I'm new to this environment and unsure where to begin with some replication and time sync issues between two domain controllers. One (DC1) is a physical server with all the FSMO roles, and the other (DC2) is a virtual server running on DC1. When I run 'dcdiag' on DC1, I see several troubling errors regarding replication failures and time discrepancies. The errors indicate that DC2 seems unavailable, and some are pointing to Kerberos issues and time differences between servers. I've tried adjusting GPOs and running various time commands, but I'm still stuck. Any advice would be greatly appreciated!
3 Answers
It sounds like you might need to clarify which server has the accurate time and what NTP server you're targeting. If this is a production environment, consider removing DC2 since it appears to be causing more issues than it's worth. It's not doing its job and doesn't hold any FSMO roles. Just be cautious if you decide to go that route!
Before diving deeper into your configuration, make sure to check the actual time on both servers. Sometimes the virtual machine gets behind due to resource contention. If possible, set one server as the NTP source and enable time sync with the host for the VM. Also, keep an eye on your virtual CPUs; don't overload the physical host. Just a heads up to try these basic checks before anything else!
I checked the VM and host, and they both show the same time in Windows.
Check the DNS settings for both domain controllers—what are they using? Ensure that they point to each other and to localhost for backups. If they're synced to their local time sources, verify the time source with the command 'w32tm /query /source'. If everything else fails, consider demoting DC2, moving its file duties, and setting up a proper secondary DC. Good luck, it's a tricky situation!
They both have DNS configured to point to each other and themselves. I was thinking of checking the BIOS time on DC1—I'll report back what I find!
Both servers display the same time. I can't just turn off DC2 because it's also acting as our file server. Could I simply demote it to fix this?