LesmanyNunez

Urgent Help dns, clock issues nightmare

As of now I'm not sure what is going on. The Exchange server is not connecting, and I can only connect to computers using IP because the name gives me a "clock not synchronized" error. Please help.
Chris Dent

You have more than one problem then. Time can, obviously, be fixed easily enough but in a domain environment it should be synchronising with a DC.

It's likely time is wrong because something else is. What have you set your DNS servers (ipconfig) to?
When you connect via name, you're most likely using Kerberos authentication, which requires pretty strict time sync (within five minutes by default) between the machine you're connecting from and the one you're connecting to. When you connect via IP address, you're using NTLM authentication, which doesn't care about the time.

So, where is the time incorrect? Like Chris says, your domain-joined machines should all be configured to get their time from Active Directory.
Start first by checking which is the NTP server for your workstations:
w32tm /query /source

LesmanyNunez

ASKER

That is the problem: all the times are correct. The primary DC is on a VMware server that had an old DNS itself. I corrected this a few days ago and all was working fine; now I can't start DNS on the primary DC because it fails. It says the DC cannot be contacted, and Exchange is also disconnected, I think (I hope) because of this.
Check about IPV6 (disable it) and also check the network adapters and the DNS entries for the server
My computer says local CMOS clock.
The server also says local CMOS clock.
The main DC gives me this error when I try to open DNS: "The server (domainName) could not be contacted. The error was: Access denied. Would you like to add it anyway?"
Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.

If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.cdgcorp.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>nslookup y-group.com
12.2.168.192.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.2.12

Non-authoritative answer:
Name:    y-group.com
Address:  198.71.232.3
This is what I have for the scope in the DHCP panel.
nightmare.JPG
For DNS servers I have two: one ending in 12 (which has the problem and is the primary) and one ending in 17, which is allowing me at least to browse.
One note, I'm not sure if it has to do with anything: the 3 servers giving me issues are all in a VMware environment.
@Dave yes, the times are correct; this is really puzzling.
This is nuts. The three servers connected to the VMware server are not responding unless by direct IP; the other 2 physical servers are working just fine.
Time is OK on all of this. Later this week I changed the DNS on the VM host to the new one because the old server had died, but it was fine till this morning. The old server has no record anywhere.
I got the nslookup fixed: I made it point to the secondary DC and DNS, and at least now I can print, but still no Exchange.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC-02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BrickellLocation\DC-02
      Starting test: Connectivity
         ......................... DC-02 passed test Connectivity

Doing primary tests

   Testing server: BrickellLocation\DC-02
      Starting test: Advertising
         ......................... DC-02 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         [YDC01] DsBindWithSpnEx() failed with error 1398,
         There is a time and/or date difference between the client and server..
         Warning: YDC01 is the Schema Owner, but is not responding to DS RPC
         Bind.
         [YDC01] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: YDC01 is the Schema Owner, but is not responding to LDAP
         Bind.
         Warning: YDC01 is the Domain Owner, but is not responding to DS RPC
         Bind.
         Warning: YDC01 is the Domain Owner, but is not responding to LDAP
         Bind.
         Warning: YDC01 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: YDC01 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: YDC01 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: YDC01 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: YDC01 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: YDC01 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... DC-02 failed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=cdgcorp,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=cdgcorp,DC=local
         ......................... DC-02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-02 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: DC=ForestDnsZones,DC=cdgcorp,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2005-08-17 03:47:24.
            The last success occurred at 2005-08-16 09:47:24.
            18 failures have occurred since the last success.
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: DC=DomainDnsZones,DC=cdgcorp,DC=local
            The replication generated an error (1398):
            There is a time and/or date difference between the client and server
.

            The failure occurred at 2005-08-17 03:54:02.
            The last success occurred at 2005-08-16 09:47:24.
            20 failures have occurred since the last success.
            Kerberos Error.
            Check that the system time between the two servers is sufficiently.
            close. Also check that the time service is functioning correctly
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: CN=Schema,CN=Configuration,DC=cdgcorp,DC=local
            The replication generated an error (1398):
            There is a time and/or date difference between the client and server
.

            The failure occurred at 2005-08-17 03:47:24.
            The last success occurred at 2005-08-16 09:47:24.
            18 failures have occurred since the last success.
            Kerberos Error.
            Check that the system time between the two servers is sufficiently.
            close. Also check that the time service is functioning correctly
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: CN=Configuration,DC=cdgcorp,DC=local
            The replication generated an error (1398):
            There is a time and/or date difference between the client and server
.

            The failure occurred at 2005-08-17 03:47:24.
            The last success occurred at 2005-08-16 09:47:24.
            18 failures have occurred since the last success.
            Kerberos Error.
            Check that the system time between the two servers is sufficiently.
            close. Also check that the time service is functioning correctly
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: DC=cdgcorp,DC=local
            The replication generated an error (1398):
            There is a time and/or date difference between the client and server
.

            The failure occurred at 2005-08-17 03:47:24.
            The last success occurred at 2005-08-16 09:47:24.
            18 failures have occurred since the last success.
            Kerberos Error.
            Check that the system time between the two servers is sufficiently.
            close. Also check that the time service is functioning correctly
         ......................... DC-02 failed test Replications
      Starting test: RidManager
         ......................... DC-02 failed test RidManager
      Starting test: Services
         ......................... DC-02 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:26
            Event String:
            Driver RICOH Class Driver required for printer RICOH Class Driver is
 unknown. Contact the administrator to install the driver before you log in agai
n.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:27
            Event String:
            Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:28
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:28
            Event String:
            Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
 in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:30
            Event String:
            Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:31
            Event String:
            Driver Send to Microsoft OneNote 16 Driver required for printer Send
 To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:17
            Event String:
            Driver RICOH Class Driver required for printer RICOH Class Driver is
 unknown. Contact the administrator to install the driver before you log in agai
n.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:17
            Event String:
            Driver Microsoft XPS Document Writer v4 required for printer Microso
ft XPS Document Writer is unknown. Contact the administrator to install the driv
er before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:18
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:20
            Event String:
            Driver Brother HL-5050 required for printer Brother HL-5050 is unkno
wn. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:21
            Event String:
            Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
 in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   04:27:21
            Event String:
            Driver Send to Microsoft OneNote 16 Driver required for printer Send
 To OneNote 2016 is unknown. Contact the administrator to install the driver bef
ore you log in again.
         ......................... DC-02 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : cdgcorp
      Starting test: CheckSDRefDom
         ......................... cdgcorp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... cdgcorp passed test CrossRefValidation

   Running enterprise tests on : cdgcorp.local
      Starting test: LocatorCheck
         ......................... cdgcorp.local passed test LocatorCheck
      Starting test: Intersite
         ......................... cdgcorp.local passed test Intersite

C:\Windows\system32>
This is what DC02 told me about one; it is not responding to anything.
Holy crap, DC-02 has a wrong time and it completely eluded me. I changed it; should I restart it?
Are you certain that the time is synchronized between DC02 and YDC01? Because this seems to indicate that it's not:

Starting test: KnowsOfRoleHolders
         [YDC01] DsBindWithSpnEx() failed with error 1398,
         There is a time and/or date difference between the client and server..
Um. Why is the year 2005?

Move slowly here, you don't want your DCs to consider themselves to be 12 years out of date...
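
Added example (not part of the original thread): the 2005 dates in the dcdiag output above are easy to miss by eye, so this Python example pulls every timestamp out of saved dcdiag text and compares the newest one with a trusted reference clock. The sample lines are trimmed from the output posted above; the reference time, the `max_age` threshold, the MM/DD/YYYY reading of "Time Generated", and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines trimmed from the dcdiag output in the thread.
SAMPLE_DCDIAG = """\
      Starting test: KnowsOfRoleHolders
         [YDC01] DsBindWithSpnEx() failed with error 1398,
         There is a time and/or date difference between the client and server..
      Starting test: Replications
         [Replications Check,DC-02] A recent replication attempt failed:
            From YDC01 to DC-02
            Naming Context: DC=cdgcorp,DC=local
            The replication generated an error (1398):
            The failure occurred at 2005-08-17 03:47:24.
            The last success occurred at 2005-08-16 09:47:24.
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 08/17/2005   03:35:26
"""

# Constructed reference: what a trusted clock (phone, another site) showed
# when the dcdiag output was captured.
REFERENCE = datetime(2017, 3, 24, 13, 0, 0)

KERBEROS_TOLERANCE = timedelta(minutes=5)  # default skew limit quoted in the thread

ISO_STAMP = re.compile(r"\b(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\b")
EVENT_STAMP = re.compile(
    r"Time Generated:\s+(\d{2})/(\d{2})/(\d{4})\s+(\d{2}):(\d{2}):(\d{2})")
SKEW_ERROR = re.compile(r"error \(?1398\b")  # "time and/or date difference"


def extract_timestamps(text):
    """Collect every timestamp dcdiag printed, in either of its two formats."""
    stamps = []
    for y, mo, d, h, mi, s in ISO_STAMP.findall(text):
        stamps.append(datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)))
    # Assumption: event log dates are month/day/year, as in the thread's output.
    for mo, d, y, h, mi, s in EVENT_STAMP.findall(text):
        stamps.append(datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)))
    return stamps


def assess_clock(text, reference, max_age=timedelta(days=1)):
    """Compare the newest timestamp in the output with a trusted reference.

    Heuristic (assumption): a fresh dcdiag run reports recent events, so a
    newest timestamp older than max_age suggests the DC clock is behind, and
    one later than the reference by more than the Kerberos tolerance means
    the clock is ahead.
    """
    result = {
        "skew_errors": len(SKEW_ERROR.findall(text)),
        "newest": None,
        "offset": None,
        "verdict": "no timestamps",
    }
    stamps = extract_timestamps(text)
    if not stamps:
        return result
    newest = max(stamps)
    offset = newest - reference
    if offset > KERBEROS_TOLERANCE:
        verdict = "ahead"
    elif -offset > max_age:
        verdict = "behind"
    else:
        verdict = "ok"
    result.update(newest=newest, offset=offset, verdict=verdict)
    return result


if __name__ == "__main__":
    report = assess_clock(SAMPLE_DCDIAG, REFERENCE)
    print("error 1398 lines :", report["skew_errors"])
    print("newest timestamp :", report["newest"])
    print("offset vs. ref   :", report["offset"])
    print("verdict          :", report["verdict"])
```
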
I get this after the time update


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC-02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BrickellLocation\DC-02
      Starting test: Connectivity
         ......................... DC-02 passed test Connectivity

Doing primary tests

   Testing server: BrickellLocation\DC-02
      Starting test: Advertising
         ......................... DC-02 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC-02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC-02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC-02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC-02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC-02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=cdgcorp,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=cdgcorp,DC=local
         ......................... DC-02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC-02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC-02 passed test Replications
      Starting test: RidManager
         ......................... DC-02 passed test RidManager
      Starting test: Services
         ......................... DC-02 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0002719
            Time Generated: 03/24/2017   16:31:46
            Event String:
            DCOM was unable to communicate with the computer xchangesrv.cdgcorp.
local using any of the configured protocols.
         A warning event occurred.  EventID: 0x00000024
            Time Generated: 03/24/2017   16:31:52
            Event String:
            The time service has not synchronized the system time for 86400 seco
nds because none of the time service providers provided a usable time stamp. The
 time service will not update the local system time until it is able to synchron
ize with a time source. If the local system is configured to act as a time serve
r for clients, it will stop advertising as a time source to clients. The time se
rvice will continue to retry and sync time with its time sources. Check system e
vent log for other W32time events for more details. Run 'w32tm /resync' to force
 an instant time synchronization.
         ......................... DC-02 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC-02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : cdgcorp
      Starting test: CheckSDRefDom
         ......................... cdgcorp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... cdgcorp passed test CrossRefValidation

   Running enterprise tests on : cdgcorp.local
      Starting test: LocatorCheck
         ......................... cdgcorp.local passed test LocatorCheck
      Starting test: Intersite
         ......................... cdgcorp.local passed test Intersite

C:\Windows\system32>
Chris, yes, I noticed DC-02 had the wrong date. I corrected this; should I restart it?
Holy crap, DC-02 has a wrong time and it completely eluded me. I changed it; should I restart it?

There should be no need to restart it, but manually changing the time may not be enough to keep the issue from coming back (although if it were previously set to the year 2005, that may indeed be all you have to do).

Run w32tm /query /configuration on DC-02 and post the results here.
......................... cdgcorp.local passed test Intersite

C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Type: NTP (Local)

Unless DC-02 is the PDC Emulator (it isn't, according to the dcdiag output), this value should be set to NT5DS rather than NTP. It can be set in the registry here:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

If you make that change, you'll need to restart the Windows Time service for it to take effect.
Done. Should I do the same on DC01?
It should be set to NT5DS on everything except the DC that holds the PDC Emulator FSMO role (which appears to be YDC01).
Done on all servers but not on DC-01.
Now I can RDP but I still don't have access to the email server.
Excellent. What does w32tm /query /configuration show on YDC01?
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mnunez>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   ***Error: Exchange is not a Directory Server.  Must specify /s:<Directory
   Server> or  /n:<Naming Context> or nothing to use the local machine.
   ERROR: Could not find home server.

C:\Users\mnunez>
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


C:\Windows\system32>
Good lord, I can't RDP again. Now I have this, no longer the time error.

The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.


I did a flush, restarted my computer, and nothing.
Would it be safe to transfer the operations role on Exchange AD to DC-02?
NtpServer: DC_HostName.DomainName.com (Local)

This will need to be changed on YDC01. That server needs to get time from a source outside of your environment, like a public NTP server. Microsoft runs one at time.windows.com, and there are a number of others out there. Go to this registry location:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

...and set it to this:

time.windows.com,0x9 time-a.nist.gov,0x9 time-b.nist.gov,0x9

If you know the names of specific NTP servers you'd prefer to use, feel free to substitute those, but leave the ,0x9's in there after each one.
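
Added example (not part of the original thread): the advice in the replies above, NT5DS on every DC except the PDC emulator and outside peers followed by ,0x9 on the PDC emulator, checked against saved `w32tm /query /configuration` output. The sample is trimmed from the output posted above; the function names and the `is_pdc_emulator` and `internal_suffix` parameters are assumptions.

```python
import re

# Constructed sample: trimmed from the w32tm output posted in the thread,
# including the stray "Type" line that appears under VMICTimeProvider.
SAMPLE_CONFIG = r"""
[Configuration]

MaxAllowedPhaseOffset: 300 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DC_HostName.DomainName.com (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
Type: NTP (Local)
"""

SETTING = re.compile(r"^(\w+):\s*(.*?)\s*\(\w+\)$")   # "Key: value (Local)"
HEADER = re.compile(r"^(\w+)\s+\(\w+\)$")             # "NtpClient (Local)"


def parse_w32tm_config(text):
    """Return {section_or_provider: {key: value}} from the command's text output."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            config.setdefault(current, {})
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            config[current][setting.group(1)] = setting.group(2)
            continue
        header = HEADER.match(line)
        if header:
            # Provider blocks keep their own keys, so the NtpServer *setting*
            # under NtpClient never collides with the NtpServer *provider*.
            current = header.group(1)
            config.setdefault(current, {})
    return config


def audit_time_source(config, is_pdc_emulator, internal_suffix):
    """List deviations from the thread's advice for this DC's role."""
    findings = []
    client = config.get("NtpClient", {})
    sync_type = client.get("Type", "").upper()
    peers = client.get("NtpServer", "").split()

    if not is_pdc_emulator:
        if sync_type != "NT5DS":
            findings.append(
                f"Type is {sync_type or 'unset'}; expected NT5DS on a DC "
                "that does not hold the PDC emulator role")
        return findings

    # PDC emulator: the manual peer list is only used with NTP (or AllSync).
    if sync_type not in ("NTP", "ALLSYNC"):
        findings.append(f"Type is {sync_type or 'unset'}; NtpServer peers are ignored")
    if not peers:
        findings.append("no NtpServer peers configured")
    for peer in peers:
        host, _, flags = peer.partition(",")
        if flags.lower() != "0x9":
            findings.append(f"{host}: flags {flags or 'missing'}; expected ,0x9 after the peer")
        if host.lower().endswith(internal_suffix.lower()):
            findings.append(f"{host}: inside {internal_suffix}; use an outside time source")
    return findings


if __name__ == "__main__":
    parsed = parse_w32tm_config(SAMPLE_CONFIG)
    for role, is_pdc in (("DC-02 (not PDC emulator)", False), ("YDC01 (PDC emulator)", True)):
        print(role)
        for finding in audit_time_source(parsed, is_pdc, "cdgcorp.local") or ["no findings"]:
            print("  -", finding)
```
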
done with dc-01
Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
That's a significant problem. It means that your domain controllers have been unable to replicate with each other for a very long time. How many total DCs do you have in the domain?
Two. I inherited this job from another admin, and I have run into some weird stuff in here. Should I turn one off, maybe DC-02? I ran the last script on the Exchange server.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>netdom query dc
List of domain controllers with accounts in the domain:

DC01
DC02
The command completed successfully.


C:\Windows\system32>
This I get from DC01.
Exchange isn't installed on one of the DCs, is it? I believe you said that it's on a different server, but I want to be sure.
No, it is on a different server.
This error is popping up when I try to open the Exchange database. [User generated image]
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>REPADMIN /SHOWREPS
BrickellLocation\YDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 62d3b9b6-5b3d-419a-bd88-692a164c69bf
DSA invocationID: 3e22d92f-9798-4b5e-a8c7-eb850471f957

==== INBOUND NEIGHBORS ======================================

DC=cdgcorp,DC=local
    BrickellLocation\DC-02 via RPC
        DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4e0ff016339
        Last attempt @ 2017-03-24 18:07:15 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        68 consecutive failure(s).
        Last success @ 2017-03-24 13:24:43.

CN=Configuration,DC=cdgcorp,DC=local
    BrickellLocation\DC-02 via RPC
        DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4e0ff016339
        Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        10 consecutive failure(s).
        Last success @ 2017-03-24 13:24:43.

CN=Schema,CN=Configuration,DC=cdgcorp,DC=local
    BrickellLocation\DC-02 via RPC
        DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4e0ff016339
        Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        9 consecutive failure(s).
        Last success @ 2017-03-24 13:24:43.

DC=ForestDnsZones,DC=cdgcorp,DC=local
    BrickellLocation\DC-02 via RPC
        DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4e0ff016339
        Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        9 consecutive failure(s).
        Last success @ 2017-03-24 13:24:43.

DC=DomainDnsZones,DC=cdgcorp,DC=local
    BrickellLocation\DC-02 via RPC
        DSA object GUID: df94fcba-4bb0-4a7f-85cd-c4e0ff016339
        Last attempt @ 2017-03-24 17:46:40 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.
        9 consecutive failure(s).
        Last success @ 2017-03-24 13:24:43.

Source: BrickellLocation\DC-02
******* 67 CONSECUTIVE FAILURES since 2017-03-24 13:24:43
Last error: 8614 (0x21a6):
            The directory service cannot replicate with this server because the
time since the last replication with this server has exceeded the tombstone life
time.

C:\Windows\system32>w32tm /monitor
YDC01.cdgcorp.local *** PDC ***[[::1]:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from YDC01.cdgcorp.local
        RefID: time-a.nist.gov [129.6.15.28]
        Stratum: 2
DC-02.cdgcorp.local[192.168.2.17:123]:
    ICMP: 0ms delay
    NTP: -744.1300266s offset from YDC01.cdgcorp.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

C:\Windows\system32>w32tm /resync
Sending resync command to local computer
The command completed successfully.

C:\Windows\system32>
I think it is the time configuration on the VMware server. I am looking into this.
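Added example, not part of any post in this thread and not Microsoft's or Experts Exchange's code: a Python script that parses `w32tm /monitor` output like the one pasted above and flags any domain controller whose offset from the PDC exceeds the five-minute Kerberos default mentioned earlier in the thread, or whose RefID is `LOCL` (its own local clock). The function names and the `MAX_SKEW_SECONDS` constant are assumptions of this example; the sample text is copied from the output above.

```python
import re

# Sample input: the `w32tm /monitor` output posted above (warning text omitted).
SAMPLE = """\
YDC01.cdgcorp.local *** PDC ***[[::1]:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from YDC01.cdgcorp.local
        RefID: time-a.nist.gov [129.6.15.28]
        Stratum: 2
DC-02.cdgcorp.local[192.168.2.17:123]:
    ICMP: 0ms delay
    NTP: -744.1300266s offset from YDC01.cdgcorp.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
"""

MAX_SKEW_SECONDS = 300  # assumption: Kerberos default tolerance of five minutes

HOST_RE = re.compile(r"^(\S+?)(?: \*\*\* PDC \*\*\*)?\[.*\]:\s*$")
OFFSET_RE = re.compile(r"^\s+NTP: ([+-]\d+(?:\.\d+)?)s offset")
REFID_RE = re.compile(r"^\s+RefID: (.+?)\s*$")

def parse_monitor(text):
    """Return {host: {"offset": float or None, "refid": str or None}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            current = hosts.setdefault(m.group(1), {"offset": None, "refid": None})
        elif current is not None and (m := OFFSET_RE.match(line)):
            current["offset"] = float(m.group(1))
        elif current is not None and (m := REFID_RE.match(line)):
            current["refid"] = m.group(1)
    return hosts

def findings(hosts, max_skew=MAX_SKEW_SECONDS):
    """List (host, problem) pairs: skew beyond tolerance, no offset, or local-clock source."""
    out = []
    for host, info in hosts.items():
        if info["offset"] is None:
            out.append((host, "no NTP offset reported"))
        elif abs(info["offset"]) > max_skew:
            out.append((host, f"offset {info['offset']:+.1f}s exceeds {max_skew}s"))
        if info["refid"] and "LOCL" in info["refid"]:
            out.append((host, "time source is the local clock (RefID LOCL)"))
    return out

if __name__ == "__main__":
    for host, problem in findings(parse_monitor(SAMPLE)):
        print(f"{host}: {problem}")
```

On the sample, only DC-02 is reported, once for the 744-second offset and once for the `LOCL` time source.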
Should I do the same metadata cleanup in Exchange as well?
There's no need to do anything in Exchange - this is strictly Active Directory we're working with at the moment. Once the metadata cleanup has been completed, Exchange should be able to locate the only remaining global catalog (YDC01) and use it for authentication.
dc-02 has been demoted and removed from AD
Thank you for all the help, just FYI.
Good. What does the overall situation look like now?
Still no Exchange. Should I run dcdiag on Exchange?
Dcdiag won't run on a server that isn't a domain controller. Which version of Exchange are you running?
2010 Exchange
Can you restart the Microsoft Exchange Active Directory Topology service on that server?
Thank you guys a million, Exchange is back up. This time fiasco was a nightmare. Thank you both for all your help.
You guys are awesome. Lesson learned: change the CMOS batteries.
Excellent! Glad it's all straightened out.