Domain time temporarily set to the future

Posted on 2011-04-19
Medium Priority
Last Modified: 2012-05-11
There was a problem at a sister site with the Operations Master for our W2003 domain, and a replacement VMWare host was used. Unfortunately the time on this host was set to August 2011! This time propagated to a few of our DCs, causing various problems to do with Kerberos ticket authentication.
In total our DCs were set to August 2011 for about 10 minutes.
The initial problem has now been fixed, however I'm concerned that there might be repercussions to this.
We're currently getting these errors on our DC:-

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  19/04/2011
Time:  11:26:58
User:  N/A
Computer: DC1
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/yeovildc3.xdshc.nhs.uk.  The target name used was ldap/<opsmaster>.. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (FQDN), and the client realm.   Please contact your system administrator.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  19/04/2011
Time:  11:56:59
Computer: DC1
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date:  19/04/2011
Time:  11:46:29
Computer: DC1
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
CN=Configuration,DC=<FQDN> <Also Schema, DNSZones, etc>
Source domain controller:
CN=NTDS Settings,CN=<DC2>,CN=Servers,CN=WHouse,CN=Sites,CN=Configuration,DC=fqdn
Source domain controller address:
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=fqdn
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 User Action
Verify if the source domain controller is accessible or network connectivity is available.
 Additional Data
Error value:
2148074274 The target principal name is incorrect.
Question by:Dorset1

Accepted Solution

Vinchenzo-the-Second earned 1000 total points
ID: 35423499
Check to make sure your root PDC has the correct time and is configured to an external time source, and that your child DC(s) PDC is also getting its time from the root PDC?

Can you check FRS for me on the DC in which you got the event logs from? At the DC, can you run repadmin /showreps

Can you run from the above DC also repadmin /replsum

Can you check "Replication Topology"? From ADSS right click NTDS and choose "Check Replication Topology".

Let me know if there are any errors with the above?

Author Comment

ID: 35424315
Check to make sure your root PDC has the correct time and is configured to an external time source, and that your child DC(s) PDC is also getting its time from the root PDC?
- I've attached a screenshot file (regedit) of the registry on the PDC. Some servers have the value "time.windows.com,0x1". I'm not sure how to set them all to use the PDC, although the fact that some aren't has limited the problem...

Can you run from the above DC also repadmin /replsum
- ...in progress...

Can you check FRS for me on the DC in which you got the event logs from?
- There were FRS event log errors during the time mismatch, but none since:-
- Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13548
Date:            23/08/2011
Time:            22:50:22
User:            N/A
Computer:      DC1
The File Replication Service is unable to replicate with its partner computer because the difference in clock times is outside the range of plus or minus 30 minutes.
The connection to the partner computer is:
  "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\DC1\89813E82-46FD-406A-88D2-75C7872714C0 -> <AnotherDC01>$ RemoteCxt"
The detected time difference is:  182176 minutes.

At the DC, can you run repadmin /showreps
- There have been many like this:-
-     StandbyDRServers\BP-DRSERVER via RPC
        DC object GUID: ae58e08e-be5f-48e8-8e87-048ce981c18b
        Last attempt @ 2011-04-19 13:56:32 failed, result 8614 (0x21a6):
            Can't retrieve message string 8614 (0x21a6), error 1815.
        19 consecutive failure(s).
        Last success @ 2011-04-19 09:11:33.

However now, they all seem to be like this (except one DC which still has the above error):-
    SPCT-WHouse\DC3 via RPC
        DC object GUID: 4eb40714-e6b7-4c37-aae4-06800501f0ad
        Last attempt @ 2011-04-19 13:56:32 was successful.

Can you check "Replication Topology"? From ADSS right click NTDS and choose "Check Replication Topology".
I've done this on DC1 and there's only one still showing problems (BP-DRServer)

Expert Comment

ID: 35424383
Servers will use the PDC in their domain by default, and child PDCs will use the root PDC by default.

Can you stop and restart FRS on BP-DRSERVER?

Assisted Solution

by:Leon Fester
Leon Fester earned 1000 total points
ID: 35424605
If the time is right now, then everything should sync again.

You can do the following to sync time and point your other DC's to the correct time server.

From CMD prompt:
net time /setsntp:dc1.mydomain.lan
w32tm /config /syncfromflags:domhier /reliable:yes

This sets the source time server and tells the Windows Time service to update the time from the time source.

Just double-check for other errors by running DCDiag.
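As an added example (not part of the thread and not the posters' own commands), this PowerShell audit puts the two suggestions above into one check: it compares every DC's clock against the PDC emulator and reads each DC's W32Time source type from the registry, flagging skew beyond the Kerberos (5 minute) and FRS (30 minute) tolerances and any non-PDC DC that is not following the domain hierarchy. It assumes the ActiveDirectory module, PowerShell remoting to every DC, and a domain admin session.

```powershell
# Added example: audit DC clocks and W32Time sources after a clock excursion.
# Assumes the ActiveDirectory module, WinRM access to every DC and a domain admin session.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Runs on each DC: its UTC clock plus the registry values the thread discusses.
$probe = {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    [pscustomobject]@{ Now = [DateTime]::UtcNow; Type = $p.Type; NtpServer = $p.NtpServer }
}

# Reference clock is the PDC emulator; a stopwatch corrects for the time spent polling.
$pdcNow = Invoke-Command -ComputerName $pdc -ScriptBlock { [DateTime]::UtcNow }
$sw = [System.Diagnostics.Stopwatch]::StartNew()

$report = foreach ($dc in $dcs) {
    $isPdc = ($dc -ieq $pdc)
    try {
        $r = Invoke-Command -ComputerName $dc -ScriptBlock $probe -ErrorAction Stop
        $expected = $pdcNow.AddMilliseconds($sw.ElapsedMilliseconds)
        $skew = [math]::Round([math]::Abs(($r.Now - $expected).TotalMinutes), 2)
        # Only the PDC should use an external NTP source (Type = NTP); every other DC
        # should follow the domain hierarchy (Type = NT5DS), as /syncfromflags:domhier sets.
        $sourceOk = if ($isPdc) { $r.Type -eq 'NTP' } else { $r.Type -eq 'NT5DS' }
        [pscustomobject]@{
            DC        = $dc
            IsPDC     = $isPdc
            SkewMin   = $skew
            Kerberos  = if ($skew -gt 5)  { 'FAIL (>5 min)' }  else { 'ok' }
            FRS       = if ($skew -gt 30) { 'FAIL (>30 min)' } else { 'ok' }
            Type      = $r.Type
            NtpServer = $r.NtpServer
            SourceOk  = $sourceOk
        }
    } catch {
        # Unreachable DCs are reported too; they are the first suspects for the
        # 1722 (RPC server unavailable) replication errors seen in the thread.
        [pscustomobject]@{ DC = $dc; IsPDC = $isPdc; SkewMin = $null; Kerberos = 'unreachable'
                           FRS = 'unreachable'; Type = $null; NtpServer = $null; SourceOk = $false }
    }
}

$report | Sort-Object SkewMin -Descending | Format-Table -AutoSize
```

DCs that come back with SourceOk = False are the ones to repoint with the w32tm command above, and any DC still showing skew after that should be checked with w32tm /resync before chasing replication errors.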

Author Comment

ID: 35424645
OK will do. The results of repadmin /replsum look like this. There are 8 servers which say "Can't retrieve me...", including BP-DRServer.
Repadmin /showreps still shows problems with BP-DRServer after I restarted FRS on it...
LLSDC          >60 days            6 /   6  100  (1753) Can't retrieve me...
LSDC1         >60 days            5 /   5  100  (8524) Can't retrieve me...
CDC01               04h:53m:12s    4 /  10   40  (8614) Can't retrieve me...
TONDC                10m:49s    0 /   5    0
DC01                   14m:10s    0 /  10    0
HDC                     10m:42s    0 /  10    0
NDC1                    09m:55s    0 /  18    0
ILDC1                 14m:09s    0 /  20    0

Experienced the following operational errors trying to retrieve replication information:
       8341 - LSDC.xdshc.nhs.uk
         58 - essDC.xdshc.nhs.uk
         58 - ERHDC.xdshc.nhs.uk
         58 - MHDC.xdshc.nhs.uk
                         :           , etc

Expert Comment

ID: 35424676
As dvt said, can you do a dcdiag /v on BP-DRSERVER?

Author Comment

ID: 35425832
DCDiag looks ok except for latency issues with DCs which "are no longer on the network".
(I assume these should be removed cleanly).

I've now noticed my Exchange 2007 CAS HT server has 800 messages in the Submission queue and others in an smtp relay queue - ouch. I guess that's another problem?

Expert Comment

ID: 35426104
You should clear up these old DCs. If the objects do not exist in AD/DNS or ADSS, you should be able to remove those references using ADSIEDIT.

I'm not 100% on Exchange; if you're stuck you can always raise another question.

If the servers are still not behaving tomorrow, let us know?

Author Comment

ID: 35442410
Hi again,
Fixed the Hub Transport server with a reboot thanks.
I still have a few servers which have 1722 or 8614 "Can't retrieve me..." errors in repadmin /replsummary but am ok to tinker with those.
Thanks for your assistance.
Best regards
