Dillobits Software

Smart software for smart people

 


Frequently Asked Questions

SNTP Service


The registration key you sent me doesn't work, why?

Please see the General FAQ webpage for the answer.

I installed the SNTP service on my NT terminal server but the SNTP control panel does not appear in the control panel!

Some customers have found that if the server is put into 'install mode' prior to starting the installation, the control panel applet is incorrectly installed. Leave the server in 'execute mode', then run the installation, and the control panel applet will be correctly installed.

There are a couple of alternate ways to start the control panel applet.

  • From the command line, enter: CONTROL SNTPSERV.CPL
  • Open a folder window at c:\wtsrv\system32 and double-click the sntpserv.cpl file icon.

Can the SNTP Service coexist with the W32Time service?

It is possible to start W32Time without conflict, but the synchronization functions of W32Time must be turned off. This avoids problems with applications that require the W32Time service (i.e., Cluster Server or Domain Controllers). The synchronization functions continue to be implemented by the SNTP Service. Normally, the Windows Time service startup can be disabled when the SNTP Service is running, except if the system is running Cluster Service or is a Domain Controller.

The SNTP Service will automatically adjust the appropriate W32Time registry entries at install time if it detects that Cluster Services are present. After installing on a Domain Controller (DC) you can use the SNTP Service control panel applet to disable W32Time time synchronization functions. In either case you should disable the SNTP Service server function. After doing this you must restart both the W32Time service and the SNTP Service.

Do not use the NET TIME /setsntp command on a system that is running both the SNTP Service and the W32Time service, since it will automatically re-enable W32Time clock synchronization functions.

After following these procedures on Domain Controllers or Cluster Servers, please check the SYSTEM\CurrentControlSet\Services\W32Time\Parameters TYPE variable in the system registry to make sure it is set to NOSYNC.
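One way to script the registry check described above, as an added example that is not part of the original FAQ or the vendor's software. It assumes the key lives under HKEY_LOCAL_MACHINE and also reads the standard service Start value (2 = automatic, 3 = manual, 4 = disabled); the function name is hypothetical.

```powershell
# Added example: confirm W32Time cannot synchronize the clock alongside the SNTP Service.
function Test-W32TimeNoSync {
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $paramKey = "$svcKey\Parameters"

    if (-not (Test-Path $svcKey)) {
        return New-Object PSObject -Property @{ Compliant = $true; Detail = 'W32Time is not installed.' }
    }

    # Missing values come back as $null instead of raising an error.
    $start = (Get-ItemProperty -Path $svcKey   -Name Start -ErrorAction SilentlyContinue).Start
    $type  = (Get-ItemProperty -Path $paramKey -Name Type  -ErrorAction SilentlyContinue).Type
    $svc   = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $running = ($svc -and $svc.Status -eq 'Running')

    if ($type -eq 'NoSync') {
        # -eq is case-insensitive, so NOSYNC and NoSync both match.
        $ok = $true
        $detail = 'W32Time synchronization is off; the SNTP Service owns the clock.'
    } elseif (-not $running -and $start -eq 4) {
        $ok = $true
        $detail = 'W32Time is disabled and stopped, so its Type setting has no effect.'
    } else {
        # Typical after NET TIME /setsntp has re-enabled synchronization.
        $ok = $false
        $detail = "W32Time can still synchronize (Type = '$type'). Set NoSync, then restart W32Time and the SNTP Service."
    }

    New-Object PSObject -Property @{
        Compliant  = $ok
        Type       = $type
        StartValue = $start
        Running    = [bool]$running
        Detail     = $detail
    }
}

Test-W32TimeNoSync | Format-List
```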

Under 64-bit versions of Vista, why doesn't the SNTP Service control panel applet show up in the control panel?

64-bit versions of Windows Vista will not display 32-bit applets by default. To see them, choose the 'Control Panel Home' option, then 'Additional Options', then '32-bit applications'.

Under Vista why do I get an access denied error trying to use the control panel applet to provision a remote system?

The SNTP control panel applet uses the Windows Management Interface (WMI) to provision remote systems.

   Windows Firewall Settings

Starting with Windows Vista, the WMI exception in Windows Firewall enables only WMI connections, rather than other DCOM applications as well. The exception for WMI allows WMI to receive remote connections and asynchronous callbacks. You can enable or disable WMI traffic through the Windows Firewall UI.

To enable or disable WMI traffic using firewall UI

  1. In the Control Panel, click Security and then click Windows Firewall.
  2. Click Change Settings and then click the Exceptions tab.
  3. In the Exceptions window, select the check box for Windows Management Instrumentation (WMI) to enable WMI traffic through the firewall. To disable WMI traffic, clear the check box.

   User Account Control and WMI

User Account Control (UAC) affects the WMI data that is returned to clients, remote access, and how clients must run.

Under UAC, accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges. Whether you are connecting to a remote computer in a domain or in a workgroup determines whether UAC filtering occurs. If your computer is part of a domain, connect to the target computer using a domain account that is in the local Administrators group of the remote computer. UAC access token filtering will then not affect the domain accounts in the local Administrators group. Do not use a local, non-domain account on the remote computer, even if the account is in the Administrators group.

In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user. A best practice is to create a dedicated local user group or user account on the target computer specifically for remote connections.

The security must be adjusted to be able to use this account because the account has never had administrative privileges. Give the local user:

  • Remote launch and activate rights to access DCOM.
  • Rights to access the WMI namespace remotely (Remote Enable).
  • Right to access the specific securable object, in this case the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Dillobits\SNTPServ.

Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup. The registry entry is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy. When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, Remote UAC is disabled.
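To audit a workgroup target against the guidance above, the following added example (not part of the original FAQ or the vendor's software) reports the Remote UAC setting and the rights a dedicated account holds on the SNTP Service registry key. The function name and the account name `sntp-remote` are hypothetical, and the script treats a missing LocalAccountTokenFilterPolicy entry the same as 0.

```powershell
# Added example: run locally on the target computer.
function Get-SntpRemoteProvisioningState {
    param(
        [string]$Account = "$env:COMPUTERNAME\sntp-remote",     # hypothetical account name
        [string]$KeyPath = 'HKLM:\SOFTWARE\Dillobits\SNTPServ'  # key named in the FAQ
    )

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
                  -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # 0 or absent: Remote UAC access token filtering is enabled. 1: it is disabled.
    $filtering = ($value -ne 1)

    # Collect only explicit Allow entries for the account; rights granted
    # through group membership are not resolved here.
    $rights = @()
    $keyExists = Test-Path $KeyPath
    if ($keyExists) {
        $rights = @((Get-Acl -Path $KeyPath).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and
                           $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.RegistryRights.ToString() })
    }

    New-Object PSObject -Property @{
        RemoteUacFiltering = $filtering
        PolicyValue        = $value
        KeyExists          = $keyExists
        Account            = $Account
        AccountKeyRights   = ($rights -join '; ')
    }
}

Get-SntpRemoteProvisioningState | Format-List
```

The DCOM launch and activation rights and the WMI namespace Remote Enable right from the list above are not covered by this check and still need to be verified separately.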

If your question was not answered here, please check the General FAQ webpage.