KB20221018
Problem: You receive 'Could not get time: error 87: The parameter is incorrect' or 'Unable to fetch machine RID' messages in your Slave logs
Domain Time Slave Server logs report "Could not get time: error 87: The parameter is incorrect" or "Unable to fetch machine RID" warnings.
You may also see "WARNING: Slave could not contact master; attempting to fall back to cached list of master's servers" messages. The Slave
will be unable to synchronize time with the Master Server.
Cause
By default, when Domain Time Server is installed on Domain Controllers and is configured in the Slave role,
communication between a Domain Time Slave and its Master uses Windows Authentication, which uses the unique Windows SID/RID of the machine
to create a symmetric key that authenticates time packets. This key value is known both to the DC running as Master and to the machine
running the Slave.
However, if the SID/RID values on the Master and Slave(s) do not match, authentication cannot occur and synchronization fails.
This can happen on machines moved from other domains, or after newer patches or updates to the operating system that cause problems
obtaining the RID from the RPC Server service.
Solution
The simplest fix is to tell the Domain Time Slave not to request authentication from the Master. To do this,
open the Domain Time Server applet on the Slave, select the Obtain the Time property page and uncheck the
Authenticate time samples checkbox.
Alternatively, you can change the Domain Role of the Slave to Independent Server
and manually configure the Server to get its time from the Master directly.
After making either of these changes, the machine will be able to synchronize with the Master server and operate correctly.