Messing with my AD test bed, noting my primary DC (2k8) isn't advertising as a time server as it isn't synced locally. On my 2k8R2 server (secondary DC), Windows time is totally off, not sure why but I think it's wanting to talk to the primary about this.

Running enterprise tests on : JediCouncil.local
   Starting test: LocatorCheck
      Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
      A Time Server could not be located.
      The server holding the PDC role is down.
      Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
      A Good Time Server could not be located.
      ......................... JediCouncil.local failed test LocatorCheck

Executed the following with 3 ntp servers on DC1, with no luck.

W32tm /config /syncfromflags:manual /manualpeerlist:time1.com,time2.com,time3.com

I think the issue with DC2 is that it sees DC1 is wrong.

EDIT: Got DC1 fixed I think. http://support.microsoft.com/kb/816042

[Edited on February 22, 2010 at 12:30 AM. Reason : 1]
2/22/2010 12:05:11 AM
2/22/2010 12:48:38 AM
Sorry. On the edit, that error was fixed. I'm checking another one now involving it resolving DNS for time servers, but also found another. The AD PDC is bitching as this is the primary, and there's nothing above it.

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Know where PDC gets its time settings? I figured it pulled it from the DC itself, which I just told it where to find it from, but evidently not.
2/22/2010 12:53:00 AM
In my 2003 domain the PDC pulls time directly from the internet. The configuration in 2003 is the same as XP (right click the clock, properties). More detailed config is in the registry (you can add new external time hosts, change update frequency, etc.). Not sure about 2008 tho.
2/22/2010 10:02:03 AM
Ya they changed it for 2008. It's all in registry only now or with net cmd. It's funny as Win7 has it in like XP/2003 as well. Anyone know how to put in a DNS name for an ntp server to pull from? It's not liking mine and I know it sees the server, but what I put in registry it doesn't like. I saw something about tagging on 0x1 after the name, no luck.
2/22/2010 5:03:45 PM
try this on the DC you want to be the time host:

w32tm /config /syncfromflags:manual /manualpeerlist:tock.usno.navy.mil
w32tm /config /update

also make sure the outbound connection isn't being blocked by a firewall or something.
2/22/2010 5:41:45 PM
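The steps suggested in the post above, extended with verification, as an added example that is not part of the thread. It assumes an elevated PowerShell prompt on the DC holding the PDC emulator role; tock.usno.navy.mil and JediCouncil.local come from the thread, ntp.example.invalid is a placeholder for a second peer, and the ",0x8" client-mode flag is this example's choice.

```powershell
# Added example, not from the thread. Run elevated on the PDC emulator.
$peers  = @('tock.usno.navy.mil', 'ntp.example.invalid')  # second peer is a placeholder
$domain = 'JediCouncil.local'                             # domain named in the dcdiag output

# Refuse to continue on a DC that does not hold the PDC emulator role.
$pdcLine = (netdom query fsmo) | Where-Object { $_ -match '^PDC' }
if ($pdcLine -notmatch [regex]::Escape($env:COMPUTERNAME)) {
    throw "This host is not the PDC emulator: $pdcLine"
}

# The peer list is ONE space-delimited string. Mode flags follow each name
# after a comma: 0x8 = client mode, 0x1 = poll at SpecialPollInterval.
$peerList = ($peers | ForEach-Object { "$_,0x8" }) -join ' '
$peerArg  = "/manualpeerlist:$peerList"

# Sync from the manual list and advertise this DC as a reliable time source.
w32tm /config $peerArg /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# What the service is using now, and the measured offset to each peer.
w32tm /query /source
w32tm /query /status
foreach ($p in $peers) {
    w32tm /stripchart "/computer:$p" /samples:3 /dataonly
}

# The same locator lookups that dcdiag's LocatorCheck reported as failing
# (TIME_SERVER and GOOD_TIME_SERVER_PREFERRED).
nltest "/dsgetdc:$domain" /timeserv
nltest "/dsgetdc:$domain" /gtimeserv
```

If the stripchart lines show timeouts instead of offsets, outbound UDP 123 is the first thing to check, which matches the firewall remark in the post.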
Did that, now it's complaining it's not synced as the source is off. How reliable is that time server, I've never heard of it. I'll be back, can't work on it tonight.

There is a firewall issue. Server 2 is now complaining it can't auth to server 1. Have to figure it out as well. Server 2's time issue is it is saying that w32time can't run as local service account.

[Edited on February 23, 2010 at 9:13 PM. Reason : 1]
2/23/2010 9:02:13 PM
format c:
2/23/2010 9:13:35 PM
^^ It's one of the US Navy's atomic clocks. If it's down or wrong, we probably all have other things to worry about.

I've seen Windows refuse to sync if the local system clock is too far off the actual time. Try setting the time manually to a clock you know is right (like maybe http://www.time.gov/) and then resync.

[Edited on February 23, 2010 at 9:30 PM. Reason : a]
2/23/2010 9:28:06 PM
Ah kk. Ya nukes shooting off and stuff. Bad things.

It's within a minute of what's on my desktop, which is synced to one of the govt atomic clock servers.

^ I'm about to do that to server 2 which has given me nothing but issues. I resynced it and reconfiged it, checked regedit it's there, so it took. Imma restart it to clear the logs and will report back.
2/23/2010 10:54:22 PM
Ok so the last bit fixed server 1, and it seems server 2 did just want an accurate time fix, that fixed its auth problem. Ok now to the problem with server 2. It won't start w32tm at all saying:

Error1079: The account specified for this svc is different from the account specified for other services running in the same process.

Did the lookup on the error, said it's permissions which makes sense so I looked at them for the program but it looks good. Also added it so I can run it as administrator of that machine and a few other accounts and none of that fixed it.
2/24/2010 9:19:04 AM
why does any of this actually matter?
2/24/2010 9:19:53 AM
^^ maybe check what user the Windows Time service is running as. Should be Local Service probably.

^ When computers authenticate on a domain, if time on the client is too far off from the server, the server will refuse the client's auth. Probably has to do something with expiration dates on Kerberos tickets. idk. So having time synced in your domain is important. Syncing time to an external clock is just to guarantee the time that's being synced is accurate.

To be honest though, I don't know why any of this would give you so much hassle. Unless there was too much mucking about in the registry or other attempts at configuration, the only server you should have had to alter time config on would be the PDC serving as your time host. If it's a test domain, you might be better off demoting dc2, reformatting, and adding it back in.
2/24/2010 9:37:00 AM
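One way to carry out the check suggested in the post above for the error 1079 case, as an added example that is not part of the thread. It assumes an elevated PowerShell prompt on the affected server and treats the account used by the other services in W32Time's shared process as the expected one; the variable names are this example's own.

```powershell
# Added example, not from the thread. Run elevated on the server where
# the Windows Time service refuses to start with error 1079.
$w32 = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
"W32Time image path : $($w32.PathName)"
"W32Time logon      : $($w32.StartName)"

# Services registered with the same image path (for example
# 'svchost.exe -k LocalService') are hosted in one process and must all be
# configured with the same logon account. Error 1079 reports a mismatch.
$group = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -eq $w32.PathName }
$group | Sort-Object Name | Format-Table Name, StartName, State -AutoSize

# Assumption: the account most of the other services in the group use
# is the one W32Time should be using too.
$expected = $group |
    Where-Object { $_.Name -ne 'W32Time' } |
    Group-Object StartName |
    Sort-Object Count -Descending |
    Select-Object -First 1 -ExpandProperty Name

if (-not $expected) {
    "No other service shares this image path; check the W32Time ImagePath value."
}
elseif ($w32.StartName -ne $expected) {
    "MISMATCH: W32Time is set to '$($w32.StartName)', the rest of the group uses '$expected'."
    # In PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
    "To realign it:  sc.exe config w32time obj= `"$expected`" password= `"`""
    "Or reset the service registration:  w32tm /unregister, then w32tm /register"
}
else {
    "W32Time logon account matches the other services in its process."
}
```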
yeah i've just never seen it matter unless it was way way off
2/24/2010 10:23:01 AM
It should be as Local Service, but it's not. That I've checked. I've also tried to run it under several other accounts which fail. The issue here is DCs do broadcast time but also like you said sync to the PDC. This one right now because of it won't broadcast. I'm thinking at this point I might just format it and see.
2/24/2010 12:32:13 PM