How Can I set a Domain to a Previous Date and Time?
Question: I want to change the time on a windows domain to set it back to being a few months in the past without any chance of override
Before commencing any of this you must disable Time Sychronization with the Hyper-V host:
Firstly , the reason I might want to do this is to use an old piece of software to interrogate some historical data on a system where a license has expired and there is no possibility to get a new one because the vendor has disappeared or the existing company is insolvent or liquidated.
Bear in mind:
Changing the time on a Windows domain to a date in the past is a tricky and potentially risky task, as it can have significant impacts on Active Directory, Kerberos authentication, file replication, and other time-sensitive services. By default, Windows domains use the Windows Time service (W32Time) to synchronize time across all machines, and Active Directory enforces time synchronization between domain controllers and member machines.
If you're absolutely certain you need to change the domain time back a few months, here’s a general overview of the steps you would take. However, be cautious, as this could lead to issues with Kerberos ticketing, replication, and even system corruption. Here’s how to proceed:
1. Change the PDC Emulator's Time
The Primary Domain Controller (PDC) Emulator is the authoritative time source for the entire domain. You need to adjust the time on the PDC Emulator first. The PDC typically synchronizes its time from an external source (like the internet), so you will need to disable time synchronization before changing the time.
Steps:
-
Log into the PDC Emulator:
- Identify which Domain Controller is the PDC Emulator using the following command:
netdom query fsmo
- Log in to that Domain Controller.
-
Disable Time Synchronization: To prevent the PDC from synchronizing time with external sources:
-
Stop the Windows Time Service:
- Stop the time service to prevent it from overriding the time:
net stop w32time
-
Change the System Time:
- Change the system time to the desired date using the following command:
date MM-DD-YYYY
Or, set the time directly via Control Panel > Date and Time.
-
Restart the Windows Time Service:
- Start the time service again:
net start w32time
-
Set PDC as Authoritative: You need to make the PDC the authoritative time source for the rest of the domain:
w32tm /config /reliable:YES
w32tm /resync /rediscover
2. Ensure Domain Controllers Sync with the PDC Emulator
You want all other Domain Controllers (DCs) to sync with the PDC Emulator's time.
Steps:
- Log into each Domain Controller (other than the PDC Emulator).
- Resync with the PDC Emulator: Run the following command to force them to sync with the PDC:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync
3. Ensure Domain Members Sync with the PDC Emulator
Ensure that all other domain members (servers, workstations) sync with the updated time from the PDC Emulator.
Steps:
- Log into a Domain Member.
- Force Time Resync: Run the following command:
w32tm /resync
You may need to repeat this process for all domain member machines to ensure they sync correctly with the new domain time.
4. Disable Time Sync via Group Policy (Optional)
To prevent machines from synchronizing with external NTP servers or overriding the manual time setting, you can disable time synchronization using Group Policy.
- Open Group Policy Management Console (GPMC) on the PDC.
- Edit the Default Domain Policy (or create a new policy).
- Navigate to:
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.
- Disable
Enable Windows NTP Client.
- Apply the policy and force it to update across the domain:
gpupdate /force
5. Verify Time Change
After completing the above steps, verify that the time change is reflected across all domain controllers and member machines. Use the following command on each machine to check the current time:
w32tm /query /status
Important Considerations:
- Kerberos Authentication: Kerberos tickets are time-sensitive and expect the time to be within 5 minutes of the DC's time. By going back a few months, you might break authentication and cause login failures. This could disrupt all services using Active Directory authentication.
- File Replication Issues: Active Directory and DFS Replication use timestamps to track changes. Rolling back time could cause replication issues, resulting in data loss or corruption.
- Certificate Validity: Any services using certificates could fail because certificates have validity periods that depend on time.
- Event Logs: Going back in time may make it difficult to track events properly due to mismatched timestamps.
Recommendations:
- Backup First: Make sure to back up all critical data and system states before making these changes.
- Test in a Lab Environment: If possible, test this process in a controlled environment to see the potential impact before applying it in production.
As Soon as I Restart the Service it reverts to Today's Date
When you restart the Windows Time service (w32time), it defaults to syncing with the system's authoritative time source, which can cause it to revert to today's date. To successfully change the time to a past date without it reverting, you'll need to ensure that:
- Time Synchronization is Fully Disabled: The time service and all potential external sources are disabled or blocked from syncing.
- The Domain Controller Does Not Attempt to Resync: By default, domain controllers try to resync their time from external sources (such as the PDC emulator, external NTP servers, etc.).
Here’s a refined approach to prevent the time from reverting:
1. Disable External Time Sync Completely on the PDC Emulator
To stop the server from reverting to the current time, ensure all time synchronization options are disabled.
Steps:
-
Disable External NTP Servers:
-
Disable Time Synchronization in Group Policy (Optional but recommended):
- Open Group Policy Management Console on the PDC.
- Go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.
- Set Enable Windows NTP Client to Disabled.
-
Stop the Windows Time Service: To prevent the service from reverting the time:
net stop w32time
2. Change the Date to the Past
With the time service disabled, manually change the date:
date MM-DD-YYYY
time HH:MM:SS
3. Prevent Automatic Resync and Make PDC Authoritative
To ensure that the server does not revert back to today's date once the service restarts, you need to configure the PDC to be the authoritative time source for the entire domain, but without allowing it to sync externally.
Steps:
-
Configure the PDC as the Authoritative Time Source:
w32tm /config /manualpeerlist:"" /syncfromflags:manual /reliable:YES /update
This command tells the PDC to become the authoritative time source for the domain, but without syncing from an external NTP source.
-
Restart the Time Service Without Reverting: Now restart the Windows Time service:
net start w32time
By setting the PDC as the authoritative source and disabling external synchronization, this prevents the time from reverting to today’s date.
4. Verify Settings
Check that the PDC emulator is now set as the reliable time source and that no external sync is happening:
w32tm /query /status
Look for:
- Source: Should show as
Local CMOS Clock or Free Running System Clock.
- Stratum: Should be 1 (indicating it is authoritative).
5. Prevent Domain Members from Reverting the Time
Domain members and other Domain Controllers will try to sync with the PDC Emulator for time updates, so ensure that they don't override the past time.
On the other Domain Controllers and member machines:
-
Force Sync from the PDC Emulator:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync
-
Disable Time Sync with External NTP: Run this command to prevent member machines from syncing with any external time servers:
w32tm /config /manualpeerlist:"" /syncfromflags:manual /update
6. Monitor and Verify
Monitor the domain for any issues that may arise from time changes, including Kerberos authentication problems, replication failures, or certificate issues.
The PDC says Primary Reference - 'syncd by radio clock'
The message "Primary reference - synced by radio clock" means that the Windows Time service (w32time) is still configured to synchronize with an external time source (typically an NTP server or another time source, like a GPS or radio clock). This could be why the time keeps reverting to today's date when you restart the service.
Here’s how to ensure the Windows Time service on your PDC Emulator (or the server in question) does not sync with any external time sources:
1. Disable External Time Synchronization
Run the following commands to completely disable any external time sources:
w32tm /config /syncfromflags:no /update
w32tm /config /manualpeerlist:"" /syncfromflags:manual /update
This tells Windows Time to stop syncing from any external time source. The second command clears any previously configured external time sources.
2. Force the PDC to Use Its Local Clock
To ensure the PDC is using its own local clock and not any external source, set it to be the authoritative time source (reliable time server):
w32tm /config /reliable:YES /update
This tells the PDC to rely solely on its local clock and not attempt to sync with any other servers.
3. Stop and Restart the Windows Time Service
To apply these changes and stop any ongoing synchronization, restart the Windows Time service:
net stop w32time
net start w32time
4. Check the Time Source
Now verify that the time source has been updated to use the local clock:
w32tm /query /status
You should see:
- Source:
Local CMOS Clock (or similar) indicating it is now using the internal clock.
- Stratum: It should be Stratum 1, indicating that the server is now an authoritative time source.
If it still shows something like "synced by radio clock" or any external source, then the manual peer list or flags might not have been correctly updated.
5. Verify and Synchronize Domain Controllers and Members
Now that the PDC is set as the authoritative source and using its local clock, ensure that other domain controllers and member machines synchronize with the PDC by running:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync
This will make them sync with the domain hierarchy, starting with the PDC Emulator.
Additional Troubleshooting Steps:
-
Clear Windows Time Configuration: If the time service keeps reverting to an external source, you may want to reset the time service configuration:
w32tm /unregister
w32tm /register
This will reset the Windows Time service to its default state. After that, run the commands to reconfigure it as the authoritative time source without external sync.
In Practice
We usually find that one you have set the PDC the other machines all have to be set using the 'DATE MM-DD-YYYY' command and then synced with the PDC using the old style 'net time /set /y' command and that this should be done after all of the machines have been unsynced with an external source as described above. Do not restart the service as this will bring the system back to today's date.
Once you have done this on all of the machines and restarted and database and app services you may need to, start up your software and see if it is convinced by the date. This often works as finance systems depend on the date and so do not bother addressing people changing the date to before the license as all of their entries would become useless. Pause the machines when you are not using them and keep them alive on the correct date without having to do all of this again the next week. This way you can stretch out the usefulness of your app. Once you have finished interrogating, shut it down. You will have to do all of this again if you forgot to check anything though.