Recently one of my VMs (vCenter, actually) started saying the time sync was out even though it wasn't; it was set the same as my DCs and was set to sync with them. Now today I notice this in the event log:
The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount."
It's referencing one of my DCs (DC2), which is the alternate DNS but holds all of the FSMO roles.
Recently I replaced my preferred DNS server with another; well, I swapped the IP addresses round as I was retiring the old one. FSMO roles remained on the secondary DC2 the entire time. This all seemed to go fine at the time and has been like this for 2-3 months now. Originally I had my old DC1 getting time from an external source, so I have just done net time /querysntp on each DC and I get this:
OLDDC1 - syncs to ntp.massey.ac.nz
NEWDC1 - syncs to OLDDC1
DC2 (all FSMO roles) - syncs to OLDDC1
And the affected client is trying to sync to DC2.
All the times seem to be fine between all of them, but any ideas what I can do to resolve this before I get any serious time issues? Or any recommendations for best practices for time sync?
All the DCs and the client VM affected are Windows Server 2003.