The directory schema is not accessible because: The clocks on the client and server machines are skewed.

  • Question

  • Hi All.

    I installed a new Server 08 R2 Machine onto our domain last night. (Our domain has one win2k server, soon to be retired, and one 2k3 server) I did forest prep and domain prep and then ran dcpromo on the new 08 server. However, now that AD is all set up and the new server is registered as a domain controller, whenever I attempt to access AD, it gives the above error. Just to note, the new server is sitting on a Hyper-V virtual machine, however, I have removed the 'time synchronization' setting from the hyper-v setting. Currently the new DC is running about 2 minutes ahead of the primary domain controller. I know that I need to somehow tell my new 08 domain controller to synchronize its time with my 2k3 server, but to be honest I don't know how to do it. Could anyone help?

    Thanks,

     

    James.

    Thursday, July 1, 2010 9:43 AM

All replies

  • Hello,

    make sure the new machine isn't blocking port 123 UDP with a firewall. Then run:

    w32tm /config /syncfromflags:domhier /update

    Maybe you have to check the event viewer for errors.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, July 1, 2010 10:36 AM
  • Thanks for your reply Meinolf Weber, 

     

    Will that force the new DC to synchronize time with the rest of the domain permanently? (what I mean is will it make my 08 server constantly update the time?)

    As a side note - I ran net time \\servername /set and it started working. However I don't think its permanently fixed it, as it does seem to sync when I reboot the server, then loses sync as time goes on. 

    The other thing that I've noticed, is that all the DC's on the domain are still syncing time from the old win2000 server, which is soon to be retired, but all workstation clients (just domain members) are syncing their time from the new 2008 R2 DC - Should this be the case? I certainly didn't set anywhere for everything to sync to the new domain controller.

    Thanks,

    James.

    Thursday, July 1, 2010 10:57 AM
  • Hello,

    net time is old-fashioned and replaced with w32tm. The above command will set the domain hierarchy for the time and running it once should be enough.

    Check my article about the time for some clarification and what to do with the old and new PDCEmulator:

    http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, July 1, 2010 11:06 AM
  • James - make sure to transfer the PDC Emulator role to the newly promoted Windows Server 2008 R2 DC. This will designate it as the time source for the domain. You might want to also restart w32time service or run w32tm /config /update on both the newly promoted DC and the previous

    Btw. net time command (while sometimes convenient) is of limited use - majority of time-related operations should be carried out with w32tm (more at http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx)

    hth
    Marcin

    • Marked as answer by severniae Thursday, July 1, 2010 2:17 PM
    Thursday, July 1, 2010 11:06 AM
  • Ah, I feel somewhat foolish. It seems that the date of the new DC was set to December 1st 09!

    Am I correct in assuming that would have been the source of my issues?

    Thanks for all your help guys!

    Thursday, July 1, 2010 11:20 AM
  • One other point, slightly off the original topic I know. Since now being able to get into AD, I decided to have a look at Sites and Services to see the NTDS settings. It seems that the two older servers are replicating to each other, and replicating from the new 08 server. However the 08 server is only replicating to the two older servers, and nothing is replicating to it. Is this normal? And am I correct in thinking that this means that any changes that I make on the old DC's won't be replicated over to the new one?
    Thursday, July 1, 2010 11:28 AM
  • This certainly would cause the problem with the time skew...

    hth
    Marcin

    Thursday, July 1, 2010 11:58 AM
  • No - it's not normal. How did you determine that the replication is not occurring?

    Can you post the output of repadmin /replsummary and repadmin /showrepl (the latter from all three DCs)?

    hth
    Marcin

    Thursday, July 1, 2010 12:01 PM
  • Apologies. The entries have now appeared! Looks like it took a little while for everything to reset itself up after everything went skew!

    So, am I correct in thinking that it should be the PDC emulator that will set the time to all the other DC's on the domain? - Plus, would you happen to know the w32tm command to query the server that is currently hosting the time?

     

    Thanks Marcin, you've been of tremendous help!

    Thursday, July 1, 2010 1:23 PM
  • Hello,

    it is always the PDCEmulator in the domain which is the time source, "netdom query fsmo" will show you. See my article, link posted above, about reconfiguring the old and new PDCEmulator.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, July 1, 2010 1:41 PM
  • That's correct. By default, PDC emulator serves as the authoritative time source for all domain member computers. Use w32tm /monitor to list the time sources and search for an entry with offset 0 (or check the value of RefID parameter)

    hth
    Marcin

    • Marked as answer by Bruce-Liu Friday, July 2, 2010 8:51 AM
    Thursday, July 1, 2010 1:42 PM
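
The checks discussed in this thread, combined into one script as an added example (not posted by anyone in the thread). It assumes an elevated PowerShell session on the newly promoted DC, and the 300-second threshold is the Kerberos default clock-skew tolerance, which is an assumption about this domain's policy.

```powershell
# Added example: locate the PDC emulator, measure this DC's clock offset
# against it, then switch to the domain hierarchy and resync.
$MaxSkewSeconds = 300   # assumed: Kerberos default tolerance (5 minutes)

# 1. Find the PDC emulator role holder from "netdom query fsmo".
$pdcLine = netdom query fsmo | Select-String -Pattern '^PDC\s+(\S+)'
if (-not $pdcLine) { throw 'Could not read the PDC role holder from netdom query fsmo.' }
$pdc = $pdcLine.Matches[0].Groups[1].Value
Write-Host "PDC emulator:        $pdc"

# 2. Show what this machine is currently syncing from.
Write-Host "Current time source: $(w32tm /query /source)"

# Average clock offset (in seconds) between this machine and $Target.
function Get-OffsetSeconds([string]$Target) {
    $samples = w32tm /stripchart "/computer:$Target" /samples:3 /dataonly |
        ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    if (-not $samples) { throw "No time samples from $Target (is UDP 123 blocked?)." }
    ($samples | Measure-Object -Average).Average
}

# 3. Nothing to compare if this DC already holds the PDC emulator role.
if ($pdc -like "$env:COMPUTERNAME.*") {
    Write-Host 'This DC is the PDC emulator; it is the top of the time hierarchy.'
    return
}

# 4. Measure the offset before changing anything.
$before = Get-OffsetSeconds $pdc
Write-Host ("Offset before resync: {0:N3} s" -f $before)
if ([math]::Abs($before) -gt $MaxSkewSeconds) {
    Write-Warning 'Offset exceeds the Kerberos tolerance; check the system DATE as well as the time.'
}

# 5. Follow the domain hierarchy and force a resync.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

# 6. Measure again and report the result.
$after = Get-OffsetSeconds $pdc
Write-Host ("Offset after resync:  {0:N3} s" -f $after)
if ([math]::Abs($after) -gt $MaxSkewSeconds) {
    Write-Warning 'Still outside tolerance; review the Time-Service entries in the System event log.'
}
```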