I do realise that time is vitally important on a domain for Kerberos tickets, but I always thought it sort of configured itself.
However for the last few days Ive been having quite a lot of event log errors and warnings on my DC's. They have been in place since christmas and this is the first ive seen of the errors.
First one, that appears pretty much throughout the day is:
From what I've read on the net this comes from a machine trying to synchronize time but isnt joined to the domain properly or something
Event Source: W32Time
The time provider NtpServer encountered an error while digitally signing the NTP response. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The specified user does not exist. (0x80070525)
The other error I get (this is more rare, happened 3 times this week)
Now this just completely confuses me. Why does that client think it is a time server?
Event Source: Kerberos
Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server DT-E7-04$. The target name used was cifs/LT-SIXTH-13.xxx.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (xxx.LOCAL), and the client realm. Please contact your system administrator.
Every time this happens it seems to be 2 totally different machines, unrelated to each other.
Now how do you set up time properly? Ive synched my DC's to the LEA time server, but its only the PDC emulator thats responsible for time isnt it?
Also, how do I configure clients? Currently they are just pointing to time.windows.com. Should they point to the PDCE? And should this set through DHCP?