Affected versions: Windows Server 2019

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Users and services intermittently fail authentication due to clock skew beyond Kerberos tolerance.

Environment & Reproduction

Windows Server 2019 domain with invalid upstream NTP configuration or VM host time conflicts.

w32tm /query /status
w32tm /monitor

Root Cause Analysis

PDC emulator uses incorrect time source or members sync from unreliable virtualization hosts.

Quick Triage

Identify authoritative time source and check current offset from DCs.

netdom query fsmo
w32tm /query /peers

Step-by-Step Diagnosis

Inspect W32Time configuration on PDC and compare offsets across critical servers.

w32tm /query /configuration
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } -MaxEvents 80

Solution — Primary Fix

Set reliable external NTP peers on PDC emulator and force hierarchy resync.

w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

Solution — Alternative Approaches

Use internal hardware NTP appliance if internet NTP is restricted.

w32tm /config /manualpeerlist:"10.10.0.50,0x8" /syncfromflags:manual /update

Verification & Acceptance Criteria

Offsets are within acceptable range and Kerberos errors stop.

w32tm /monitor
Get-WinEvent -LogName System -MaxEvents 30 | Where-Object Message -match 'Kerberos'

Rollback Plan

Revert to previous peer list if new NTP source is unstable.

w32tm /config /syncfromflags:domhier /update

Prevention & Hardening

Audit time configuration after virtualization host updates and DC role changes.

Get-ADDomainController -Filter * | ForEach-Object { w32tm /stripchart "/computer:$($_.HostName)" /samples:3 /dataonly }
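
Added example, not part of the original article: a PowerShell function that parses the `w32tm /stripchart /dataonly` output collected by the audit above and flags hosts whose worst offset is approaching Kerberos' default five-minute tolerance. The function name `Get-TimeOffsetReport`, the 60-second warning threshold, and the sample host names and output lines are assumptions constructed for illustration.

```powershell
# Added example. Get-TimeOffsetReport and the 60 s threshold are assumptions.
function Get-TimeOffsetReport {
    param(
        [string]   $ComputerName,
        [string[]] $StripChartOutput,   # lines from: w32tm /stripchart ... /dataonly
        [double]   $WarnSeconds = 60    # assumed alert level, below Kerberos' 300 s default
    )
    $offsets = @()
    $errors  = 0
    foreach ($line in $StripChartOutput) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            # Sample line such as "10:00:02, -00.0011111s": keep the magnitude.
            $value    = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            $offsets += [math]::Abs($value)
        } elseif ($line -match ',\s*error:') {
            $errors++                   # e.g. "10:00:04, error: 0x800705B4"
        }
    }
    $worst  = $null
    $status = 'NO_DATA'                 # host unreachable or NTP blocked
    if ($offsets.Count -gt 0) {
        $worst  = ($offsets | Measure-Object -Maximum).Maximum
        $status = if ($worst -ge $WarnSeconds) { 'SKEWED' } else { 'OK' }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Samples      = $offsets.Count
        Errors       = $errors
        WorstOffsetS = $worst
        Status       = $status
    }
}

# Constructed sample output (hypothetical hosts), so the script runs offline.
$sample = [ordered]@{
    'dc01.corp.example' = '10:00:00, +00.0012345s', '10:00:02, -00.0011111s', '10:00:04, +00.0012001s'
    'dc02.corp.example' = '10:00:00, +312.4410000s', '10:00:02, +312.4409000s', '10:00:04, error: 0x800705B4'
    'dc03.corp.example' = '10:00:00, error: 0x800705B4', '10:00:02, error: 0x800705B4'
}
$sample.GetEnumerator() | ForEach-Object {
    Get-TimeOffsetReport -ComputerName $_.Key -StripChartOutput $_.Value
} | Format-Table -AutoSize

# Live use on a domain-joined host with the ActiveDirectory module:
# Get-ADDomainController -Filter * | ForEach-Object {
#     $out = w32tm /stripchart "/computer:$($_.HostName)" /samples:3 /dataonly
#     Get-TimeOffsetReport -ComputerName $_.HostName -StripChartOutput $out }
```

With the constructed data, dc01 reports OK, dc02 reports SKEWED with one sample error, and dc03 reports NO_DATA, which separates a drifting clock from a host that simply could not be queried.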

Related Errors & Cross-Refs

Linked with KRB_AP_ERR_SKEW and AD replication inconsistencies.

References & Further Reading

Microsoft Learn: Windows Time service and AD domain time hierarchy.