login script

"Ace Fekay [MVP]" wrote:

> In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
> Marc S <MarcS@discussions.microsoft.com> typed:
> > Prior consultants put the "net time" command into a login script.
> >
> > net time \\servername / set /y (the server name is the correct one)
> > I get an error when the script runs that the option is unavailable.
> > The Syntax looks wrong in the script.
> >
> > Before I spend any time to fix this, does this need to be in the
> > Login Script?
>
> Nope. Not needed. All domain members will get their time sync from the DC
> that holds the PDC Emulator Role by default. Nothing else to configure on
> the client or other servers. However, you would want to do a one-shot time
> config on the DC that holds the PDC Emulator role. This was designed this
> way to ensure time is properly set across the domain because AD uses
> Kerberos for authentication, which uses a time stamp in the authentication
> stream as a 'salt' to ensure the authentication traffic is not replayed.
> Kerberos only allows a 5 minute skew, otherwise authentication will fail,
> people can't log on, Exchange fails... the list goes on.
>
> Assuming you are running Windows 2003 (different for 2000):
>
> net stop w32time
> net time /setsntp:192.5.41.41
> net start w32time
>
> Make sure UDP 123 is allowed access in your firewall from that IP to the DC
> holding the PDC Emulator role. That IP is one of the Navy time servers.
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations

How can I see if the "one time shot" was already set up on a Domain Controller, before I run the net time you suggested?

If I have three Domain Controllers, will this be done on all three? Or only one is the main Time Server?

Guest net_admin
Posted February 5, 2008

Re: Net time on login script

http://support.microsoft.com/kb/816042

--
NetAdmin
<São Paulo, BR>

"Marc S" wrote:

> "Ace Fekay [MVP]" wrote:
>
> > In news:87E10FD9-0701-469C-AAAF-0B733E944B8C@microsoft.com,
> > Marc S <MarcS@discussions.microsoft.com> typed:
> > > Prior consultants put the "net time" command into a login script.
> > >
> > > net time \\servername / set /y (the server name is the correct one)
> > > I get an error when the script runs that the option is unavailable.
> > > The Syntax looks wrong in the script.
> > >
> > > Before I spend any time to fix this, does this need to be in the
> > > Login Script?
> >
> > Nope. Not needed. All domain members will get their time sync from the DC
> > that holds the PDC Emulator Role by default. Nothing else to configure on
> > the client or other servers. However, you would want to do a one-shot time
> > config on the DC that holds the PDC Emulator role. This was designed this
> > way to ensure time is properly set across the domain because AD uses
> > Kerberos for authentication, which uses a time stamp in the authentication
> > stream as a 'salt' to ensure the authentication traffic is not replayed.
> > Kerberos only allows a 5 minute skew, otherwise authentication will fail,
> > people can't log on, Exchange fails... the list goes on.
> >
> > Assuming you are running Windows 2003 (different for 2000):
> >
> > net stop w32time
> > net time /setsntp:192.5.41.41
> > net start w32time
> >
> > Make sure UDP 123 is allowed access in your firewall from that IP to the DC
> > holding the PDC Emulator role. That IP is one of the Navy time servers.
> >
> > --
> > Regards,
> > Ace
> >
> > This posting is provided "AS-IS" with no warranties or guarantees and
> > confers no rights.
> >
> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> > MVP Microsoft MVP - Directory Services
> > Microsoft Certified Trainer
> >
> > Infinite Diversities in Infinite Combinations
>
> How can I see if the "one time shot" was already set up on a Domain
> Controller, before I run the net time you suggested?
>
> If I have three Domain Controllers, will this be done on all three? Or only
> one is the main Time Server?

Guest Ace Fekay [MVP]
Posted February 6, 2008

Re: Net time on login script

In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,
Marc S <MarcS@discussions.microsoft.com> typed:
> How can I see if the "one time shot" was already set up on a Domain
> Controller, before I run the net time you suggested?
>
> If I have three Domain Controllers, will this be done on all three?
> Or only one is the main Time Server?

You can do it over and over again and again. It won't hurt. It just sets it to whatever you set it to. Or look in the reg like that article shows.

Ace

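One way to answer the two questions above (is the time source already configured, and which of the DCs should carry it), as an added example that is not part of any post in this thread. It assumes PowerShell 2.0 or later is installed on the DC and reads the W32Time `Parameters` registry values (`Type`, `NtpServer`) that KB 816042 describes; the variable names are illustrative.

```powershell
# Added example (not from the thread): run locally on each domain controller.
Add-Type -AssemblyName System.DirectoryServices

# Which DC holds the PDC Emulator role for this domain?
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdc  = ($pdc -eq $me)          # -eq on strings is case-insensitive

# Current Windows Time configuration on this machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$w32 = Get-ItemProperty -Path $key
$mode = switch ($w32.Type) {
    'NT5DS'   { 'domain hierarchy (follows the PDC Emulator)' }
    'NTP'     { 'manual peers listed in NtpServer' }
    'AllSync' { 'domain hierarchy and manual peers' }
    'NoSync'  { 'no synchronisation' }
    default   { "unrecognised value '$($w32.Type)'" }
}

"PDC Emulator : $pdc"
"This machine : $me (PDC Emulator: $isPdc)"
"Type         : $($w32.Type) -> $mode"
"NtpServer    : $($w32.NtpServer)"

if ($isPdc -and $w32.Type -eq 'NT5DS') {
    'Finding: the PDC Emulator has no external time source configured.'
} elseif (-not $isPdc -and $w32.Type -ne 'NT5DS') {
    'Finding: this DC does not follow the domain hierarchy; only the PDC Emulator needs an external source.'
} else {
    'Configuration matches the layout described in the thread.'
}

# On a non-PDC DC, sample the clock offset against the PDC Emulator.
# Offsets should be far below the 5-minute Kerberos tolerance.
if (-not $isPdc) {
    w32tm /stripchart /computer:$pdc /samples:3 /dataonly
}
```
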
Guest Marc S
Posted February 6, 2008

Re: Net time on login script

"Ace Fekay [MVP]" wrote:

> In news:4DDBA95C-EF0F-4EE8-B854-6F89D57711B1@microsoft.com,
> Marc S <MarcS@discussions.microsoft.com> typed:
> > How can I see if the "one time shot" was already set up on a Domain
> > Controller, before I run the net time you suggested?
> >
> > If I have three Domain Controllers, will this be done on all three?
> > Or only one is the main Time Server?
>
> You can do it over and over again and again. It won't hurt. It just sets it
> to whatever you set it to. Or look in the reg like that article shows.
>
> Ace

Perfect. Thanks so much.

Guest Ace Fekay [MVP]
Posted February 7, 2008

Re: Net time on login script

In news:F7D732D9-FA92-4CA0-AF95-8877757246A9@microsoft.com,
Marc S <MarcS@discussions.microsoft.com> typed:
> Perfect. Thanks so much.

My pleasure.