Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
sever & client clocks do not match
- Thread starter defosset
- Start date
I've seen a combination of these two cause time sync to fail.
that is not the correct command to use for systems at win2000 level or above...
that is legacy commadn from nt4 days,...
need to use either w32tm or net time /setsntp:<PDCe name>
the PDCe should be pointing to an external time source, for example a PDCe on the east coast:
net time /setsntp:tick.usno.navy.mil
-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there
that is legacy commadn from nt4 days,...
need to use either w32tm or net time /setsntp:<PDCe name>
the PDCe should be pointing to an external time source, for example a PDCe on the east coast:
net time /setsntp:tick.usno.navy.mil
-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there
On the clients that are not syncing time, there should be messages in the event log for the time service. I don't remember the error number but I recently tracked one down to a problem of having a domain controller and an external time source both configured in the list of time sources. The error message in the event log said that the signature was missing from the domain controller.
Found what I was looking for in previous post:
Event ID 27 (warning)
Time Provider NtpClient: The response received from domain controller %1 is missing the signature. The response may have been tampered with and will be ignored.
Search on MS support does not produce results but it does come up in the "Help and Support Center".
Default Windows install puts time.windows.com in the manual time source list so you should not add your domain controller to the list also. (or should remove time.windows.com)
Event ID 27 (warning)
Time Provider NtpClient: The response received from domain controller %1 is missing the signature. The response may have been tampered with and will be ignored.
Search on MS support does not produce results but it does come up in the "Help and Support Center".
Code:
Explanation
Your computer should be a member of a domain, and any responses from the domain controller should be signed (authenticated) by the domain controller. This event can indicate a security situation or that your computer is part of a domain and your account was deleted.
The cause might be one of the following:
A domain controller has been configured as a manual time source.
The computer is synchronizing with both a manual time source and a domain time source (type=AllSync) where one or more domain controllers in the domain is configured as the manual time source.
User Action
Do one or all of the following:
Verify with an Administrator that this computer account is valid in Active Directory.
Verify that no domain controllers are present in the manual time source list.
Configure an alternative manual time source. If your computer is part of a domain, then it should get its time source from the domain controller. The configuration can be modified by using the w32tm command line tool and manipulating the syncfromflags option.Default Windows install puts time.windows.com in the manual time source list so you should not add your domain controller to the list also. (or should remove time.windows.com)
using teh setsntp switch for net time replaces the entries for time.windows.com
typically, the only way to get multiple time sources is to include a comma seperated list in a command to specify time servers, whether it be w32tm or net time...
manually changing the time source using setsntp is NOT a problem on any domain members at all, unless they cannot get to the time source over 123 UDP...
the help and supprot center needs changed to reflect current information (in fact if I have time I'll put in for a change today...unfortunately that means I will have to debug w32time and write the correct content...unless they are nice today and do it instead)
that event ID 27 could easily be caused by a mismatch of requiresecuritysignature settings and/or kerberos issues.
by default, time.windows.com is listed, but it is not used...w32time performs a domain discovery process to check for time server advertisement...first attempting to sync time with PDCe, then moving on to any other DC in random order to attempt to sync with them if a failure occurs syncing to PDCe
97 out of 100 times, net time /setsntp:<PDCe name> corrects time sync issues
however you need to look into the security settings given from policy...I suspect a mismatch in there somewhere....
-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there
typically, the only way to get multiple time sources is to include a comma seperated list in a command to specify time servers, whether it be w32tm or net time...
manually changing the time source using setsntp is NOT a problem on any domain members at all, unless they cannot get to the time source over 123 UDP...
the help and supprot center needs changed to reflect current information (in fact if I have time I'll put in for a change today...unfortunately that means I will have to debug w32time and write the correct content...unless they are nice today and do it instead)
that event ID 27 could easily be caused by a mismatch of requiresecuritysignature settings and/or kerberos issues.
by default, time.windows.com is listed, but it is not used...w32time performs a domain discovery process to check for time server advertisement...first attempting to sync time with PDCe, then moving on to any other DC in random order to attempt to sync with them if a failure occurs syncing to PDCe
97 out of 100 times, net time /setsntp:<PDCe name> corrects time sync issues
however you need to look into the security settings given from policy...I suspect a mismatch in there somewhere....
-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question