Posted on 01-09-2015 07:59 AM
My clients are set up to Sync with Apple atomically for time, but they are drifting. Some clients are 4-5 minutes in the future, some are in the past. Not sure what's going on here. If I go into settings and click update automatically off and on, it fixes it. Does anyone know how to fix the time drift?
Posted on 01-09-2015 09:06 AM
I use this script for all our clients which fixes the problem. It's run once a week, though you could run just sudo ntpdate -u [your ntp server] by itself
#!/bin/bash
#checks box to Set time & Date automatically
sudo systemsetup -setusingnetworktime on
#set time zone
sudo systemsetup -settimezone America/New_York
#sets your ntp server
sudo systemsetup -setnetworktimeserver [your ntp server]
#updates the time against ntp server
sudo ntpdate -u [your ntp server]
exit 0
Posted on 01-09-2015 10:52 AM
Most of our clients are using Active Directory so we just set the time to the domain name (as per this blog: http://www.amsys.co.uk/2015/blog/setting-network-time-server-command-line/).
Time drifting around isn't something I have seen for a while (I could just not have noticed though!). Is there anything NTP error related in the system logs?
Posted on 01-09-2015 10:56 AM
I've also some posts on NTP: https://macmule.com/?s=NTP&submit=Search
@davidacland, I'm not trolling fella.. Honest!!
Posted on 01-09-2015 10:58 AM
Posted on 01-09-2015 11:06 AM
Wait, what?
Posted on 01-09-2015 11:18 AM
Must respectfully disagree @davidacland as not all domain controllers are configured to implement NTP as a service. If that's not in place, your time will drift.
@bthomason Is your place allowing NTP broadcast information (UDP) on port 123 through your firewall? If you're reliant on things like AD login and thus the time not being more than five minutes out, then you should think about directing your clients to an internal NTP server.
Posted on 01-09-2015 01:42 PM
Very true, if possible it's best to be specific and use a known and reachable NTP server.
I haven't come across a domain controller in the last few years that isn't providing an ntp service.
Posted on 01-09-2015 01:49 PM
Well @franton & @davidacland, one of the posts I linked would show you where your DC's are getting time from.. Internal or external.
Posted on 01-09-2015 01:52 PM
To be fair, the original blog was a very simple 'this is how you set your Mac NTP in a script' with a bonus that in some cases you can just use the domain rather than a specific server.
Posted on 01-09-2015 02:41 PM
The issue I see frequently is NTP is blocked at the firewall.
You can set the time server to your local Active Directory Domain Controller. But what happens when the computer leaves that network, and it cannot reach back in to sync time?
Considering most MacBooks are truly mobile devices this can be a big problem.
This script uses four Casper parameters.
$4=TimeZone - currently set to New York
$5=internalTime - currently set to time.apple.com - Set it to your internal time server.
$6=externalTime - currently set to time.apple.com
$7=EnableAutoTimeZone - currently enabled
This script can be used in a Configuration with hard coded variables, or in a Policy with Casper Parameters.
Be sure to set the script priority to run at reboot.
#!/bin/bash
####################################################################################################
#
# DESCRIPTION
# The purpose of this script is to configure the Time Zone and Time Servers.
#
# When used in a build configuration the script priority must be set to: At Reboot
#
# SYNOPSIS
# sudo Configure_Time.sh
# sudo Configure_Time.sh <mountPoint> <computerName> <currentUsername> <TimeZone> <internalTime> <externalTime> <EnableAutoTimeZone>
#
# If the <EnableAutoTimeZone> parameter is set to "yes" Location Services will be enabled
# and the time zone will be set automatically using current location.
#
# DESCRIPTION
#
# Use "-listtimezones" to list time zones
#
#
####################################################################################################
#
# HISTORY
#
# Version: 2.0
#
# Date: 12-22-2014
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
#
/bin/echo "Running Configure_Time.sh" >>/var/log/jamf.log
# OS X Version
sw_vers_Full=`/usr/bin/sw_vers -productVersion`
sw_vers_Major=`/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f 1,2`
sw_vers_MajorNumber=`/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f 2`
# Casper Environmental Positional Variables.
# $1 Mount Point
# $2 Computer Name
# $3 Current User Name - This can only be used with policies triggered by login or logout.
# Declare the Environmental Positional Variables so they can be used in function calls.
mountPoint=$1
computerName=$2
username=$3
currentuser=`/bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4`
#
# HARDCODED VALUE FOR "TimeZone" IS SET HERE
# Use "/usr/sbin/systemsetup -listtimezones" to see a list of available list time zones.
TimeZone="America/New_York"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "TimeZone"
# If a value is specified via a casper policy, it will override the hardcoded value in the script.
if [ "$4" != "" ];then
TimeZone=$4
fi
#
# HARDCODED VALUE FOR "TimeServers" IS SET HERE
internalTime="time.apple.com"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 5 AND, IF SO, ASSIGN TO "internalTime"
# If a value is specified via a casper policy, it will override the hardcoded value in the script.
if [ "$5" != "" ];then
internalTime=$5
fi
externalTime="time.apple.com"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 6 AND, IF SO, ASSIGN TO "externalTime"
# If a value is specified via a casper policy, it will override the hardcoded value in the script.
if [ "$6" != "" ];then
externalTime=$6
fi
#
# HARDCODED VALUE FOR "EnableAutoTimeZone" IS SET HERE
# set to yes or no
EnableAutoTimeZone="yes"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 7 AND, IF SO, ASSIGN TO "EnableAutoTimeZone"
# If a value is specified via a casper policy, it will override the hardcoded value in the script.
if [ "$7" != "" ];then
EnableAutoTimeZone=$7
fi
#
/bin/echo ""
/bin/echo "$computerName is running OS X version $sw_vers_Full"
/bin/echo "TimeZone: $TimeZone"
/bin/echo "internalTime: $internalTime"
/bin/echo "externalTime: $externalTime"
/bin/echo "EnableAutoTimeZone: $EnableAutoTimeZone"
/bin/echo ""
#
#####################################################################################################
#
# Functions to call on
#
####################################################################################################
#
### Ensure we are running this script as root ###
rootcheck () {
if [ "`/usr/bin/whoami`" != "root" ] ; then
/bin/echo "This script must be run as root or sudo."
# Exit non-zero so the policy log records the failure instead of a success
exit 1
fi
}
###
#
####################################################################################################
#
# SCRIPT CONTENTS
#
####################################################################################################
rootcheck
/usr/sbin/systemsetup -setusingnetworktime off
#Set an initial time zone
if [ "$TimeZone" != "" ]; then
# Quoted so a policy parameter containing spaces or glob characters is passed as one argument
/usr/sbin/systemsetup -settimezone "$TimeZone"
fi
#Set specific time server
if [ "$internalTime" != "" ]; then
# Quoted for the same reason as the time zone above
/usr/sbin/systemsetup -setnetworktimeserver "$internalTime"
fi
# set time zone automatically using current location
if [ "$EnableAutoTimeZone" = "yes" ]; then
/bin/echo "set time zone automatically using current location"
# enable location services
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
/usr/bin/defaults write "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.$uuid" LocationServicesEnabled -int 1
/usr/sbin/chown -R _locationd:_locationd /var/db/locationd
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
# set time zone automatically using current location
/usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true
fi
/usr/sbin/systemsetup -setusingnetworktime on
/usr/sbin/systemsetup -gettimezone
/usr/sbin/systemsetup -getnetworktimeserver
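# Append the external server only if that exact line is not already present,
# so running the script at every reboot does not pile up duplicate entries
if ! /usr/bin/grep -qxF "server ${externalTime}" /private/etc/ntp.conf 2>/dev/null; then
/bin/echo "server ${externalTime}" >> /private/etc/ntp.conf
fi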
exit 0
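A way to measure the drift this thread describes before correcting it, as an added example that is not part of any poster's script: it classifies `ntpdate -q` output against the five-minute tolerance mentioned above and tries an internal server before an external one. The sample outputs, the 192.0.2.10 address and the function names are constructed for illustration, and it assumes `ntpdate` is present as on the OS X versions discussed here.

```bash
#!/bin/bash
# Added example: classify clock offset from `ntpdate -q` (query only) output.
MAX_SKEW=300   # seconds; the five-minute tolerance cited in the thread

# Constructed sample outputs (192.0.2.10 is a documentation address).
SAMPLE_OK='server 192.0.2.10, stratum 2, offset -0.004211, delay 0.02591
 9 Jan 14:41:07 ntpdate[511]: adjust time server 192.0.2.10 offset -0.004211 sec'
SAMPLE_DRIFT='server 192.0.2.10, stratum 2, offset 312.481937, delay 0.02591
 9 Jan 14:41:07 ntpdate[511]: step time server 192.0.2.10 offset 312.481937 sec'
SAMPLE_BLOCKED='server 192.0.2.10, stratum 0, offset 0.000000, delay 0.00000
 9 Jan 14:41:07 ntpdate[511]: no server suitable for synchronization found'

# Reads ntpdate output on stdin; prints "unreachable", "ok <offset>" or
# "drift <offset>". Only the summary line is trusted: the per-server line
# reports offset 0.000000 when nothing answered, which would look healthy.
classify_offset () {
    awk -v max="$MAX_SKEW" '
        /no server suitable for synchronization found/ { bad = 1 }
        /ntpdate\[[0-9]+\]: .* offset / {
            for (i = 1; i < NF; i++) if ($i == "offset") off = $(i + 1)
            seen = 1
        }
        END {
            if (bad || !seen) { print "unreachable"; exit }
            mag = off + 0
            if (mag < 0) mag = -mag
            state = (mag > max + 0) ? "drift" : "ok"
            print state, off
        }'
}

# Replace this function's body to test offline; -u uses an unprivileged port.
query_server () { ntpdate -q -u "$1"; }

# Try each server in order (internal first, then external) and report the
# first one that answers. Returns 1 when none is reachable.
check_servers () {
    local server result
    for server in "$@"; do
        result=$(query_server "$server" 2>&1 | classify_offset)
        if [ "$result" != "unreachable" ]; then
            echo "$server $result"
            return 0
        fi
    done
    echo "none unreachable"
    return 1
}
```

Run from a recurring policy as `check_servers <internal server> time.apple.com`; a `drift` result or exit status 1 is the signal to investigate firewall rules before forcing a resync.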
Posted on 01-09-2015 03:02 PM
Pretty neat script. It's also worth checking to see if the pacemaker daemon is running on OS 10.9 or 10.10 computers as well. Apple's really doing weird things with this proprietary bit of software, probably in an attempt at power saving which NTP was never designed for.
You can check with the following:
My-MacBook-Pro:~ franton$ sudo /usr/libexec/pacemaker -v
Password:
Jan 9 22:59:25 My-MacBook-Pro.local pacemaker[2264] <Warning>: pacemaker is not enabled on this system - unloading pacemaker and exiting
/System/Library/LaunchDaemons/com.apple.pacemaker.plist: Could not find specified service
You do NOT want to see this! How you'd fix it apart from reinstalling, I'm still working on.
Posted on 01-15-2015 06:29 AM
@franton I'm not blocking NTP. My users have local accounts, I'm no longer utilizing a Directory Service.
Posted on 01-17-2015 02:47 PM
@bthomason, maybe run the below on each Mac once a day? It should keep the clients from drifting, by recorrecting it daily.
ntpdate -u time.apple.com
Posted on 02-03-2015 08:33 AM
We are still seeing this with 10.9 and 10.10
We are pointed to an internal ntp server and are seeing this even on desktops. 3-4 min drift.
If we uncheck and recheck the time server check mark it updates along with running ntpdate -u timeserver it fixes it.
It's almost like it can't update on its own.
Posted on 02-03-2015 10:27 AM
@ClassicII, on a restart or power on Macs will try & update their time.
Are these Macs on all the time?
Maybe a policy as advised above: https://jamfnation.jamfsoftware.com/discussion.html?id=12979#responseChild76675
Posted on 02-03-2015 10:34 AM
What ended up happening in my environment was our network guys blocked off access to all internet-based time servers but didn't say anything to Corp IT, so all of our Macs were drifting, to the point where they weren't binding to AD on imaging because the machine's time would be, like, December 2001 or whatever. So I ended up putting time server configuration in my First Boot script for imaging, and also pushed out a policy to all of our Macs to use our NTP first, then time.apple.com as secondary (when off-prem). Seems to have remedied our issues.
Posted on 02-03-2015 10:46 AM
@emilykausalik, another alternative would be to find the external source your domain uses.. & use that as the secondary.. just in case, just in case... https://macmule.com/2013/12/14/how-to-check-your-active-directory-domains-time/