KB2005.1104
Problem: Windows Time clients do not synchronize with Windows domain controller running Domain Time II
This article applies to Domain Time II.
Last Updated: 4 November 2010
Problem
Windows Time clients do not synchronize with Windows domain controller running Domain Time II.
Details
You may also see one or more of the following messages in the event logs:
- Event ID: 53
NTP server [machine name] returned an incorrectly signed time stamp
- Event ID: 54
The Windows Time Service was not able to find a Domain Controller.
- Event ID: 56
The Domain Controller [machine name] in [domain] returned an incorrectly signed time stamp
Background
With Windows 2003 Server, Microsoft introduced several changes to the included w32time service.
One of the effects of these changes is that machines running w32time clients in NT5DS mode can only locate
secondary domain controllers where w32time is advertising itself as a reliable time server.
In addition, with Service Pack 1, Microsoft further changed the behavior of the Windows Time service (w32time)
on Windows 2003 Server domain controllers to require the use of undocumented signed time extensions
when communicating with w32time clients using NTP. As a result, Windows Time clients refuse time
provided by any standard NTP time source such as Domain Time, a hardware clock, a UNIX time server, etc.
Since only one time service can listen and respond to NTP requests on a machine at one time, the default
behavior for Domain Time II Server on versions earlier than v4.1 was to have the Domain Time service provide NTP
(if the NTP protocol was enabled on the Domain Time control panel applet) and for the Windows Time service to
be set so that it did not attempt to respond to NTP requests. However, with the changes to the Windows Time service
introduced in Windows 2003 Server, it is necessary to allow the Windows Time service to provide NTP and for Domain
Time to only serve other protocols.
When installing or upgrading to Domain Time II Version 4.1 Server or Client, the software makes the necessary adjustments
to w32time to allow it to synchronize properly with w32time systems using the NTP protocol, while still continuing to allow
Domain Time to obtain the time from an external source, to manage the system clock accurately, and to serve time to
Domain Time, Time ITP, and other time clients using their own protocols.
For versions prior to v4.1, manual adjustment of registry parameters for both the Domain Time and Windows Time services
on domain controllers is required.
Solutions
Preferred: Upgrade to Domain Time II version 4.1 or later. On version 5.x or later, ensure that Windows Authentication is enabled.
Workaround for versions prior to v4.1:
The following registry changes must be made on every Windows 2003 Server domain controller running Domain Time II:
HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Server\Enabled Protocols
    Key: NTP/SNTP (RFC 1769)
    Value (reg_sz): False

(if running Domain Time II Server)
HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Server\Parameters

(if running Domain Time II Client)
HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Client\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    Key: AnnounceFlags
    Value (dword): 5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Key: Type
    Value (reg_sz): NoSync

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
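
A read-only check of the workaround above, as an added example that is not part of the original article or of Domain Time II: it compares the three registry values the article states explicitly and reports only presence for the keys the article lists without a value. The function name Test-DomainTimeWorkaround and the output columns are assumptions.

```powershell
# Added example: read-only audit, makes no registry changes.
# Run on each Windows 2003 Server domain controller running Domain Time II (pre-v4.1).
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Greyware\Domain Time Server\Enabled Protocols'
       Name = 'NTP/SNTP (RFC 1769)'; Want = 'False' },   # Domain Time must not serve NTP
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
       Name = 'AnnounceFlags'; Want = 5 },               # 0x1 time server + 0x4 reliable time server
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
       Name = 'Type'; Want = 'NoSync' }
)

# Keys the article lists without a value name: presence is reported, nothing is compared.
$PresenceOnly = @(
    'HKLM:\SOFTWARE\Greyware\Domain Time Server\Parameters',
    'HKLM:\SOFTWARE\Greyware\Domain Time Client\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient',
    'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
)

# Hypothetical helper name; emits one object per checked key.
function Test-DomainTimeWorkaround {
    foreach ($c in $Checks) {
        # RegistryKey.GetValue avoids wildcard handling of the '/' and '()' in the value name.
        $key    = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($c.Name) } else { $null }
        # String comparison is case-insensitive, so 'false' also matches 'False'.
        $status = if ($null -eq $actual) { 'Missing' } elseif ("$actual" -eq "$($c.Want)") { 'OK' } else { 'Mismatch' }
        New-Object PSObject -Property @{
            Key = $c.Path; Value = $c.Name; Expected = $c.Want; Actual = $actual; Status = $status }
    }
    foreach ($p in $PresenceOnly) {
        $status = if (Test-Path -LiteralPath $p) { 'Present' } else { 'Absent' }
        New-Object PSObject -Property @{
            Key = $p; Value = '(not compared)'; Expected = $null; Actual = $null; Status = $status }
    }
}

Test-DomainTimeWorkaround |
    Select-Object Status, Key, Value, Expected, Actual |
    Format-Table -AutoSize
```

A Missing or Mismatch row on a domain controller is the first thing to check when clients log Event ID 53, 54 or 56.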