W32Time Event 27 on domain members

Posted on 2011-05-10
Medium Priority
Last Modified: 2012-05-11
I have a Windows 2003 domain with two domain controllers. All of the domain members have the W32Time event 27 in the system logs. (The response received from domain controller is missing the signature. The response may have been tampered with and will be ignored.)

Now, I would typically do all the w32tm /resync, /setsntp, etc tricks, but this is happening to ALL domain members, so there must be another global issue. In addition, those fixes do not stick with the servers I've tried them on. I feel like this is a PDC or Group Policy issue, though registry settings on the PDC look OK, and there does not seem to be a GP in place which affects time.

Any ideas?
Question by:MacGyverSolutions
  • 4

Expert Comment

ID: 35733649
Do you have a Certificate Authority on your domain? Does the DC have a digital certificate that recently expired?
LVL 43

Expert Comment

by:Adam Brown
ID: 35733713
Run w32tm /query /status on one of the workstations to see what the Source is configured for. It's possible that an update or something similar caused the computers to lose the proper Domain Hierarchy configuration for time sync. If the Source shows anything other than a single Domain Controller, you'll want to run w32tm /resync /rediscover to restore the proper configuration. Also look through your Logon and Startup scripts to make sure there aren't any registry modifications being deployed that affect the Time Sync system.

Author Comment

ID: 35740339
Devin - there is no CA on this domain.

AC - These servers don't seem to support the "w32tm /query /status" command; I get "The command /query is unknown." However when I run "w32tm /monitor" I get the following (edited):
dc1.domain.local []:
    ICMP: 0ms delay.
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
dc2.domain.local *** PDC *** []:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc2.domain.local
        RefID: auth01.dns.datacenter.com []

All members are currently using time.windows.com. Again, I'm sure that setting the SNTP server manually would work, but since this is happening on ALL domain member servers, there must be something deeper. There are no logon scripts, and the only GP being applied is the default domain policy. Could something be up with the PDC emulator, or maybe NTDS settings?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 35740355
BTW, dc2 is the current PDC emulator.

Accepted Solution

MacGyverSolutions earned 0 total points
ID: 35741225
I believe I found a solution - however the steps taken above will hopefully help out the next person to run into these issues.

Turns out that the domain controllers had a program called "Tardis 2000" installed on them, which was stepping on the domain controller's NTP services. This was preventing domain members from getting signed time updates. I disabled the Tardis service, restarted the Windows Time service, and everything seems to have cleared up. Don't know why Tardis was installed (I inherited these servers) but keep an eye out for anything which may try to provide NTP services on domain controllers, as this can cause major Kerberos authentication issues, and fills up the event logs of member servers.

Thanks for your help Devin and AC.

Author Closing Comment

ID: 35767647
Found my own solution when looking into Windows services which may have conflicted with the NTP services.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question