KB2005.1104
Problem: Windows Time clients do not synchronize with Windows domain controller running Domain Time II

This article applies to Domain Time II.

Last Updated: 4 November 2010

Problem

    Windows Time clients do not synchronize with Windows domain controller running Domain Time II.

Details

    You may also see one or more of the following messages in the event logs:

    • Event ID: 53 NTP server [machine name] returned an incorrectly signed time stamp

    • Event ID: 54 The Windows Time Service was not able to find a Domain Controller.

    • Event ID: 56 The Domain Controller [machine name] in [domain] returned an incorrectly signed time stamp

Background

    With Windows 2003 Server, Microsoft introduced several changes to the included w32time service. One of the effects of these changes is that machines running w32time clients in NT5DS mode can only locate secondary domain controllers where w32time is advertising itself as a reliable time server.

    In addition, with Service Pack 1, Microsoft further changed the behavior of Windows Time service (w32time) on Windows 2003 Server domain controllers to require the use of undocumented signed time extensions when communicating with w32time clients using NTP. This causes Windows Time clients to refuse time provided by any standard NTP time source such as Domain Time, a hardware clock, a UNIX time server, etc.

    Since only one time service can listen and respond to NTP requests on a machine at one time, the default behavior for Domain Time II Server on versions earlier than v4.1 was to have the Domain Time service provide NTP (if the NTP protocol was enabled on the Domain Time control panel applet) and for the Windows Time service to be set so that it did not attempt to respond to NTP requests. However, with the changes to the Windows Time service introduced in Windows 2003 Server, it is necessary to allow the Windows Time service to provide NTP and for Domain Time to only serve other protocols.

    When installing or upgrading to Domain Time II Version 4.1 Server or Client, the software makes the necessary adjustments to w32time to allow it to synchronize properly with w32time systems using the NTP protocol, while still continuing to allow Domain Time to obtain the time from an external source, to manage the system clock accurately, and to serve time to Domain Time, Time ITP, and other time clients using their own protocols.

    For versions prior to v4.1, manual adjustment of registry parameters for both the Domain Time and Windows Time services on domain controllers is required.

Solutions

    Preferred: Upgrade to Domain Time II version 4.1 or later. On version 5.x or later, ensure that Windows Authentication is enabled.

     

    Workaround for versions prior to v4.1:
    The following registry changes must be made on every Windows 2003 Server domain controller running Domain Time II:

    HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Server\Enabled Protocols

      Key: NTP/SNTP (RFC 1769)
      Value (reg_sz): False

    (if running Domain Time II Server)
    HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Server\Parameters

      Key: Force Windows Time Startup
      Value (dword): 2

      Key: Force Windows Time State
      Value (reg_sz): NoSync

    (if running Domain Time II Client)
    HKEY_LOCAL_MACHINE\SOFTWARE\Greyware\Domain Time Client\Parameters

      Key: Force Windows Time Startup
      Value (dword): 2

      Key: Force Windows Time State
      Value (reg_sz): NoSync

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

      Key: AnnounceFlags
      Value (dword): 5

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

      Key: Type
      Value (reg_sz): NoSync

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

      Key: Enabled
      Value (dword): 0

      Key: InputProvider
      Value (dword): 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

      Key: Enabled
      Value (dword): 1

      Key: InputProvider
      Value (dword): 0

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2018 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.