Time server for mixed domain/workgroup environment

Guest

Good morning.

I'm a system administrator for a site with a Windows 2003 file server, and
approx. 200 Windows XP workstations. The server and a handful of
workstations are joined to a corporate domain which covers all of our
offices, while the majority of the workstations are in a workgroup for our
office (and thus, cannot synchronize their time with the domain controller).
What's more, our corporate firewall prevents the machines on our WAN from
contacting time.windows.com without being authenticated. I'd like for the
workstations that are not in the domain to be able to synchronize the time
with our local file server, which synchronizes its time from the domain
controller.

I've set up our server according to the directions in KB314054, but once
this is done, it can no longer synchronize with the domain controller.
Changing the "Type" value at registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ back
to "NT5DS" allows it to synchronize with the domain controller, but then the
workstations cannot synchronize with it. So, I'm in a bit of a Catch-22.

How can I get my workstations to synchronize with my file server without
disabling the ability of my file server to synchronize with the domain
controller?
 
Lanwench [MVP - Exchange]

C. Alden said:
> Good morning.
>
> I'm a system administrator for a site with a Windows 2003 file
> server, and approx. 200 Windows XP workstations. The server and a
> handful of workstations are joined to a corporate domain which covers
> all of our offices, while the majority of the workstations are in a
> workgroup for our office (and thus, cannot synchronize their time
> with the domain controller).

What's the reason for that, if I might ask? That sounds like quite an
administrative nightmare.

> What's more, our corporate firewall
> prevents the machines on our WAN from contacting time.windows.com
> without being authenticated. I'd like for the workstations that are
> not in the domain to be able to synchronize the time with our local
> file server, which synchronizes its time from the domain controller.

That should work fine, AFAIK

> I've set up our server according to the directions in KB314054, but
> once this is done, it can no longer synchronize with the domain
> controller. Changing the "Type" value at registry key
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
> back to "NT5DS" allows it to synchronize with the domain controller,

Good.

> but then the workstations cannot synchronize with it. So, I'm in a
> bit of a Catch-22.
>
> How can I get my workstations to synchronize with my file server
> without disabling the ability of my file server to synchronize with
> the domain controller?

What happens when you run the following on the workstations (as an admin):

net time /setsntp:FILESERVERNAME

?
 
Guest

Lanwench said:
> What's the reason for that, if I might ask? That sounds like quite an
> administrative nightmare.

Honestly, I'm not quite sure of the reasons behind it myself, as I'm new in
the department. As I understand it, it has something to do with the head
office's security policies on the domain, specifically that most of the
employees using the workstations log in under the same user name, which is a
big no-no for a domain account.

> What happens when you run the following on the workstations (as an admin):
>
> net time /setsntp:FILESERVERNAME

Doing that, then stopping and restarting the w32time service, seems to have
done the trick in allowing them to synchronize properly. So, thanks for
solving the problem.

I am kind of curious, though, as to why the net time command worked, but the
command set mentioned in the knowledge base:

w32tm /config /manualpeerlist:10.20.88.64 /syncfromflags:manual
w32tm /config /update

seems to only work if the server's not in the domain, as does setting the
windows time server manually in the Date/Time control panel. But hey, I
won't look the gift horse in the mouth. :)
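
A way to check from a workstation whether the file server answers SNTP queries and reports a synchronized clock, as an added example that is not part of the original thread. FILESERVERNAME is the thread's placeholder, the function names are hypothetical, and the sample replies are constructed rather than captured traffic:

```python
import socket
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client)."""
    return bytes([0x1B]) + bytes(47)

def parse_response(data):
    """Decode the header fields that show whether the server is usable."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    flags, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    info = {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_DELTA + tx_frac / 2**32,
    }
    # Reject replies that are not server mode, that carry leap=3 (clock not
    # synchronized), or whose stratum is 0 or above 15.
    info["usable"] = (info["mode"] == 4 and info["leap"] != 3
                      and 1 <= stratum <= 15 and tx_sec != 0)
    return info

def query(server, timeout=3.0):
    """Send one request to UDP port 123 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)

def sample_reply(leap, stratum, unix_time):
    """Constructed server reply for offline testing (not captured traffic)."""
    hdr = bytes([(leap << 6) | (3 << 3) | 4, stratum, 0, 0])
    return hdr + bytes(36) + struct.pack("!II", unix_time + NTP_EPOCH_DELTA, 0)

if __name__ == "__main__":
    print(parse_response(sample_reply(0, 3, 1100000000)))  # synchronized server
    print(parse_response(sample_reply(3, 0, 1100000000)))  # unsynchronized server
    # Live check against the thread's placeholder name:
    # print(query("FILESERVERNAME"))
```

A timeout from `query` means nothing answered on UDP 123, while a reply with `usable` set to False means the time service answered but does not consider its own clock synchronized.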
 
