Comments on: Configure Windows Server 2003 and 2008 w32tm commands on domain controller http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/ Company site for Greg Fischer { GregTheGeek } Wed, 14 Apr 2010 22:44:19 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Devin http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-557 Devin Wed, 17 Mar 2010 18:33:22 +0000 http://www.1stbyte.com/?p=151#comment-557 Just thought I would add some input...... Windows Time in Windows 2000 used SNTP. SNTP is one of the most easily exploitable protocols, if not the easiest, that exists. NTP was developed to address some of the major/critical security issues that were known when the time Windows Server 2003 came out. All Microsoft Windows versions since Windows 2000 include the Windows Time Service, which has the ability to sync the computer clock to an NTP server. However, the version in Windows 2000 only implements Simple NTP, and violates several aspects of the NTP version 3 standard. Beginning with Windows Server 2003, the Microsoft documentation states that Windows Time Service implements the full NTPv3 protocol as specified in RFC 1305. Next time think about why something is changed.....there is usually a reason behind it. Just thought I would add some input……

Windows Time in Windows 2000 used SNTP. SNTP is one of the most easily exploitable protocols, if not the easiest, that exists.

NTP was developed to address some of the major/critical security issues that were known when the time Windows Server 2003 came out.

All Microsoft Windows versions since Windows 2000 include the Windows Time Service, which has the ability to sync the computer clock to an NTP server. However, the version in Windows 2000 only implements Simple NTP, and violates several aspects of the NTP version 3 standard. Beginning with Windows Server 2003, the Microsoft documentation states that Windows Time Service implements the full NTPv3 protocol as specified in RFC 1305.

Next time think about why something is changed…..there is usually a reason behind it.

]]> By: Greg http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-538 Greg Fri, 26 Feb 2010 20:14:22 +0000 http://www.1stbyte.com/?p=151#comment-538 Is your system bios set to the correct date? I'd make sure that is set right first. I don't know if dates are sync'd with NTP, don't know enough about that to say for sure. But it seems to me that if your date is wrong, you'd want it set right in the bios anyway, then allow NTP to keep the time. Is your system bios set to the correct date? I’d make sure that is set right first. I don’t know if dates are sync’d with NTP, don’t know enough about that to say for sure. But it seems to me that if your date is wrong, you’d want it set right in the bios anyway, then allow NTP to keep the time.

]]> By: Kane http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-537 Kane Fri, 26 Feb 2010 19:20:07 +0000 http://www.1stbyte.com/?p=151#comment-537 Hello. When I run the commands only the time gets updated. Is there anyway to have the date also sync. Just like when you click on update for syncing the time and date in the clock properties. Hello. When I run the commands only the time gets updated. Is there anyway to have the date also sync. Just like when you click on update for syncing the time and date in the clock properties.

]]> By: Greg http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-469 Greg Thu, 22 Oct 2009 21:29:44 +0000 http://www.1stbyte.com/?p=151#comment-469 Just thought I'd mention. Today I had a server that wouldn't take the command listed above with all the pool.ntp.org items. I ended up running this and it all worked: (that sould read "north-america" and all on one line) <pre> w32tm /config /manualpeerlist:north-america.pool.ntp.org,0×8 /syncfromflags:MANUAL /reliable:yes w32tm /config /update net stop w32time net start w32time w32tm /resync </pre> And that worked great. It wouldn't work with all the pool items before, said something like "such and such... is unexpected" and wouldn't take it. I also tried NOT using the net stop and start commands, and wouldn't work. Had to do the stop and start and only "/resync" on the last command, then worked great! Just thought I’d mention. Today I had a server that wouldn’t take the command listed above with all the pool.ntp.org items. I ended up running this and it all worked: (that sould read “north-america” and all on one line)

w32tm /config /manualpeerlist:north-america.pool.ntp.org,0×8 /syncfromflags:MANUAL /reliable:yes

w32tm /config /update

net stop w32time
net start w32time

w32tm /resync

And that worked great. It wouldn’t work with all the pool items before, said something like “such and such… is unexpected” and wouldn’t take it.

I also tried NOT using the net stop and start commands, and wouldn’t work. Had to do the stop and start and only “/resync” on the last command, then worked great!

]]> By: Sue http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-448 Sue Thu, 24 Sep 2009 10:13:13 +0000 http://www.1stbyte.com/?p=151#comment-448 Thanks guys! These info helped a lot! You have no idea how grateful i am to be able to go back and get some sleep now... Thanks guys! These info helped a lot! You have no idea how grateful i am to be able to go back and get some sleep now…

]]> By: Greg http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-447 Greg Thu, 24 Sep 2009 08:02:50 +0000 http://www.1stbyte.com/?p=151#comment-447 Frank, thanks for the great info! Glad you found my measly little notes useful. I keep these because of the exact reason you mentioned. Sometimes you find all kinds of great info out there, but then its tough get a simple example. (or it's buried in a ton of docs) Anyway, thanks! Frank, thanks for the great info! Glad you found my measly little notes useful. I keep these because of the exact reason you mentioned. Sometimes you find all kinds of great info out there, but then its tough get a simple example. (or it’s buried in a ton of docs) Anyway, thanks!

]]> By: Frank (another one) http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-445 Frank (another one) Wed, 23 Sep 2009 06:33:51 +0000 http://www.1stbyte.com/?p=151#comment-445 Hi First of all thanks a lot to Greg: This is the first site I found after a lot of googeling that just told me the w32tm command to make my DC a timeserver!!! My DC is Windows Server 2008 SP2 Standard My experience with w32tm: - do stuff as "the" (domain) Administrator, not just as a normal administrator user!!! (Unlike Unix, these two users do not have identical authorizations!!!) - in the command prompt work directly under C:\!!! Not in the Administrator home directory.... - turn off ALL anti-virus functions, scanners, programs!! - Do NOT use the "Net" command. Only use w32tm commands. When you get strange error messages while setting up w32time (stuff like "access denied" or the system telling you, a command execution was not possible because service is marked for deletion): - use "w32tm /unregister" - reboot (removes the marked for deletion service (w32time) definitely and removes any crippled registry entries for w32time) - use "w32tm /register" (creates new standard registry entries, installs w32time service. Service not running but in "Automatic" mode) - reboot (after reboot service is running. Just starting the service without reboot got me error messages due to some not unique service IDs.... ) - use the "w32tm /config..." command above. You can add the "/update" in the first line. - remember not to use "Net Start" stuff - then use "w32tm /resync /rediscover" - if you then use "w32tm /stripchart /computer:"your NTP server" /samples:5 /dataonly" you should find out that the local time is max. 0.000something different from the NTP server time. Where the NTP server is the first in the list you set up with "manualpeerlist". Regards, Frank Hi
First of all thanks a lot to Greg: This is the first site I found after a lot of googeling that just told me the w32tm command to make my DC a timeserver!!!

My DC is Windows Server 2008 SP2 Standard

My experience with w32tm:
- do stuff as “the” (domain) Administrator, not just as a normal administrator user!!! (Unlike Unix, these two users do not have identical authorizations!!!)
- in the command prompt work directly under C:\!!! Not in the Administrator home directory….
- turn off ALL anti-virus functions, scanners, programs!!
- Do NOT use the “Net” command. Only use w32tm commands.

When you get strange error messages while setting up w32time (stuff like “access denied” or the system telling you, a command execution was not possible because service is marked for deletion):
- use “w32tm /unregister”
- reboot (removes the marked for deletion service (w32time) definitely and removes any crippled registry entries for w32time)
- use “w32tm /register” (creates new standard registry entries, installs w32time service. Service not running but in “Automatic” mode)
- reboot (after reboot service is running. Just starting the service without reboot got me error messages due to some not unique service IDs…. )
- use the “w32tm /config…” command above. You can add the “/update” in the first line.
- remember not to use “Net Start” stuff
- then use “w32tm /resync /rediscover”
- if you then use “w32tm /stripchart /computer:”your NTP server” /samples:5 /dataonly” you should find out that the local time is max. 0.000something different from the NTP server time. Where the NTP server is the first in the list you set up with “manualpeerlist”.

Regards,
Frank

]]> By: Frank http://www.1stbyte.com/2009/04/07/configure-windows-server-2003-and-2008-w32tm-commands-on-domain-controller/comment-page-1/#comment-402 Frank Mon, 20 Jul 2009 07:46:46 +0000 http://www.1stbyte.com/?p=151#comment-402 Thanks for this article, helped me out. I do advice to use a 'w32tm /unregister' and 'w32tm /register' after the 'net stop w32time' Thanks for this article, helped me out.
I do advice to use a ‘w32tm /unregister’ and ‘w32tm /register’ after the ‘net stop w32time’

]]>