Active Directory Time Synchronization Off Possible DNS & Exchange Connection

SKENT9735 used Ask the Experts™
For the past week I have been experiencing DNS and synchronization problems on my MS 2003

domain. I have 3 domain controllers. I have a ADC connection on my "main" DC with an

Exchange 2003 Server. Nearly all of my workstations are Windows XP SP3 with just a fluttler

of Windows 7 and Windows Vista.THe majority of my users are using Office 2008
Last week it began with I had users calling me up and telling me that they were being

prompted to enter the email password in Outlook. Normally I would have them log off and back

on and this would correct itself. This didn't work. When they logged back on they were still

be prompte for the password and Outlook was reporting that it was not connected to the

Exchange Server. Compound this with more issues. Many users were not even able to sign onto

the domain. They were getting the error that the time on their workstations were not synched

with the DNS server.
I started working on the W32Time issue and checked all the domain controller and could not

actually see any major discrepancy with the server times. It may have been off 3-4 minutes

in some instances. I checked the Exchange server and it was reporting the same time as my

domain controllers. I have had my domain controllers synching with a NTP server for the past

4 or 5 years without a problem.
I researched the DNS issue and made a few tweaks and I seem to have it working. Everything

seems to be right and I have replication working.
I researched the W32time problem and went and tweaked that line by line in the registry. I

changed the NTP server. Once I was done with that I exported the w32time part of the

regisrty and imported it into the other two domain controllers so that all domain

controllers were configured exactly the same. I am still experience a phenomanom with this.

For the past two days, my "main" DC works just fine until approximately 8:10am. Then the

date changes back one day. The time stays the same. My other two domain controller are not

experience this. I have my XP workstations synching to this machine through a logonscript.

Once I change the date, it works fine for another 24 hours. I have checked all the logs and

there is nothing in them that reflects a synchronization even occurred. The fact that the

other domain controllers is not experiencing this causes me to scratch my head.
Once thing that I have noticed in the logs of my problem domain controller I am constantly

getting an Application error every few minutes. The source is MSADC, category is LDAP

operations, and event ID is 8026."LDAP Bind was unsuccessful on directory SVR-EXCH for

distinguished name '[Domain\Administrator". Directory returned error [0x51] Server Down.

(Connection Agreement 'Public Folders: joplinmo:local - JOPLIN\City of Joplin #3932)
I checked the ADC Services and found the connectors. The small certificate icon next to

Public Folders and Users agreement seemed to be grayed out. THe only actiion it really

affords it "replicate now" but since this is the only DC with a ADC to Exchange there is

nothing to replicate.
So I am asking for Experts assistance.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Brian PiercePhotographer
Awarded 2007
Top Expert 2008

I'm a bit concerned that from what you say you have multiple machines all sync'ing independantly with an external source. Only one machine should sync with an external NTP server, the PDC at the root domain, all other machines should in turn sync with this (via their own domain PDC if you have multiple domains).


I thought there was no distinction between domain controllers in a 2003 domain. Are you saying that I should just take the other two domain controllers back to their default and let the one controller act as domain's ntp source?


Just to let you know. All the domain controllers are not same... There are some roles called FSMO roles. Now one of these roles is called PDC Emulator. Now which ever DC has this role, will actually point to an external source. Rest all DCs, Member Servers and Clients will point to that DC (PDC) for syncing time.

Now what you have done is you have copied W32Time registry from one DC to all other DCs. Now, if you eventually exported this from PDC, the all the DCs are pointing to external source which is not correct. OR you exported it from a non PDC machine and that makes all the DCs look for a reliable time source with in the domain.

This all is defined by these registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type : This key defines whether the machine has to sync time or not , if it has to then does it have to follow domain heirarchy or it itself is a reliable time source.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ NtpServer : this key tells the machine the name/ip of the machine which is the time source foe this machine.

There are various other keys and settings which do this all for you:
refer this articles which tell you more about various settings and tools for windows time: 
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Now to fix this issue:

1. Run "Netdom Query FSMO" to find the DC that has the PDC role.
2. On that DC, Change the Type Key to "NTP".
3. Change NtpServer key to ",0x1"
4. Change AnnounceFlags key to 5. (this key is under the Config key).

5. Restart the Windows Time service.

Now on other DCs:

1. Change Type key to NT5DS.
2. Change NtpServer key to "IP address of PDC,0x1".
3. Change AnnouceFlags key to 10 (Dec).

4. Restart the Windows Time Service.

Do let me know the results of this...



Thank ARUN;
I assume that the NTPServer goes in WITHOUT the " ...". I made the changes and I guess I need to wait until tomorrow morning to see if it works .. so did it make sense the way I had it that it would cause such a reaction of changing the date back a day?
Do you have an idea on the LDAP error I am getting on the PDC Server in relation to the Exchange server?

Hi SKENT9735,

Registry is case sensitive and the key is NtpServer not NTPServer... (Observe that 't' and 'p' should in lower case). And yes the key is witout the " ... " 


Sorry .. yes that is the way they are in the registry ...


I was wondering what the Active Directory Connector was actually used for. I remember many years ago when we upgraded our Exchange Server from 5,5 to 2003 I believe the company that did the migration for us used this to get the information on the user and mailboxes transerred over. We have not had the Exchange 5.5 up and running for a least 5 or 6 years. I was just wondering if these agreements should just be deleted. We only have the one Exchange Server.

you dont have to wayt till tomorrow to see if everything works. You can type w32tm /resync from a the client and it will sync the time.  


Right .. my problem is that the PDC would lost exactly 24 hours at around 810am each day ...

Ah I see in that case yes, you won't know till tomorrow :)


Is the issue resolved?


Yes we think we finally got it done. It happened again yesterday. We ended up finding out that there was a conflicting time synch that was left over from a previous install and when we disabled it from running it seemed to have take care of it. It is almost noon today and it is still running like always. However with all the help I received here, I want to award the points offered to you. It really helped me in getting the domain controllers configured correctly ... thhanks

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial