Hi everybody

Im sitting here on 12th hour trying to get our DC to behave as I believe it should but to no avail.
Our problem is that early today (12 hours ago, go figure) our server time started to shift rather much (up to 3 hours).

We've (my colleague and I) tried quite alot of procedures found on the internet.
Our setup is:
1 x SBS2011, 2 x SRV2008R2, 2 x SRV2012R2

We've tried Microsoft Fixit, Manual Processes, verify settings through Regedit, doing the w32tm /unregister, Register, flags and so forth. Verified UDP123 aren't blocked.

No matter what we do the SBS2011 keeps saying "LOCL CMOS" for the w32tm /query

After looking on a lot of settings 'suddenly' our DC wont even start W32time due to error 1290.
I Took a look on a DCDIAG and got some warnings:

XPDSBS is not advertising as a time server
Starting Test: NCSECDESC
Error NT Authority\enterprise domain controllers dosent have access rights for naming context:
DC=ForestDNSZones,DC=XPDigitalas,DC=Local

Error NT authrority\enterprise domain controllers dosent have replicating directory changes in filtered se access rights for naming context: DC=DomainDNSZones, DC=Xpdigitalas,DC=Local

XPDSBS Failed test NCSecDesc
W32time service is stopped on XPDSBS.

Then I get a lot of Kerberos warnings of various clients which I'm not gonna type in here.

at the bottom I get a XPDSBS failed test systemlog

I also get a warning: DcGetDcName(TIME_SERVER) Call Failed Error 1355
A time server could not be located
The server holding the PDC Role is DOWN
Warning: DcGetDcName (Good_Time_server_preferred) call Failed, Error 1355, a good time server could not be located.
xpdigitalas.local failed test locatorCheck

all other stuff is 'passed'

Hope someone can help us get abit further.

Thanks all

Please run the following to reset the time sync configuration:

• net stop w32time
• w32tm /unregister
• w32tm /register
• net start w32time

As for the time sync in an AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx

You can refer to the GPO way to configure it.

Please note that port 123 to the public NTP servers should not be blocked or filtered. Also, if you are running VMs, make sure that time sync with the Hypervisor is disabled.

Hello,

for the error:

Error NT Authority\enterprise domain controllers dosent have access rights for naming context:
DC=ForestDNSZones........

and

Error NT authrority\enterprise domain controllers dosent have replicating directory changes in filtered se access rights for naming context: DC=DomainDNSZones........

This belongs to the not run command adprep /rodcprep.

For the time setting reset run on all machines the already mentioned command and start with the DC having the PDCEmualtor FSMO which in your case with an SBS server MUST be that machine. If you have transferred the FSMO roles to another DC they MUST be  transferred back to the SBS machine.

Also assure that all DCs are able to replicate and to contact each other, how many in total do you have?

"The server holding the PDC Role is DOWN" Please run "netdom query fsmo" to check the current FSMO holders.