After returning to work from vacation over Christmas/New Years, I discovered some – but not all – servers had time issues. Specifically, some servers were behind by about a minute and a half. For some background, I moved our FSMO roles to our secondary site in early December so that we could rewire our primary data center (mission accomplished…). Those roles are still in our secondary data center. All domain controllers are Windows Server 2012 R2. A step was missed, however, in that our previous FSMO domain controller was also our NTP server. This means the server that verified time outside of our domain was no longer holding the PDC Emulator role…..and time started to drift.
Since we have stayed under the threshold for Kerberos failure (about 4 minutes from what I can tell), this has not manifested in any “real” issue yet. I also tracked down the reason some servers were “on time” (i.e. they were synced with the original domain controller, which was still accurate) and some were “behind” (they were synced with the “new” primary domain controller). An old GPO was pointing these few servers to the wrong place….
Quick fix – after hours, migrate the roles back to the original site since we’re done with the rewire. Reduce the polling interval to 900 from the current 3600. Manually sync the other domain controllers, and in 15 minutes all should be synced and back to normal. Longer term we will retire the old GPO and document “time” changes for the next time we fail over these roles.
Here are a few helpful links: