W32Time Event 27 on domain members

I have a Windows 2003 domain with two domain controllers. All of the domain members have the W32Time event 27 in the system logs. (The response received from domain controller is missing the signature. The response may have been tampered with and will be ignored.)

Now, I would typically do all the w32tm /resync, /setsntp, etc. tricks, but this is happening to ALL domain members, so there must be another global issue. In addition, those fixes do not stick with the servers I've tried them on. I feel like this is a PDC or Group Policy issue, though registry settings on the PDC look OK, and there does not seem to be a GP in place which affects time.

Any ideas?
MacGyverSolutions (Author) commented:
I believe I found a solution - however the steps taken above will hopefully help out the next person to run into these issues.

Turns out that the domain controllers had a program called "Tardis 2000" installed on them, which was stepping on the domain controller's NTP services. This was preventing domain members from getting signed time updates. I disabled the Tardis service, restarted the Windows Time service, and everything seems to have cleared up. Don't know why Tardis was installed (I inherited these servers) but keep an eye out for anything which may try to provide NTP services on domain controllers, as this can cause major Kerberos authentication issues, and fills up the event logs of member servers.

Thanks for your help Devin and AC.
Do you have a Certificate Authority on your domain? Does the DC have a digital certificate that recently expired?
Adam Brown, Sr Solutions Architect, commented:
Run w32tm /query /status on one of the workstations to see what the Source is configured for. It's possible that an update or something similar caused the computers to lose the proper Domain Hierarchy configuration for time sync. If the Source shows anything other than a single Domain Controller, you'll want to run w32tm /resync /rediscover to restore the proper configuration. Also look through your Logon and Startup scripts to make sure there aren't any registry modifications being deployed that affect the Time Sync system.

MacGyverSolutions (Author) commented:
Devin - there is no CA on this domain.

AC - These servers don't seem to support the "w32tm /query /status" command; I get "The command /query is unknown." However when I run "w32tm /monitor" I get the following (edited):
dc1.domain.local []:
    ICMP: 0ms delay.
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
dc2.domain.local *** PDC *** []:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc2.domain.local
        RefID: auth01.dns.datacenter.com []

All members are currently using time.windows.com. Again, I'm sure that setting the SNTP server manually would work, but since this is happening on ALL domain member servers, there must be something deeper. There are no logon scripts, and the only GP being applied is the default domain policy. Could something be up with the PDC emulator, or maybe NTDS settings?
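
Added example, not part of the original thread: a small Python triage script that parses `w32tm /monitor` output like the block quoted above and flags domain controllers that do not answer NTP, which is the condition that leaves members without a signed time source. The function names and the `max_offset` threshold are assumptions made for this illustration.

```python
import re

# Constructed input: the edited `w32tm /monitor` output quoted in the post above.
SAMPLE = """\
dc1.domain.local []:
    ICMP: 0ms delay.
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
dc2.domain.local *** PDC *** []:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc2.domain.local
        RefID: auth01.dns.datacenter.com []
"""
HOST_RE = re.compile(r"^(\S+?)\s*(\*\*\* PDC \*\*\*)?\s*\[[^\]]*\]:\s*$")
OFFSET_RE = re.compile(r"^NTP:\s*([+-]\d+(?:\.\d+)?)s offset from \S+")
ERROR_RE = re.compile(r"^NTP:\s*error\s+(\S+)")
REFID_RE = re.compile(r"^RefID:\s*(\S+)")

def parse_monitor(text):
    """Return one dict per domain controller block in the output."""
    dcs, cur = [], None
    for raw in text.splitlines():
        m = HOST_RE.match(raw.rstrip())
        if m:  # unindented "host [addr]:" line opens a new block
            cur = {"host": m.group(1), "pdc": bool(m.group(2)),
                   "offset": None, "ntp_error": None, "refid": None}
            dcs.append(cur)
        elif cur is not None:
            line = raw.strip()
            if (m := OFFSET_RE.match(line)):
                cur["offset"] = float(m.group(1))
            elif (m := ERROR_RE.match(line)):
                cur["ntp_error"] = m.group(1)
            elif (m := REFID_RE.match(line)):
                cur["refid"] = m.group(1)
    return dcs

def findings(dcs, max_offset=1.0):
    """Flag DCs that cannot serve time; max_offset (seconds) is an assumed threshold."""
    out = []
    for dc in dcs:
        if dc["ntp_error"]:
            out.append((dc["host"], "no NTP answer: " + dc["ntp_error"]))
        elif dc["offset"] is None:
            out.append((dc["host"], "no NTP result reported"))
        elif abs(dc["offset"]) > max_offset:
            out.append((dc["host"], "offset %.3fs over threshold" % dc["offset"]))
    if sum(dc["pdc"] for dc in dcs) != 1:
        out.append(("domain", "expected exactly one PDC emulator"))
    return out
```

Calling `findings(parse_monitor(SAMPLE))` on the quoted output reports only dc1, the controller whose NTP query timed out.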
MacGyverSolutions (Author) commented:
BTW, dc2 is the current PDC emulator.
MacGyverSolutions (Author) commented:
Found my own solution when looking into Windows services which may have conflicted with the NTP services.
Question has a verified solution.
