W32time error in event viewer? 1

[OverDrive]

I am getting this error? Does anyone know why?

I did the "'net time /setsntp:<server name>" from the command prompt and it said it initialized, but I still get the error every day?

Any thoughts?

Thanks
Chance~



Event Type: Error
Event Source: w32time
Event Category: None
Event ID: 62
Date: 3/18/2004
Time: 7:06:30 AM
User: N/A
Computer: SERVER
Description:
This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, 'net time /setsntp:<server name>'.
Data:
0000: e5 03 00 00 å...

 

[supatech]

what machine are you using for time server? if it is external make sure you can access it.

CCNA MCSE MCP NET+ A+ Security+

 

[OverDrive]

Well, I am using the DC "i guess" for the time server?

This is where I am receiving the error btw also(the DC)...

 

[mlichstein]

Do "net time /setsntp:time.nist.gov"

or "net time /setsntp:tock.usno.navy.mil"

After setting it, do "net stop w32time & net start w32time"

Then do "net stop w32time" then "w32tm -v -once" Check for errors then finally do "net start w32time

 

[desktoprat]

Mlichstein, what is the purpose of stopping and starting the time service and then doing it again with the synch once command? All the docs I have ever seen never suggested doing it that way.

Not saying you are wrong, just wondering about the rationale.

 

[mlichstein]

The first stop and start makes sure the configuration is updated. The time service in 2003 and XP makes this easier with the w32tm /config /update command that doesnt require the service to be stopped.

The second stop is because you cant force the time sync when the service is started. Again, this is better in 2003 and XP because you can force a sync without stopping the service.

 

[OverDrive]

Not sure what all that did, but it had to help!

I will let you know what the eventvwr says...

Thanks!

STAR 4 U my friend!
Chance~

 

[OverDrive]

I got a warning now instead of an error... so thats a plus... here is the warning.


Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 11
Date: 3/18/2004
Time: 9:27:58 PM
User: N/A
Computer: SERVER
Description:
The NTP server didn't respond
Data:
0000: 00 00 00 00 ....

 

[mlichstein]

Which of the two servers that I posted did you use? Sometimes they have issues.

 

[OverDrive]

gov

 

[mlichstein]

Try changing to the other one.

You could also use tick.usno.navy.mil

 

[OverDrive]

I got the same warning...

??

 

[mlichstein]

Are you blocking port 123 anywhere?

 

[desktoprat]

Ok, Mlichstein, understand where you are going now. The only thing I ever did was the 2nd part. Stop, synch, start.

Since we are on the subject, what rationale from a security standpoint is there for disabling the time service on a domain controller? One of the groups at work has disabled the time service and is forcing a large group of users to use a 3rd party utility to synch up their clocks. I really have not been able to find anything to justify why they disabled it and am trying to make a move to force them to turn it back on.

 

[mlichstein]

Time synchronization is very important in an AD domain. The default max tolerance value for time sync for Kerberos authentication is 5 minutes.

Clients synch their time with their authenticating DC. Domain controllers follow the statum algorithm to sync their time with other DCs.

So froma security standpoint, time is very important. How time is synchronized is not as important, I guess, but the Windows time service is very good. Unless there is some reason to have more exact time sync on the network, the Windows time service is the best way to go. Besides, it requires almost no configuration. The only thing that needs to be done is to set the external time source on the PDCe of the root domain in the forest. Everyone else in the entire forest will sync automatically.

 

[desktoprat]

I understand the importance of time, even more so in an AD environment. In my environment, we are mixed between domains and workgroups. Just for good measure, throw a predominantly Novell enviroment in there as well.

For political reasons, and a copious amount of lead in certain parts of some people's anatomy, one of the groups we support is in a totally separate NT4 domain from us. A domain that we do not administer. But we are responsible for the desktop support in that area.

The time factor has become even more important lately because for lack of a better term, it has been 'slipping' and it is really impacting the billing department.

Upon further investigation, the affected group, when given the Net Time command, the computers basically respond with a Time Server cannot be found. They are using a 3rd party time synch utility, Tardis I believe, that is apparently not doing the job. In addition, the group that maintains that particular domain have shut off the time services due to 'security concerns' and won't really elaborate as to why. Finally, the Novell clients, even though the option is enabled, aren't synching their time to the Novell server either.

I am trying to impress upon my boss that there are only a two realistic choices here:

1. Call in bigger guns, and get the other group to allow time services from their domain controller.

2. Finish fighting the political battles, and join the machines to our own AD domain since we are responsible for the desktops already anyway.

So, I guess I just vented all over the place. But that is the reason for my question earlier as to what security concerns could there be for allowing the time service to operate?

Any further input/suggestions?