Domain Time Slave Server logs report "Could not get time: error 87: The parameter is incorrect" or "Unable to fetch machine RID" warnings.
You may also see "WARNING: Slave could not contact master; attempting to fall back to cached list of master's servers" messages. The Slave
will be unable to synchronize time with the Master Server.
By default, when Domain Time Server is installed on Domain Controllers and are configured in the Slave role,
communication between a Domain Time Slave and its Master uses Windows Authentication, which uses the unique Windows SID/RID of the machine
to create a symmetric key that authenticates time packets. This key value is known both to the DC running as Master and to the machine
running the Slave.
However, if the SID/RID values on the Master and Slave(s) do not match, authentication cannot occur and synchronization fails.
This can happen on machines moved from other domains, or after newer patches or updates to the operating system which cause problems
obtaining the RID from the RPC Server service.
The simplest fix is simply to tell the Domain Time Slave to not request authentication from the Master. To do this,
open the Domain Time Server applet on the Slave, select the Obtain the Time property page and uncheck the
Authenticate time samples checkbox.
Alternately, you can change the Domain Role of the Slave to Independent Server
and manually configure the Server to get its time from the Master directly.
After making either of these changes, the machine will now be able to synchronize with the Master server and operate correctly.