Win2K3 PDC Time is 5 Minutes Fast - Making all clients 5 minutes fast
Hi Everyone,

Time synchronization is not working on our PDC (Win2K3R2 Standard 64bit Hyper-V). Previously, we had another PDC which was retired, and all our systems synced with that server. After that server was retired, all our PCs started syncing with the new DC. But the time on the new DC is 5 minutes fast.

I checked the new PDC, and it was set to sync with the old one. So I followed this link to change to an external NTP source: http://support.microsoft.com/kb/816042

However, that time is still 5 minutes fast, even though successful sync events are being logged. I have tried several different peers as well.

Additionally, we have been receiving Event 1054 every 5 minutes, though I don't know if this is related.

"Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted."

And I am unable to use netdiag to troubleshoot this as this is a 64bit server.

Then I found out the following:

The Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, thus allowing for smaller thresholds. Failure to authenticate using the Kerberos protocol can prevent logons, access to Web sites, file shares, printers, and other resources or services within a domain.

I found how to change this in the Domain Security Policy, so I changed it to 10 minutes. But I am worried this still may cause problems.

Any help would be greatly appreciated.

Thanks,
Chris
February 12th, 2009 4:27am

Hi,

Are all the machines in the domain virtual machines and hosted on the same physical server?

For virtual machines that are configured as domain controllers, the time synchronization with the host through Integration Services should be disabled. Host time synchronization allows guest operating systems to synchronize their system clocks with the system clock of the host operating system. Since the domain controllers have their own time synchronization mechanism, the host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Since many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.

The best practice, before promoting a guest to a DC, is to go into the settings for that virtual machine, select Integration Services under the Management option, and uncheck the Time Synchronization option for the virtual machine that we are going to promote to a domain controller.

Note: After unchecking Time Synchronization, please reboot the DC VM. Ensure the external time service is reliable and VM connectivity to the external network is good.

W32Time might fail to start if the Hyper-V time IC (vmictimesync) does not remove its time provider entry from the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider

To solve this problem you can manually remove the entry from the registry and restart w32time.

I recommend that you use the w32time service to sync the time on all machines. That is, don't use the Integration Services to synchronize time from the host for all Hyper-V guest machines.

In addition, here are some recommendations for running domain controllers in Hyper-V: Never save state in a domain controller as this may cause synchronization issues in the domain. Never pause a domain controller virtual machine for long periods of time as this may adversely impact replication. Do not take snapshots of a domain controller.
February 13th, 2009 12:34pm
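
A read-only check of the two things the reply above names, added here as an example and not part of the original thread: whether the VMICTimeProvider key is still present on the guest DC, and how far its clock sits from an external source compared with the five-minute Kerberos tolerance. It assumes PowerShell is installed on the guest; the peer `pool.ntp.org`, the parameter names and the helper `Get-OffsetSeconds` are placeholders chosen for the example.

```powershell
# Read-only check for a Hyper-V guest DC. Assumptions, not from the thread:
# PowerShell is installed on the guest; $Peer is a placeholder for your NTP source.
param(
    [string]$Peer = 'pool.ntp.org',
    [int]$MaxSkewSeconds = 300    # Kerberos default tolerance quoted above (5 minutes)
)

# Key named in the reply; present means the Hyper-V provider is still registered.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmicPresent = Test-Path $vmicKey

# Pull the offsets out of "hh:mm:ss, +ss.fffffffs" lines from w32tm /stripchart /dataonly.
function Get-OffsetSeconds([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

$raw = & w32tm /stripchart "/computer:$Peer" /samples:3 /dataonly 2>&1 |
    ForEach-Object { "$_" }
$offsets = @(Get-OffsetSeconds $raw)

$worst = $null
if ($offsets.Count -gt 0) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
        Measure-Object -Maximum).Maximum
}

"VMICTimeProvider key present : $vmicPresent"
"W32Time service status       : $((Get-Service w32time).Status)"
"Worst offset from peer (s)   : $worst"

if ($worst -eq $null) {
    Write-Warning "No samples returned from $Peer; check that UDP 123 is reachable."
} elseif ($worst -ge $MaxSkewSeconds) {
    Write-Warning "Offset is at or beyond the $MaxSkewSeconds s Kerberos tolerance."
} elseif ($vmicPresent) {
    Write-Warning "Clock is within tolerance, but the VMICTimeProvider key is still present."
}
```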

Hi Jason,

Thanks for the quick reply.

Actually, we just went into Hyper-V and unchecked "Time Synchronization" under Integration Services. We did not need to restart anything; the virtual domain controller fixed its time and all the clients updated within a short time. This also stopped the 1054 from popping up every 5 minutes.

So it seems like unchecking the box fixed everything. Is it safe to leave it like this and to continue to monitor the situation? Or should any further actions be taken?

Thanks,
Chris
February 16th, 2009 9:49am

Hi, Glad to hear that. I suggest that you restart the DC to ensure that everything takes effect. Have a nice day.
February 17th, 2009 12:01pm

Just wanted to let you know that I had the exact same problem. And that this solved it for me too!
March 11th, 2009 3:21pm

This has worked for us, but the registry folder comes back on a reboot, killing the service. Can delete the registry folder and all is well again, but it's a manual process. Anyone got something permanent?
November 27th, 2009 1:08am

This topic is archived. No further replies will be accepted.
