2

Have just had a bit of an issue with our time setup after an issue with our PDC. Am on clear up duty now but am struggling with some 2003 servers.

On server 2008 I can run w32tm /query /source and it responds with the DC that it has synced time with (or not if it has been configured incorrectly).

I cannot seem to find a similar command on Server 2003. the /query switch is not listed and returns errors. Will one of the registry settings from /dumpreg inform me if the server is using /syncfromflags:domhier?

I am really hoping to just check that all our servers are set to use the domain hierarchy for their time source and not some external source or incorrect server (in the past a previous admin had been know to set the firewall as the NTP source in the registry, this is something we want to move away from).

We are using Server 2008 DCs and have domain and forest levels set to 2008.

Citizen
  • 1,103
  • 1
  • 10
  • 19
  • If it's domain, then not, apparently you need to start the service, and then configure for PDC, but if you have it on DC and 2008 reports OK, this should be all fine. Dumpreg always returns registry settings, but doesnt show if service is started or working. – Andrew Smith Aug 31 '12 at 10:55
  • so by deafult in a domain environment starting the w32time service will use domain hierarchy to sync time? Would this override any sntp settings that may have been configured before? The PDC and DCs are all configured and talking to each other correctly now. It just some of our members servers that I wanted to give the once over to. –  Aug 31 '12 at 11:00
  • Well the time service has to be specifically configured via GPO to talk to the domain controller, or the best two domain controllers. To have it well working, you need to configure it thru GPO, because defaults are very generic, and they very often drift a lot. But the default GPO policy, if enabled, is really OK even for most demanding problems. – Andrew Smith Aug 31 '12 at 12:58

2 Answers2

7

The equivalent of w32tm /query on XP and 2003 is "net time /querysntp".

Tim Brigham
  • 15,545
  • 10
  • 75
  • 115
  • thanks for that. On a test server it is showing as not configured which leads me to believe it is picking it up from the DC which is good. thanks –  Aug 31 '12 at 11:41
1

All members of a domain should get their time from domain controllers and lose any options to manually set other NTP servers through the standard UI, although it is possible to edit in if you need to insome circumstances, but it is inadvisable and should only really be used when in a virtual environment. This is to ensure that kerberos and similar authentication works correctly. The domain controllers themselves should set the time for the domain from an external NTP source.

Alex Berry
  • 2,307
  • 13
  • 23
  • That's not actually true. All domain members *should* get their time settings from a domain controller, but that doesn't mean they will, or that it can't be changed. Also, all machines will be getting their time from an NTP source... W32time is an NTP source. Please correct those errors so I can remove my downvote. – HopelessN00b Aug 31 '12 at 13:36
  • Noted and updated, what you said is really what I meant, thanks. – Alex Berry Aug 31 '12 at 13:50