In an Active Directory environment, the PDC emulator provides time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication. By default, if the time difference between systems is off by more than five minutes, network login and authentication fail. I am not sure if anyone has run into this problem or not. There seem to be various reasons for time sync problems, but I found this an odd problem/solution. Recently, as part of the move off of Windows Server 2003 domain controllers, I had to move the FSMO roles from our 2003 DC’s to 2008. The 2003 server was set to sync its time, and therefore the domain, against a Cisco switch. I made a screen capture of the current settings as shown below:
As per a number of Microsoft Knowledge Base articles, I manually configured the new time servers via the command line with the following command:
W32tm /config /manualpeerlist: /syncfromflags:manual /reliable:yes /update
Net stop w32time
Net start w32time
However, two days later, I received a call about authentication problems. It seems the time on all of the systems was off by 20 minutes, even the time on the new PDC Emulator. When running the command:
w32tm /query /status
the server indicated it was performing its synchronization from the local CMOS clock.
Since this server was running in a virtual environment, my first thought was to verify it was not syncing against the host, which it was not. Next, I checked the configuration via the command line, which also indicated it was receiving the information from the local CMOS clock.
Pretty much the entire company had now been down for nearly three hours while we tried to resolve this problem. My co-workers and I had probably read every article on setting the NTP time server on a PDC emulator and reviewed various other articles on sync problems, yet nothing we tried seemed to force the server to sync with our NTP server. I decided to open a Microsoft support case. Once connected via a web session, the support engineer reviewed the settings on both servers. There was one attribute that he noted needed to be changed. In the registry setting located at HKLM-SYSTEM-CurrentControl
s there is a setting called “Type”. By default, this is set to NT5DS. He referred me to the Microsoft KB 816042 “How to configure an authoritative time server in Windows Server” (https://support.microsoft.com/en-us/kb/816042). This article explains that the setting NT5DS needs to be changed to NTP, which was the setting on the previous 2003 server, but since nothing I had read indicated this needed to be changed, I had left it at the default value. I changed the registry key, stopped and started the W32time service, then checked the status. Now the status showed the IP address of the NTP server in the “ReferenceID” line. I have blacked it out in the screen shot below. However, if you refer to the first query screen shot shown previously, you will see it showed the source as “LOCL”.
The question is why we did not find any reference to changing the default NT5DS. A coworker started to look deeper into that setting. He did locate Microsoft KB 223184, which was for Windows Server 2000 (https://support.microsoft.com/en-us/kb/223184). This provides the following information on this registry entry:
Type : REG_SZ
Used to control how a computer synchronizes.
- NT5DS = synchronize to domain hierarchy [default]
- NTP = synchronize to manually configured source
- NoSync = do not synchronize time
Also, you may have noticed in the first screen shot that besides the IP address for the NTP server there was an entry of “0x8”. This needs to be added to have the server send the request as a client. This is explained in Microsoft KB 875424 (https://support.microsoft.com/en-us/kb/875424). The settings are as follows:
- 0x1 – use special poll interval SpecialInterval
- 0x2 – UseAsFallBackOnly
- 0x4 – send request as SymmetricActive mode
- 0x8 – send request as Client Mode
Basically, in order to make the PDC emulator sync with a non-Windows, outside source, the registry entry should look like the screen shot below (real address blacked out). This will help avoid any potential domain problems due to authentication and time synchronization.
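As an added example (not from the original article or from Microsoft), the PowerShell below audits a PDC emulator for the two misconfigurations described above: a Type still set to NT5DS while a manual peer list is configured, and a peer entry without the 0x8 client-mode flag. It assumes the standard W32Time Parameters key under HKLM and the w32tm /query /source output; the function names are my own.

```powershell
# Added example: audit the W32Time settings this article walks through.
# Run elevated on the PDC emulator. Function names are hypothetical.
function Test-W32TimePeerFlags {
    # Parse an NtpServer value such as "10.0.0.5,0x8 ntp.example.com" and
    # report each peer that lacks the 0x8 (send request as client) flag.
    param([string]$NtpServer)
    $findings = @()
    foreach ($peer in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $parts = $peer -split ','
        # PowerShell converts a "0x8" string to the integer 8 on cast.
        $flags = if ($parts.Count -gt 1) { [int]$parts[1] } else { 0 }
        if (($flags -band 0x8) -eq 0) {
            $findings += "Peer '$($parts[0])' is missing the 0x8 client-mode flag (KB 875424)"
        }
    }
    return $findings
}

function Test-W32TimeConfig {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $params = Get-ItemProperty -Path $key
    $findings = @()
    # With Type=NT5DS the PDC emulator follows the domain hierarchy, which for
    # the PDCe is itself, so it falls back to the local CMOS clock.
    if ($params.Type -ne 'NTP') {
        $findings += "Type is '$($params.Type)'; expected 'NTP' for an external source (KB 816042)"
    }
    if ([string]::IsNullOrWhiteSpace($params.NtpServer)) {
        $findings += 'NtpServer is empty; no manual peer is configured'
    } else {
        $findings += Test-W32TimePeerFlags -NtpServer $params.NtpServer
    }
    # Cross-check the live source the same way the article did with w32tm.
    $source = (& w32tm /query /source) -join ' '
    if ($source -match 'Local CMOS Clock|LOCL') {
        $findings += "w32tm reports the local CMOS clock as the time source: $source"
    }
    return $findings
}

$result = @(Test-W32TimeConfig)
if ($result.Count -eq 0) { 'W32Time configuration matches the article' } else { $result }
```

An empty result means Type is NTP, every peer carries 0x8, and w32tm no longer reports the local clock; restart w32time after any registry change, as in the article, before re-running the check.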
Thank you for reading my article. I hope you find it useful and that it either helps you avoid a potential time synchronization problem or helps you resolve an issue with your environment. If you found it helpful, please indicate so with the button below this article. Any feedback is appreciated.