
Hi there, we have a file server and a DC. Sometimes connections to the file server fail, and looking through the Event Viewer errors I am seeing lots of Kerberos errors.

The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server . This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm is synchronized with the KDC in the client realm.

Because the DC is in Azure, they are both set up in the default config for w32time.

```
PS C:\windows\system32> w32tm /query /source
VM IC Time Synchronization Provider

[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

VMICTimeProvider (Local)
DllName: C:\windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

NtpServer (Local)
DllName: C:\windows\system32\w32time.dll (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)
```

Group Policy is also failing on this Windows Server 2016 VM.

I am not really seeing how to fix this issue.

Strangely, the PDCe is on-prem, and one of the Azure DCs' status shows unavailable.

  • **Because the DC is in azure, they are both setup in the default config for w32time** - What does that mean exactly? Please post the output of **w32tm /query /source** and **w32tm /query /configuration** from your Domain Controllers. Also tell us which DC is the PDCe. – joeqwerty Sep 15 '22 at 02:08
  • I have added this – cybernull Sep 15 '22 at 02:13
  • My idea would be to set the Azure DCs to sync their time with the PDCe, but in Azure does the time of the guest OS need to be synced with the host? – cybernull Sep 15 '22 at 02:34
  • I think I resolved this myself. I logged into the PDCe and the time is 10 minutes fast. I have asked the customer to set the time correctly on the PDCe. – cybernull Sep 15 '22 at 03:58
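
As an added example that is not part of the original post or its comments: a PowerShell check that compares each domain controller's clock with the local machine and flags any offset beyond the Kerberos clock-skew tolerance, the condition behind KRB_AP_ERR_TKT_NYV. The host names and the `w32tm /stripchart` output lines are constructed, and the 300-second limit assumes the default Windows domain Kerberos policy.

```powershell
# Added example; host names and the w32tm output lines below are constructed.
# 300 seconds is the default Kerberos clock-skew tolerance in a Windows domain.
$MaxSkewSeconds = 300

function ConvertFrom-StripchartSample {
    # Extract the offset in seconds between the remote clock and the local
    # clock from '/dataonly' output such as "03:58:00, +600.0412345s".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # no usable sample, e.g. a timeout or blocked UDP 123
}

function Get-ClockSkewReport {
    param(
        [hashtable]$Samples,                 # computer name -> raw output lines
        [double]$MaxSkew = $MaxSkewSeconds
    )
    foreach ($name in ($Samples.Keys | Sort-Object)) {
        $offset = ConvertFrom-StripchartSample -Lines $Samples[$name]
        if ($null -eq $offset) { $status = 'NoSample' }
        elseif ([math]::Abs($offset) -gt $MaxSkew) { $status = 'ExceedsKerberosSkew' }
        else { $status = 'OK' }
        [pscustomobject]@{
            Computer      = $name
            OffsetSeconds = $offset
            Status        = $status
        }
    }
}

# Live collection, run from the server that logs the Kerberos error:
#   $samples[$name] = w32tm /stripchart /computer:$name /samples:1 /dataonly
# Constructed sample: a PDCe running 10 minutes fast, one healthy DC, and one
# DC that did not answer.
$samples = @{
    'pdce.example.test'  = @('Tracking pdce.example.test [192.0.2.10:123].',
                             '03:58:00, +600.0412345s')
    'azdc1.example.test' = @('03:58:01, +00.0031200s')
    'azdc2.example.test' = @('03:58:02, error: 0x800705B4')
}
Get-ClockSkewReport -Samples $samples | Format-Table -AutoSize
```

Offsets are measured against the machine running the script, so a host flagged `ExceedsKerberosSkew` differs from that machine's clock, not necessarily from true time.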
