SKENT9735
asked on
Active Directory Time Synchronization Off Possible DNS & Exchange Connection
For the past week I have been experiencing DNS and synchronization problems on my MS 2003
domain. I have 3 domain controllers. I have an ADC connection on my "main" DC with an
Exchange 2003 Server. Nearly all of my workstations are Windows XP SP3 with just a flutter
of Windows 7 and Windows Vista. The majority of my users are using Office 2008.
It began last week when I had users calling me up and telling me that they were being
prompted to enter the email password in Outlook. Normally I would have them log off and back
on and this would correct itself. This didn't work. When they logged back on they were still
being prompted for the password and Outlook was reporting that it was not connected to the
Exchange Server. Compound this with more issues. Many users were not even able to sign onto
the domain. They were getting the error that the time on their workstations was not synched
with the DNS server.
I started working on the W32Time issue and checked all the domain controllers and could not
actually see any major discrepancy with the server times. It may have been off 3-4 minutes
in some instances. I checked the Exchange server and it was reporting the same time as my
domain controllers. I have had my domain controllers synching with an NTP server for the past
4 or 5 years without a problem.
I researched the DNS issue and made a few tweaks and I seem to have it working. Everything
seems to be right and I have replication working.
I researched the W32time problem and went and tweaked that line by line in the registry. I
changed the NTP server. Once I was done with that I exported the w32time part of the
registry and imported it into the other two domain controllers so that all domain
controllers were configured exactly the same. I am still experiencing a phenomenon with this.
For the past two days, my "main" DC works just fine until approximately 8:10am. Then the
date changes back one day. The time stays the same. My other two domain controllers are not
experiencing this. I have my XP workstations synching to this machine through a logon script.
Once I change the date, it works fine for another 24 hours. I have checked all the logs and
there is nothing in them that reflects a synchronization even occurred. The fact that the
other domain controllers are not experiencing this causes me to scratch my head.
One thing that I have noticed in the logs of my problem domain controller is that I am constantly
getting an Application error every few minutes. The source is MSADC, category is LDAP
operations, and event ID is 8026. "LDAP Bind was unsuccessful on directory SVR-EXCH for
distinguished name '[Domain\Administrator". Directory returned error [0x51] Server Down.
(Connection Agreement 'Public Folders: joplinmo:local - JOPLIN\City of Joplin #3932)
I checked the ADC Services and found the connectors. The small certificate icon next to
Public Folders and Users agreement seemed to be grayed out. The only action it really
affords is "replicate now" but since this is the only DC with an ADC to Exchange there is
nothing to replicate.
So I am asking for Experts assistance.
I'm a bit concerned that, from what you say, you have multiple machines all syncing independently with an external source. Only one machine should sync with an external NTP server: the PDC at the root domain. All other machines should in turn sync with this (via their own domain PDC if you have multiple domains).
ASKER
I thought there was no distinction between domain controllers in a 2003 domain. Are you saying that I should just take the other two domain controllers back to their default and let the one controller act as the domain's NTP source?
Hi,
Just to let you know: all the domain controllers are not the same. There are some roles called FSMO roles. One of these roles is called PDC Emulator. Whichever DC has this role will actually point to an external source. All the rest (DCs, member servers and clients) will point to that DC (the PDC) for syncing time.
What you have done is copy the W32Time registry from one DC to all the other DCs. If you exported this from the PDC, then all the DCs are pointing to an external source, which is not correct. Or you exported it from a non-PDC machine, and that makes all the DCs look for a reliable time source within the domain.
This is all defined by these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type: This key defines whether the machine has to sync time or not; if it has to, then whether it has to follow the domain hierarchy or is itself a reliable time source.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer: This key tells the machine the name/IP of the machine which is the time source for this machine.
There are various other keys and settings which do all this for you.
Refer to this article, which tells you more about the various settings and tools for Windows time:
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx
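The hierarchy rule from the replies above, applied to the situation in the question (one W32Time export imported on every DC). This is an added example, not part of any reply in the thread: the DC names, the `time.example.org` peer and the export text are constructed, and the check only encodes the rule as stated here (PDC emulator uses `Type=NTP` with an `NtpServer` entry, every other DC uses `Type=NT5DS`).

```python
import re

PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

# Constructed sample: the PDC emulator's export, imported unchanged on every DC.
COPIED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"NtpServer"="time.example.org,0x1"
'''

def parse_w32time_params(reg_text):
    """Return the string values under W32Time\\Parameters from .reg export text."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == PARAMS_KEY.lower()
        elif in_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # value names are stored lower-cased for lookup
                values[m.group(1).lower()] = m.group(2)
    return values

def audit_dc(name, is_pdc_emulator, reg_text):
    """Flag a Type/NtpServer pair that does not fit the DC's place in the hierarchy."""
    params = parse_w32time_params(reg_text)
    sync_type = params.get("type", "").upper()
    # NtpServer is a space-separated list of "host,flags" entries.
    peers = [entry.split(",")[0] for entry in params.get("ntpserver", "").split()]
    findings = []
    if is_pdc_emulator:
        if sync_type != "NTP":
            findings.append(f"{name}: PDC emulator has Type={sync_type or 'unset'}, expected NTP")
        elif not peers:
            findings.append(f"{name}: PDC emulator has Type=NTP but NtpServer is empty")
    elif sync_type != "NT5DS":
        findings.append(f"{name}: Type={sync_type or 'unset'} with peers {peers}; "
                        "a non-PDC DC should use NT5DS (domain hierarchy)")
    return findings

if __name__ == "__main__":
    # DC1 holds the PDC emulator role; DC2 and DC3 received its export as-is.
    for dc, is_pdc in [("DC1", True), ("DC2", False), ("DC3", False)]:
        for finding in audit_dc(dc, is_pdc, COPIED_EXPORT) or [f"{dc}: ok"]:
            print(finding)
```

Run against real exports, pass each DC's own `.reg` text and set `is_pdc_emulator` from the output of `netdom query fsmo`.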
ASKER
Thanks ARUN;
I assume that the NTPServer goes in WITHOUT the " ...". I made the changes and I guess I need to wait until tomorrow morning to see if it works .. so did it make sense the way I had it that it would cause such a reaction of changing the date back a day?
Do you have an idea on the LDAP error I am getting on the PDC Server in relation to the Exchange server?
Hi SKENT9735,
Registry is case sensitive and the key is NtpServer not NTPServer... (Observe that 't' and 'p' should be in lower case). And yes, the key is without the " ... "
:-)
ASKER
Sorry .. yes that is the way they are in the registry ...
ASKER
I was wondering what the Active Directory Connector was actually used for. I remember many years ago when we upgraded our Exchange Server from 5.5 to 2003 I believe the company that did the migration for us used this to get the information on the users and mailboxes transferred over. We have not had the Exchange 5.5 up and running for at least 5 or 6 years. I was just wondering if these agreements should just be deleted. We only have the one Exchange Server.
You don't have to wait till tomorrow to see if everything works. You can type w32tm /resync from the client and it will sync the time.
ASKER
Right .. my problem is that the PDC would lose exactly 24 hours at around 8:10am each day ...
Ah I see in that case yes, you won't know till tomorrow :)
Hi,
Is the issue resolved?
ASKER
Yes, we think we finally got it done. It happened again yesterday. We ended up finding out that there was a conflicting time synch that was left over from a previous install, and when we disabled it from running it seemed to have taken care of it. It is almost noon today and it is still running like always. However, with all the help I received here, I want to award the points offered to you. It really helped me in getting the domain controllers configured correctly ... thanks