A computer running Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x shows "Disabled - Time out of sync" in Symantec System Center

Close X

Please note that this document is a translation. It is possible that updates have been made to the original version after this document was translated and published. Symantec does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledgebase article for up to date information.

Article:TECH119514  |  Created: 2005-01-13  |  Updated: 2010-11-04  |  Article URL http://www.symantec.com/docs/TECH119514
Article Type
Technical Solution

Issue



You notice that one or more computers running Symantec Client Security 3.x or Symantec AntiVirus Corporate Edition 10.x show the message "Disabled - Time out of sync" in Symantec System Center (SSC) console.

 


Solution



 


Before you begin: In some cases, you can fix the problem by clicking Tools > Discovery Service > Clear Cache Now in Symantec System Center. If the problem persists after you clear the cache, follow the steps in this document.
 




This message means that the computer is no longer authorized to communicate with its parent server. Auto-Protect is still enabled on the computer, and it can receive virus definitions using LiveUpdate.

By default, the system clocks of all management console computers, servers, and clients must be within the default of 24 hours plus or minus of the system time on the primary management server. If this time requirement is not met, servers and clients will not authenticate the Symantec System Center user who is logged on and communications will fail. Note that time synchronization includes time zones. In other words, 3 PM Pacific Standard Time is synchronized with 6 PM Eastern Standard Time.
For details, read the document About login certificates in Symantec Client Security 3.x and Symantec AntiVirus Corporate Edition 10.x.

To check the certificate validity time on a client

  1. Start Windows Explorer.
  2. Go to the Symantec AntiVirus program folder.
    The default location is <OS Drive>\Program Files\Symantec Client Security\Symantec AntiVirus.
  3. Open the \pki\roots folder.
  4. Double-click the xxx.x.servergroupca.cer file.
  5. On the General tab, look at the date range next to Valid from.
  6. Click OK.


To check the certificate validity time on a server

  1. Start Windows Explorer.
  2. Go to the Symantec AntiVirus program folder.
    The default path is one of the following:
    • On a Symantec AntiVirus Corporate Edition server, the default path is :<OS Drive>\Program Files\SAV.
    • On a Symantec Client Security server, the default path is :<OS Drive>\Program Files\SAV\Symantec AntiVirus.

      For help with this, follow the directions in the "To find the Symantec AntiVirus program folder" section in the Technical Information section of this document.
  3. Open the \pki\roots folder.
  4. Double-click the xxx.x.servergroupca.cer file.
  5. On the General tab, look at the date range next to Valid from.
  6. Click OK.


Fixing out-of-sync time on a client
Correct the time on the client and restart the Symantec AntiVirus service.

Fixing out-of-sync time on a server
If you installed a Symantec Client Security or Symantec AntiVirus server when the system time was incorrect, the certificates created for that machine will be set to the incorrect time.
Follow the directions that apply to your situation:

  • If the time was incorrect by up to a year in the past, change the time and restart the server.
  • If the time was incorrect by more than a year in the past, uninstall and reinstall the Symantec Client Security or Symantec AntiVirus server.
  • If the time was incorrect by less than a day in the future, change the time and restart the server.
  • If the time was incorrect by more than a day in the future, uninstall and reinstall the Symantec Client Security or Symantec AntiVirus server, or delay deployment of clients and/or secondary servers until the server certificates are valid.
    For example, if the server date was set to March 12, 2006, when the correct date is March 2, 2006, you could simply wait until March 12 (March 22 on the server clock) before resetting the time. In the meantime, you will not be able to deploy new clients or make configuration changes. However, the server will still be able to manage legacy clients, which are not time-dependent.


If the problem persists on a primary server, corrupted certificate information may be the cause. In these cases, you can fix the problem by moving that server to a new server group.

To fix the problem on a primary server

  1. In Symantec System Center, right-click System Hierarchy, and then click New > Server Group.
  2. Type a name for the new server group.
  3. Type a user name for the new server group's administrator, and then type the password that you want for that account.
  4. Click OK.
  5. Drag the affected primary server into the new server group.
  6. After the server appears in the new server group, right-click the server and then click Make Server a Primary Server.
  7. Drag any other servers from the old server group into the new server group.






Technical Information
To find the Symantec AntiVirus program folder

  1. On the Windows taskbar, click Start > Run.
  2. In the Run dialog box, type the following:

    cmd
  3. Click OK.
  4. At the command prompt, type the following:

    net share
     
  5. Under Share name, find the VPHOME listing.
    The folder listed in the Resource column is the Symantec AntiVirus program folder and contains the pki folder.


Legacy ID



2005041313132348


Article URL http://www.symantec.com/docs/TECH119514


Terms of use for this information are found in Legal Notices