While checking the event log of a domain controller I noticed that it complained about an erroneous Kerberos ticket from another DC.
As we all know, Kerberos requires the clocks of all participating systems to be synchronized.
This is what you can do if Active Directory time synchronization fails:
Check DC time with “net time”
First I checked the local time of the affected DC. As expected, it was 10 minutes off from the other DCs, which is beyond the deviation Kerberos tolerates.
The question now was: why had the primary time server not synchronized the time?
net time displayed the correct time on the primary time server.
With net time /set the time could easily be set manually to the domain time.
As the time server was reachable, I checked the local configuration of the server.
Missing registry key W32Time
The local configuration of the server showed that the W32Time registry key was completely missing.
Luckily the time server configuration tool w32tm has a function to fix that.
w32tm /register creates the complete W32Time branch in the registry and enables the time service as both client and server.
A direct start of the time service with net start w32time did not work, however.
The error message referred to a discrepancy between the service account “Local Service” required by the time service and the account of the hosting process.
At this point I skipped a detailed analysis and waited for the upcoming reboot.
After the reboot the service started correctly and the time was synchronized without problems.
For me, the fix for the Active Directory time synchronization problem was to:
- Check whether the time server is reachable with net time
- Check the registry for the key HKLM\System\CurrentControlSet\Services\W32Time
- If the registry key is missing, recreate it with w32tm /register
- Start the service with net start w32time; if that fails, reboot the server
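The same checks as a PowerShell script, added here as an example and not code from the original post; the peer DC name DC01 and the 300-second Kerberos tolerance are assumptions (the post gives no number, 300 s is the Kerberos default MaxClockSkew).

```powershell
# Added example (not from the original post): measure this DC's clock offset
# against a healthy peer, verify the W32Time registry branch, and repair it
# the way the post describes. Run from an elevated PowerShell prompt.
param(
    [string]$PeerDc = 'DC01',        # assumed placeholder: a DC whose time is known good
    [double]$MaxSkewSeconds = 300    # Kerberos default MaxClockSkew; not stated in the post
)
$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. Reachability and offset: w32tm /stripchart prints one "<time>, <offset>s" line per sample.
$chart = & w32tm.exe /stripchart /computer:$PeerDc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $chart) {
    if ("$line" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No time samples from $PeerDc; check that it is reachable (net time \\$PeerDc)."
    $chart | ForEach-Object { Write-Warning "$_" }
} else {
    $absolute = $offsets | ForEach-Object { [math]::Abs($_) }
    $worst = ($absolute | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning ("Offset of {0:N1}s to {1} exceeds {2}s; Kerberos will reject tickets." -f $worst, $PeerDc, $MaxSkewSeconds)
    } else {
        Write-Host ("Offset to {0} is {1:N3}s, within tolerance." -f $PeerDc, $worst)
    }
}

# 2. Registry: the post's root cause was a missing W32Time branch.
if (-not (Test-Path $W32TimeKey)) {
    Write-Warning "$W32TimeKey is missing; recreating it with w32tm /register."
    & w32tm.exe /register | Write-Host
} else {
    $params = Get-ItemProperty "$W32TimeKey\Parameters" -ErrorAction SilentlyContinue
    Write-Host "W32Time present. Type=$($params.Type) NtpServer=$($params.NtpServer)"
}

# 3. Service: a direct start may fail right after /register (the post saw a
#    service-account mismatch); in that case a reboot cleared it.
try {
    Start-Service -Name w32time -ErrorAction Stop
    & w32tm.exe /resync /nowait | Write-Host
    & w32tm.exe /query /status | Write-Host
} catch {
    Write-Warning "Could not start w32time: $($_.Exception.Message). Reboot the server and re-run this check."
}
```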