This server's clock is not synchronized with the primary domain controller's clock


    Hello,

    I have a server (the server is a domain member, \\server1.mydomain.com) which must be synchronized with an external source (the rest of the computers are synchronized with the PDC). When the external source has more than 10 minutes of delay, I can't access shared folders on this server using \\server1.mydomain.com (I can access them using the IP address) and I get the following error:
    This server's clock is not synchronized with the primary domain controller's clock

    This article from Microsoft says:
    http://www.microsoft.com/technet/pro....mspx?mfr=true

    The internal clock for servers must be set to within 10 minutes of the domain controller's clock

    I want to increase this 10 minutes. Does anybody know how I can do it?

    Thanks
    Pablo

  • #2
    Re: This server's clock is not synchronized with the primary domain controller's cloc

    You can't. As Microsoft said: "The internal clock for servers must be set to within 10 minutes of the domain controller's clock." If the clocks are not synchronised then Kerberos authentication will fail.

    Why can't you synchronise the member server with your domain controller?

    http://en.wikipedia.org/wiki/Kerbero...ocol#Drawbacks "Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized."
    Gareth Howells



    • #3
      Re: This server's clock is not synchronized with the primary domain controller's cloc

      Thanks Gareth,

      I need to configure a server member with another computer of the electrical company, and this server is a domain member too.

      As you say about Kerberos: "The default configuration requires that clock times are no more than 10 minutes apart [...]"

      So, I changed this Kerberos parameter in the domain security policy to 60 minutes, as it says in this article: Maximum Tolerance For Computer Clock Synchronization.
      http://www.microsoft.com/technet/sec.../w2kadm09.mspx

      Maximum Tolerance For Computer Clock Synchronization: The Maximum tolerance for computer clock synchronization is one of the few Kerberos policies that may need to be changed. By default, computers in the domain must be synchronized within five minutes of each other. If the client clock and the server clock are not synchronized closely enough, a client ticket is not issued. The default value is 5 minutes, and settings are in minutes. If there are remote users that log on to the domain without synchronizing their clock to the network timeserver, it may be necessary to adjust this value. However, changing this value to provide a wider margin can leave the system open to replay attacks.

      Thanks
      Pablo
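
The trade-off in the policy text quoted above, as an added example that is not part of the original post: a simplified server-side timestamp and replay check, evaluated at the default 5-minute tolerance and at the 60 minutes chosen in this post. The `SkewChecker` class, the client name and the timestamps are constructed for illustration and do not reproduce a real Kerberos implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SkewChecker:
    """Simplified timestamp + replay check; illustrative, not a Kerberos implementation."""
    max_skew: timedelta
    seen: set = field(default_factory=set)  # (client, timestamp) pairs already accepted

    def accept(self, client: str, stamped: datetime, now: datetime) -> str:
        # 1. The message timestamp must be within the tolerance of the server clock.
        if abs(now - stamped) > self.max_skew:
            return "rejected: skew"
        # 2. Drop cache entries that step 1 would reject anyway.
        self.seen = {(c, t) for c, t in self.seen if abs(now - t) <= self.max_skew}
        # 3. An identical message inside the window is a replay.
        if (client, stamped) in self.seen:
            return "rejected: replay"
        self.seen.add((client, stamped))
        return "accepted"


def compare(tolerances=(5, 60)) -> dict:
    t0 = datetime(2008, 10, 23, 12, 0, tzinfo=timezone.utc)  # constructed client timestamp
    out = {}
    for minutes in tolerances:
        skew = timedelta(minutes=minutes)
        server, restarted = SkewChecker(skew), SkewChecker(skew)  # restarted: empty cache
        out[minutes] = {
            # Server clock runs 12 minutes ahead of the client that stamped the message.
            "drifted_server": server.accept("client1", t0, t0 + timedelta(minutes=12)),
            # The same message presented again one minute later.
            "same_message_again": server.accept("client1", t0, t0 + timedelta(minutes=13)),
            # A copy of the message reaching an instance with no memory of it, 30 min on.
            "copy_30min_later": restarted.accept("client1", t0, t0 + timedelta(minutes=30)),
        }
    return out


if __name__ == "__main__":
    for minutes, result in compare().items():
        print(f"tolerance {minutes:>2} min: {result}")
```

At 60 minutes the drifted server authenticates again, but a copied message also stays time-valid for an hour wherever no replay cache remembers it.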


      • #4
        Re: This server's clock is not synchronized with the primary domain controller's cloc

        Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes (not ten minutes). Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, thus allowing for smaller thresholds. Failure to authenticate using the Kerberos protocol can prevent logons, access to Web sites, file shares, printers, and other resources or services within a domain.


        * Configuring time synchronization method with the following configuration commands:
          w32tm.exe (Windows 2003 or XP only)

          To reset to use the domain hierarchy:
              w32tm.exe /config /syncfromflags:domhier
              w32tm.exe /config /update

          To use a specific NTP source:
              w32tm.exe /config /syncfromflags:manual /manualpeerlist:source1
              w32tm.exe /config /update

        How to Configure an Authoritative Time Server in Windows Server 2003
        http://support.microsoft.com/?id=816042

        Please follow the link:
        http://forums.petri.com/showthread.php?t=28963

        Last edited by Akila; 23rd October 2008, 12:38.
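
A check to run after changing the time source, as an added example that is not part of the original post: it parses the output of `w32tm /stripchart /computer:<dc> /samples:4 /dataonly` and compares the worst measured offset with the Kerberos tolerance. The sample output, the host name `dc01.mydomain.com`, the function name `assess` and the warning threshold are constructed for illustration.

```python
import re

# Constructed sample, in the shape printed by
#   w32tm /stripchart /computer:<dc> /samples:4 /dataonly
# (host name, address and offsets are made up for this example).
SAMPLE = """\
Tracking dc01.mydomain.com [192.0.2.10:123].
Collecting 4 samples.
The current time is 10/23/2008 12:38:00.
12:38:00, -431.8704412s
12:38:02, error: 0x800705B4
12:38:04, -431.9023411s
12:38:06, -432.0150032s
"""

DATA_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}, (?:(?P<offset>[+-]\d+\.\d+)s|error: (?P<error>0x[0-9A-Fa-f]+))\s*$"
)


def assess(output: str, tolerance_min: int = 5, warn_fraction: float = 0.5) -> dict:
    """Compare measured offsets (seconds) with the Kerberos clock tolerance (minutes)."""
    offsets, errors = [], []
    for line in output.splitlines():
        m = DATA_LINE.match(line)
        if not m:
            continue  # header lines
        if m.group("offset"):
            offsets.append(float(m.group("offset")))
        else:
            errors.append(m.group("error"))  # sample that failed
    if not offsets:
        return {"status": "unknown", "worst_offset_s": None, "samples": 0, "errors": errors}
    worst = max(offsets, key=abs)
    limit = tolerance_min * 60
    if abs(worst) > limit:
        status = "fail"   # beyond the tolerance: authentication will be refused
    elif abs(worst) > limit * warn_fraction:
        status = "warn"   # drifting towards the limit
    else:
        status = "ok"
    return {"status": status, "worst_offset_s": worst, "samples": len(offsets), "errors": errors}


if __name__ == "__main__":
    print(assess(SAMPLE))                    # default 5-minute tolerance
    print(assess(SAMPLE, tolerance_min=60))  # tolerance raised to 60 minutes
```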
