locked
How to disable time synchronization - NEED A HELP!!!

    Question

  • Hello all,

    I have windows server 2008 R2 configured in that way that I can not change the date or time .After changing it ,immediately it returns to the current date.

    But I want to change it manually .I tried to disable Time service but it doesn't help.

    Please , help me to solve this .Is there any way I can change date/time ???How to disable this synchronization  or mayb to delay(synchronization  ) it for some time ...

    Thanks a lot,
    Smugliy
    Wednesday, July 08, 2009 10:56 AM

Answers

  • hi there,

    Have you configured NTPserver in your domain ? , if so here is a bit of info .

    The simplest solution to time synchronization in an Active Directory environment is to let the PDC Emulator in the forest root domain use its own CMOS clock as the source of reliable time for the forest. To do this, you can simply take no action. The only annoying result is that you will occasionally see the following event logged to the System log in Event Viewer:

    Event ID: 12

    Event source: W32Time

    Event description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

    Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.



    ====================================================================

    let us know what values are stored under the below keys

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

     


    sainath !analyze
    Wednesday, July 08, 2009 6:26 PM
    Moderator
  • Additional, if your server is Hyper-V Virtual Machine, please refer to the following article:

    http://blogs.technet.com/notesfromthefield/archive/2009/02/13/a-small-concern-when-virtualizing-domain-controllers-time-sync.aspx

    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, July 14, 2009 3:49 AM
    Moderator

All replies

  • hi there,

    Have you configured NTPserver in your domain ? , if so here is a bit of info .

    The simplest solution to time synchronization in an Active Directory environment is to let the PDC Emulator in the forest root domain use its own CMOS clock as the source of reliable time for the forest. To do this, you can simply take no action. The only annoying result is that you will occasionally see the following event logged to the System log in Event Viewer:

    Event ID: 12

    Event source: W32Time

    Event description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

    Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.



    ====================================================================

    let us know what values are stored under the below keys

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

     


    sainath !analyze
    Wednesday, July 08, 2009 6:26 PM
    Moderator
  • Hi,

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type = NT5DS

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = a (Hex)

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer   - I don't have such entry there

    Thanks a lot

    Thursday, July 09, 2009 8:00 AM
  • Sorry ,this is a correct one


    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type = AllSync

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = a (Hex)

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer   - WTTCTRL-5120

    Thursday, July 09, 2009 8:14 AM
  • Hi,

    It seems this Windows server 2008 is in Domain. Try to run "gpresult /z >>c:\gp.txt" and paste here for research.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, July 10, 2009 10:53 AM
    Moderator
  • Additional, if your server is Hyper-V Virtual Machine, please refer to the following article:

    http://blogs.technet.com/notesfromthefield/archive/2009/02/13/a-small-concern-when-virtualizing-domain-controllers-time-sync.aspx

    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, July 14, 2009 3:49 AM
    Moderator