Time on a domain

[sidewinder]

I do realise that time is vitally important on a domain for Kerberos tickets, but I always thought it sort of configured itself.

However for the last few days Ive been having quite a lot of event log errors and warnings on my DC's. They have been in place since christmas and this is the first ive seen of the errors.

First one, that appears pretty much throughout the day is:

Code:

Event Source:	W32Time

Description:
The time provider NtpServer encountered an error while digitally signing the  NTP response.  NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The specified user does not exist. (0x80070525)

From what I've read on the net this comes from a machine trying to synchronize time but isnt joined to the domain properly or something

The other error I get (this is more rare, happened 3 times this week)

Code:

Event Source:	Kerberos
Event ID:	4

Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server DT-E7-04$.  The target name used was cifs/LT-SIXTH-13.xxx.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (xxx.LOCAL), and the client realm.   Please contact your system administrator.

Now this just completely confuses me. Why does that client think it is a time server?
Every time this happens it seems to be 2 totally different machines, unrelated to each other.

Now how do you set up time properly? Ive synched my DC's to the LEA time server, but its only the PDC emulator thats responsible for time isnt it?

Also, how do I configure clients? Currently they are just pointing to time.windows.com. Should they point to the PDCE? And should this set through DHCP?

[Geoff]

For the first one, turn on the debugging.

http://support.microsoft.com/default...;en-us;M816043

For the second one, try running netdiag on the client machine and see if that reveals any problems.

[sidewinder]

Thanks, cannot get debugging to work though
Ive followed the instructions to the letter, including location of log file, but there have been a few events logged and no sign of any file appearing yet

[Geoff]

You might have to wait a while. Time synchronisation occurs sparingly.

[sidewinder]

Still nothing, yet there has been 13 w32time events logged since yesterday
Id wager that it isnt working
Wonder why

[Geoff]

You can specify client/server Time settings in GPOs if required.

[sidewinder]

very weird, there hasnt been a single error this morning or all weekend
maybe it is a client pc causing it

Geoff whats the 'correct' way to set up time settings, servers etc? When I say correct, I mean how do you do it?
Or should it be the sort of thing that should look after itself unless you get any problems

[Geoff]

You can be lazy and just run this on each of your DCs:

Code:

net time /setsntp:ntp.yourisp.co.uk

However once you start to have a few it can get annoying. Your better off having a GPO that sets the time settings for DCs.

On clients (including member servers), the defaults should just 'work'. ie, the machines will sync to your DC(s) clock(s). You can manually specify the situation with GPOs or on the command line of course.

If your DCs have wrong/different clocks or timezone settings, hilarity will ensue.

[apeo]

Ive been have a time problem for a while now.. some unknown reason i cant sync with our lea and im still waiting for them to get back to me. Is there anything that i need to check on my end?

[ICTNUT]

If you have a firewall check that port 123 (TCp & UDP) and is open, this is the port that ntp sends and receives requests on. If this is blocked you have no cahnce of syncing with the lea.

[apeo]

Best i can tell it wont be blocked on our end.