Symptom & Impact
Users and services fail authentication when server clocks drift beyond Kerberos tolerance. Scheduled tasks and service tickets stop renewing reliably. Domain trust paths can appear intermittently broken between sites.
Quick Checks
Confirm current skew, NTP source hierarchy, and domain role of each affected server.
w32tm /query /status
w32tm /query /peers
Get-Date
nltest /dsgetdc:contoso.local
Deep Diagnosis
Inspect Event IDs for clock correction failures, virtual host sync conflicts, and unreachable upstream peers.
Get-WinEvent -LogName System -MaxEvents 120 | Where-Object {$_.ProviderName -eq 'Microsoft-Windows-Time-Service'}
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly
Primary Fix
Set authoritative NTP sources on the PDC emulator, then force a clean resync across member servers.
w32tm /config /manualpeerlist:'0.pool.ntp.org,0x8 1.pool.ntp.org,0x8' /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /force
Verification
Skew should remain within policy limits and Kerberos-related auth failures should stop.
w32tm /query /status
Get-WinEvent -LogName Security -MaxEvents 50 | Where-Object {$_.Id -in 4768,4771}
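The skew check above can be turned into a pass/fail result by parsing the `w32tm /stripchart ... /dataonly` samples from Deep Diagnosis. This is an added example, not part of the original page: the function name `Test-TimeSkew` is hypothetical, the sample output is constructed, and the 300-second default assumes the Kerberos default clock tolerance of 5 minutes.

```powershell
# Added example: flag w32tm /stripchart /dataonly samples that exceed a skew limit.
function Test-TimeSkew {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $Line,
        # Assumption: 300 s is the default Kerberos clock tolerance (5 minutes).
        # Set this to the value in your domain policy.
        [double] $LimitSeconds = 300
    )
    begin { $offsets = @(); $errors = 0 }
    process {
        # Data lines look like "10:00:00, +00.0213450s"
        if ($Line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+[.,]\d+)s') {
            $text = $Matches[1] -replace ',', '.'
            $offsets += [double]::Parse($text, [cultureinfo]::InvariantCulture)
        } elseif ($Line -match '^\d{1,2}:\d{2}:\d{2},\s*error') {
            $errors++   # no usable reply from the peer for this sample
        }
    }
    end {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
                  Measure-Object -Maximum).Maximum
        [pscustomobject]@{
            Samples        = $offsets.Count
            Errors         = $errors
            WorstOffsetSec = $worst
            # No successful sample means the check cannot pass.
            WithinLimit    = ($offsets.Count -gt 0) -and ($worst -le $LimitSeconds)
        }
    }
}

# Constructed sample output (not captured from a real host).
$sample = @'
Tracking time.windows.com [192.0.2.10:123].
Collecting 5 samples.
The current time is 1/1/2024 10:00:00 AM.
10:00:00, +312.4410023s
10:00:02, +312.4398120s
10:00:04, error: 0x800705B4
10:00:06, +312.4402551s
10:00:08, +312.4391007s
'@ -split "`r?`n"

$sample | Test-TimeSkew
# Live use:
# w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly | Test-TimeSkew
```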
Prevention & Hardening
Enforce time hierarchy standards and monitor stratum changes or large corrections in near real time.
w32tm /monitor
Get-Counter '\Windows Time Service\NTP Roundtrip Delay'
Get-Counter '\Windows Time Service\Computed Time Offset'

