NTP in MS domains

  • Thread starter Thread starter Tom Del Rosso
  • Start date Start date
T

Tom Del Rosso

As I understand it, clients know who their NTP server is because the master
browser tells them, so there's no need to run any net time /set or /setsntp
commands.

But I have seen people use these commands in scripts -- even in login
scripts where it shouldn't be able to do anything because they don't run
with admin rights.

Is there any reason to run these commands on clients?
 
Hello Tom,

If you have a domain, normally is no need for using time commands. In a domain
the Domain Controller with the PDCEmulator role is the time source for the
domain. All DC's sync with it and all member servers and workstations sync
with one available DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
In Active Directory, login scripts run with elevated rights; but even so you
are correct, the inclusion of the time command is generally superfluous in
the case of a domain-connected client.
 
Tom Del Rosso said:
As I understand it, clients know who their NTP server is because the
master
browser tells them, so there's no need to run any net time /set or
/setsntp
commands.

But I have seen people use these commands in scripts -- even in login
scripts where it shouldn't be able to do anything because they don't run
with admin rights.

Is there any reason to run these commands on clients?
Click to expand...


In addition to Tom and Richard's responses, you should consider to
synchronize your PDCE of your single domain with an NTP time server. That
is the only machine which needs to connect to an external time source as all
domain clients synch their time with the PDCE.
 
Todd J. Heron, MCSE
Windows NT, 2000, 2003
Click to expand...

There's a name I haven't seen in a while...!

ZZZT!


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Richard G. Harper said:
In Active Directory, login scripts run with elevated rights; but even
so you are correct, the inclusion of the time command is generally
superfluous in the case of a domain-connected client.
Click to expand...

I thought so. Thanks to you and the others.

Your point raises a couple of other questions in me.

Are rights elevated in the same way whether the login script is assigned to
users by a GPO or by the user account properties?

Which specific rights are elevated? I can't find a reference that lists
them.
 
Todd J. Heron said:
In addition to Tom and Richard's responses, you should consider to
synchronize your PDCE of your single domain with an NTP time server.
That is the only machine which needs to connect to an external time
source as all domain clients synch their time with the PDCE.
Click to expand...

Yes. I believe SBS sets that up automatically but plain Windows Server
doesn't.

That would be with the net time /setsntp command with the time service
stopped, right?
 
Phillip Windell said:
There's a name I haven't seen in a while...!

ZZZT!
Click to expand...

Yeah, haven't been hanging out much in the last couple of years. Phil, your
comment made me remeber one of your standard colloquialisms from yesteryear
(circa 2002):

"Proxy Server doesn't do U-turns"...

:)
 
Tom Del Rosso said:
Yes. I believe SBS sets that up automatically but plain Windows Server
doesn't.

That would be with the net time /setsntp command with the time service
stopped, right?
Click to expand...

net time \\ServerName /setsntp:TimeSource

(note: my testing worked with the time service both stopped and running)
 
1. All login scripts assigned by GPO, or by the local security policies,
run with Administrator rights. The logon script, and all processes it
spawns, run with Administrative rights. I don't know about the user account
script assignment as I never saw the need to assign scripts on a per-user
basis on individual computers; only per computer, or using Active Directory.

2. See #1. The logon script runs as Administrator and any processes it
spawns while running get the same. This doesn't change the user's rights,
only the logon script gets the elevation. Anything the user might do while
the script is running is done in the user's context and with the user's
rights.
 
Yeah, haven't been hanging out much in the last couple of years. Phil,
your comment made me remeber one of your standard colloquialisms from
yesteryear (circa 2002):

"Proxy Server doesn't do U-turns"...
Click to expand...

I still use a modification of that one becuase it is a bad idea to try to do
it with ISA too,...although it is possible in some cases to do it with ISA.

:-)

Good to see ya around.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Back
Top