This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 98%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
I am the administrator of an Active Directory that consists of 4 domain controllers. 3 of them are Windows 2012 R2, and one Windows 2008 R2. Our Palo Alto firewall is ntp time syncronized against the PDC domain controller, one of the Windows 2012 R2. Yesterday I removed the Windows 2008 R2 DC, and set it one DC under Windows 2019. I gave the same name and IP than the removed server, but firts, I assured that no rests of the older domain controller was in the domain. Everything works well, except the NTP Palo alto against Windows 2012 Domain controller. PDC is configured as authoritative NTP server, synchronized correctly against external NTP servers, and the rest of Domain Controllers, Member servers and client domain computers are configured with default settings, I.E NT5DS, and everything works perfect. But Palo Alto throws a 'rejected' error when use Windows PDC time server as NTPServer. The logs says 'Authentication error'. The same error occurs if we configure any of the domain controllers as NTP provider in Palo Alto configuration. The only way to syncronize Palo Alto is using external servers. Is there any way to solve this? Why yesterday worked well and today it doesn't? What can have changed? Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
You should be sure that you don't have network flow blocked. you can download the free tools provided by Microsoft to do check if the NTP port is well opened:
https://www.microsoft.com/en-us/download/details.aspx?id=24009
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Not clear but it sounds like the palo alto firewall no longer can get time from PDCe? If so I'd probably ask the firewall hardware vendor for help.
--please don't forget to Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
According to our description, everything works perfect except the Palo Alto firewall throws error. Agree with Dave, it is suggested that we could contact the firewall vendor for assistance.
Thanks for your time and support.
Best regards,
Hannah Xiong
Thanks for your help. A restart of NTP Domain controller server made it work again.