PROBLEM

Domain member service reports the following when attempting to RDP from any Windows 10 workstation on the same domain or any Windows client from an external source:

• Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer’s clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.

Member Server Event Log contains:

• EVENTID 5719. This computer was not able to set up a secure session with a domain controller in domain due to the following: The RPC server is unavailable.

• EVENTID 1054. The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

ENVIRONMENT

MEMBER SERVER

• This is the only server exhibiting the issue.
• Windows Server 2012 Standard R2.
• File server.
• SQL server.
• Event log reports errors above.
• Cannot RDP to server when issue occurs.
• DNS address set as PDC and SDC IP addresses.

PDC

• Windows Server 2012.
• Holds all FSMO roles.
• GC.
• Windows Firewall disabled for testing.
• No ERRORS reported, operating normally.
• AD services.
• DNS service.
• WINS service.
• Can RDP to all nodes and autheticate with domain user credentials.

SDC

• Windows Server 2016.
• GC.
• Windows Firewall disabled for testing.
• No ERRORS reported, operating normally.
• AD services.
• DNS service.
• WINS service.
• Can RDP to all nodes and autheticate with domain user credentials.

EXCHANGE SERVER

• Windows Server 2008.
• Exchange Server 2007
• Also added as a member server.
• No ERRORS reported, operating normally.
• Can RDP to all nodes and autheticate with domain user credentials.

WINDOWS 10 CLIENTS

• All Windows 10 clients operating normally.
• Can RDP to all nodes and autheticate with domain user credentials.

Some further information that maybe important:

• I had another domain controller that died (vserver). It was manually removed from the domain using the correct procedure (meta data remove, transfer roles, delete from DNS etc). Satifited this is no longer and issue. Server name has not appeared in any error logs. DCDIAG on existing domain controller (PDC, SDC) reports no errors. This was many months ago.

• When the domain controller (vserver) died workstations reported time sync issues. This was resolved on all client work stations using the W32TM commands detailed below many months ago. This W32TM has not resolved has not resolve the issue with the problematic member server issues documented here.

DEBUGGING

MEMBER SERVER

• I can RDP and authenticate as a local user on the server when the issue occurs.
• I cannot RDP and authenticate as a domain user on the server when the issue occurs.
• If I reboot the server the issue is resolved for 24 hours approx.
• Ensuring network firewall allows time queries to external sources.
• W32tm /resync /rediscover (all executed elevated).
• W32tm /query /configuration.
• W32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update.
• w32tm /config /syncfromflags:domhier.
• net stop w32time && net start w32time.
• GPUPDATE does not resolve the problem.
• NIC settings have the DNS and WINS address set as PDC and SDC server IP addresses.
• Removed from the domain , domain join again using wizard tools.
• When the issues occurs NSLOOKUP will resolve internal sever.internal.com domain addresses.
• When the issues occurs NSLOOKUP will resolve internal extenal domain addresses.
• When the issues occurs google Chrome deployed on the server will not display a web page. DNS confirmed operatinal via NSLOOKUP. I have seen this behaviour from workstation that deployed the application FIDDLER as the IE PROXY address is set to the machine loopback IP. Confirmed FIDDLER not installed on this member server.
• See REF1. Tested MMC, connect to computer , load SECURITY LOG.
• Set GROUP POLICY to allow Allow Remote Administration Exception and Allow File and Printer Sharing Exception.
• Confirm Windows Management Instrumentation service running domain controllers and member server.
• Confirm TCP/IP NetBIOS Helper service is running on domain controllers and member server.
• Confirm Remote Procedure Call service is running on domain controllers and member server.
• See REF2. Enabled `FAST LINK' on servers managed switch port.

Member Server w32tm /query /configuration results

[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 30000 (Local)

[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: AllSync (Local)
NtpServer: time.windows.com (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)

Member Server w32tm /query /status result:

Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1455078s
Root Dispersion: 0.0777873s
ReferenceId: 0x0D4FEF45 (source IP:  13.79.239.69)
Last Successful Sync Time: 05/07/2017 13:31:40
Source: time.windows.com
Poll Interval: 12 (4096s)

Member Server RPCping result:

Completed 1 calls in 15 ms
66 T/S or  15.000 ms/T

Granted these tests above were performed several hours post reboot when the issue has not reoccurred yet. I can repeat the test and post the results upon reoccurrence.

PDC

• DCDIAG reports no issues.
• NSLOOKUP resolves internal and external addresses.

PDC w32tm /query /status result:

Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1517181s
Root Dispersion: 0.0426882s
ReferenceId: 0x338D2033 (source IP:  51.141.32.51)
Last Successful Sync Time: 05/07/2017 13:18:51
Source: time.windows.com
Poll Interval: 10 (1024s)

SDC

• DCDIAG reports no issues.
• NSLOOKUP resolves internal and external addresses.

SUMMARY

Seems clear its a time sync issue. I believe that is everything I have tried to date to debug and resolve this issue, will EDIT if I can remember anything else. Thank you for any help (desk / head / bang ). Keen to understand the root cause.

Scott

REFERENCES

REF1. http://social.technet.microsoft.com/wiki/contents/articles/4494.troubleshooting-the-rpc-server-is-unavailable.aspx

REF2. Spanning Tree blocking DHCP requests in Windows/BOOTP

REF2. https://nchrissos.wordpress.com/2013/04/26/configuring-time-on-windows-2008-r2-servers/

UPDATE-1

Edited following the comment from Joeqwerty (thank you Joe).

Current State

• No reocurence of this issue to date , approx 24 hours since this article was posted.
• No reboots.

Amendment

However the following change has been applied now (see REF3) on the problematic MEMBER SERVER:

• Reg Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type=NTP amended from NTP to NT5DS

• Windows Time service restarted..

• Output of w32tm /query /configuration now shows:

  [TimeProviders]
  NtpClient (Local)
  DllName: C:\Windows\system32\w32time.DLL (Local)
  Enabled: 1 (Local)
  InputProvider: 1 (Local)
  CrossSiteSyncFlags: 2 (Local)
  AllowNonstandardModeCombinations: 1 (Local)
  ResolvePeerBackoffMinutes: 15 (Local)
  ResolvePeerBackoffMaxTimes: 7 (Local)
  CompatibilityFlags: 2147483648 (Local)
  EventLogFlags: 1 (Local)
  LargeSampleSkew: 3 (Local)
  SpecialPollInterval: 3600 (Local)
  Type: NT5DS (Local)
  

• GPUPDATE applied

• Type: NT5DS (Local) still displayed when checking w32tm /query /configuration.

I need to leave this for a few days and try a reboot before I can confirm the issue has been resolved.

UPDATE-2

• Issue just reoccurred. An admin rebooted it before I could run any tests.
• On reboot w32tm /query /configuration still shows Type: NT5DS (Local)
• Will report back Monday.

• FYI w32tm /query /status

  Leap Indicator: 0(no warning)
  Stratum: 4 (secondary reference - syncd by (S)NTP)
  Precision: -6 (15.625ms per tick)
  Root Delay: 0.1827698s
  Root Dispersion: 7.8574884s
  ReferenceId: 0xC0A80103 (source IP:  192.168.1.3)
  Last Successful Sync Time: 06/07/2017 16:29:58
  Source: PDC.MYDOMAIN.COM
  Poll Interval: 10 (1024s)
  

Sorry for all the text.

UPDATE-3

No reoccurence of the RDP error document above yet but posted an update to highlight that at 0200 UTC the Member Server event log again started to report the EVENTID errors documented at the start of this thread chiefly:

• 5719. SOURCE NETLOGON. This computer was not able to set up a secure session with a domain controller in domain due to the following: The RPC server is unavailable.
• 1054. SOURCE GROUP POLICY. The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

In the past I found this was a precursor to the RDP connection / time sync problem given enough time.

In response I execute the following all from the MEMBER SERVER experiencing the issue:

• w32tm /query /status

  Leap Indicator: 0(no warning)
  Stratum: 4 (secondary reference - syncd by (S)NTP)
  Precision: -6 (15.625ms per tick)
  Root Delay: 0.8504282s
  Root Dispersion: 0.3015940s
  ReferenceId: 0xC0A80103 (source IP:  192.168.1.3)
  Last Successful Sync Time: 07/07/2017 06:08:58
  Source: PDC.MYDOMAIN.COM
  Poll Interval: 13 (8192s)
  

• w32tm /query /configuration

  [Configuration]
  EventLogFlags: 2 (Local)
  AnnounceFlags: 10 (Local)
  TimeJumpAuditOffset: 28800 (Local)
  MinPollInterval: 10 (Local)
  MaxPollInterval: 15 (Local)
  MaxNegPhaseCorrection: 4294967295 (Local)
  MaxPosPhaseCorrection: 4294967295 (Local)
  MaxAllowedPhaseOffset: 300 (Local)
  
  FrequencyCorrectRate: 4 (Local)
  PollAdjustFactor: 5 (Local)
  LargePhaseOffset: 50000000 (Local)
  SpikeWatchPeriod: 900 (Local)
  LocalClockDispersion: 10 (Local)
  HoldPeriod: 5 (Local)
  PhaseCorrectRate: 1 (Local)
  UpdateInterval: 30000 (Local)
  
  [TimeProviders]
  NtpClient (Local)
  DllName: C:\Windows\system32\w32time.DLL (Local)
  Enabled: 1 (Local)
  InputProvider: 1 (Local)
  CrossSiteSyncFlags: 2 (Local)
  AllowNonstandardModeCombinations: 1 (Local)
  ResolvePeerBackoffMinutes: 15 (Local)
  ResolvePeerBackoffMaxTimes: 7 (Local)
  vCompatibilityFlags: 2147483648 (Local)
  EventLogFlags: 1 (Local)
  LargeSampleSkew: 3 (Local)
  SpecialPollInterval: 3600 (Local)
  Type: NT5DS (Local)
  
  NtpServer (Local)
  DllName: C:\Windows\system32\w32time.DLL (Local)
  Enabled: 0 (Local)
  InputProvider: 0 (Local)
  VMICTimeProvider (Local)
  DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
  Enabled: 0 (Local)
  InputProvider: 1 (Local)
  

• RPCping

  Completed 1 calls in 1 ms
  1000 T/S or   1.000 ms/T
  

• Net time /Domain:mydomain.com.com

  Current time at \\PDC.MYDOMAIN.COM is 07/07/2017 06:51:29
  

• w32tm /query /source

  PDC.MYDOMAIN.COM
  

• W32tm /monitor /domain:mydomain.com

  PDC.MYDOMAIN.COM *** PDC ***[192.168.1.3:123]:
  ICMP: 0ms delay
  NTP: +0.0000000s offset from PDC.MYDOMAIN.COM
  RefID: (unknown) [0x33208D33]
  Stratum: 3
  SDC.MYDOMAIN.COM.COM[192.168.1.1:123]:
  ICMP: 0ms delay
  NTP: -0.0013367s offset from PDC.MYDOMAIN.COM
  RefID: PDC.MYDOMAIN.COM [192.168.1.3]
  Stratum: 4
  
  Warning:
  Reverse name resolution is best effort. It may not be
  correct since RefID field in time packets differs across
  NTP implementations and may not be using IP addresses.
  

The amended NT5DS settings are still in place. Give it a few hours and the RDP issues will reoccur. Not sure where to go from here sorry.

UPDATE-4

In response to Drifter104 , please find below the output of IPCONFIG/ALL for each node:

MEMBER SERVER

Windows IP Configuration
Host Name . . . . . . . . . . . . : memberserver
Primary Dns Suffix  . . . . . . . : mydomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.com

Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 330i Adapter
Physical Address. . . . . . . . . : 28-80-23-90-ED-D8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.25
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    192.168.1.3
Primary WINS Server . . . . . . . : 192.168.1.1
Secondary WINS Server . . . . . . : 192.168.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{C78DD9B1-685E-4DB0-BE2C-79D92494D094}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

PDC

Windows IP Configuration
Host Name . . . . . . . . . . . . : PDC
Primary Dns Suffix  . . . . . . . : mydomian.COM
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.COM

Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 332i Adapter #2
Physical Address. . . . . . . . . : 64-51-06-0D-EE-C9
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2440:bffc:b999:f930%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::217:c5ff:fe28:91cc%12
                                   192.168.1.25
DHCPv6 IAID . . . . . . . . . . . : 207900934
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-53-B2-D2-64-51-06-0D-EE-C9
DNS Servers . . . . . . . . . . . : 192.168.1.3
                                   192.168.1.1
                                   127.0.0.1
Primary WINS Server . . . . . . . : 192.168.1.1
Secondary WINS Server . . . . . . : 192.168.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0C6841BD-69AB-491B-819B-9167B188139A}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

SDC

Windows IP Configuration
Host Name . . . . . . . . . . . . : SDC
Primary Dns Suffix  . . . . . . . : mydomain.COM
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.COM

Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 332i Adapter
Physical Address. . . . . . . . . : 64-51-06-0D-EA-B8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e006:41b6:be7c:e580%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::217:c5ff:fe28:91cc%2
                                   192.168.1.25
DHCPv6 IAID . . . . . . . . . . . : 56905990
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-E6-6B-A7-64-51-06-0D-EA-B8
DNS Servers . . . . . . . . . . . : ::1
                                   192.168.1.1
                                   192.168.1.3
Primary WINS Server . . . . . . . : 192.168.1.3
Secondary WINS Server . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0A5E9C3A-B92E-4114-B0BF-5A30BCA821D7}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

MEMBER SERVER

WINS addresses removed on response to comment.

Windows IP Configuration
Host Name . . . . . . . . . . . . : memberserver
Primary Dns Suffix  . . . . . . . : mydomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.com

Ethernet adapter Ethernet:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 330i Adapter
Physical Address. . . . . . . . . : 28-80-23-90-ED-D8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.25
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    192.168.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{C78DD9B1-685E-4DB0-BE2C-79D92494D094}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Will power cycle the machine shortly.

UPDATE-5 10/07/17

72 hours since the last update the issue has recurred. RDP and attempt to authenticate with the domain administrator user results in:

Remote Desktop cannot verify the identity of the remote computer because there is a time or date difference between your computer and the remote computer. Make sure your computer’s clock is set to the correct time, and then try connecting again. If the problem occurs again, contact your network administrator or the owner of the remote computer.

• Login as a local member service admin is successful.

• w32tm /query /status

  Leap Indicator: 0(no warning)
  Stratum: 4 (secondary reference - syncd by (S)NTP)
  Precision: -6 (15.625ms per tick)
  Root Delay: 0.1826172s
  Root Dispersion: 0.1925883s
  ReferenceId: 0xC0A80103 (source IP:  192.168.1.3)
  Last Successful Sync Time: 10/07/2017 04:27:51
  Source: PDC.MYDOMAIN.COM
  Poll Interval: 15 (32768s)
  

• w32tm /query /configuration

  [Configuration]
  EventLogFlags: 2 (Local)
  AnnounceFlags: 10 (Local)
  TimeJumpAuditOffset: 28800 (Local)
  MinPollInterval: 10 (Local)
  MaxPollInterval: 15 (Local)
  MaxNegPhaseCorrection: 4294967295 (Local)
  MaxPosPhaseCorrection: 4294967295 (Local)
  MaxAllowedPhaseOffset: 300 (Local)
  
  FrequencyCorrectRate: 4 (Local)
  PollAdjustFactor: 5 (Local)
  LargePhaseOffset: 50000000 (Local)
  SpikeWatchPeriod: 900 (Local)
  LocalClockDispersion: 10 (Local)
  HoldPeriod: 5 (Local)
  PhaseCorrectRate: 1 (Local)
  UpdateInterval: 30000 (Local)
  
  [TimeProviders]
  NtpClient (Local)
  DllName: C:\Windows\system32\w32time.DLL (Local)
  Enabled: 1 (Local)
  InputProvider: 1 (Local)
  CrossSiteSyncFlags: 2 (Local)
  AllowNonstandardModeCombinations: 1 (Local)
  ResolvePeerBackoffMinutes: 15 (Local)
  ResolvePeerBackoffMaxTimes: 7 (Local)
  CompatibilityFlags: 2147483648 (Local)
  EventLogFlags: 1 (Local)
  LargeSampleSkew: 3 (Local)
  SpecialPollInterval: 3600 (Local)
  Type: NT5DS (Local)
  
  NtpServer (Local)
  DllName: C:\Windows\system32\w32time.DLL (Local)
  Enabled: 0 (Local)
  InputProvider: 0 (Local)
  VMICTimeProvider (Local)
  DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
  Enabled: 0 (Local)
  InputProvider: 1 (Local)
  

• RPCping

  Exception 1722 (0x000006BA)
  Number of records is: 10
  ProcessID is 65644
  System Time is: 7/10/2017 6:7:3:935
  Generating component is 18
  Status is 0x6BA, 1722
  Detection location is 1442
  Flags is 0
  NumberOfParameters is 1
  Unicode string:
  ProcessID is 65644
  System Time is: 7/10/2017 6:7:3:935
  Generating component is 18
  ETC .... (large result)
  

• Net time /Domain:mydomain.com.com

  The service has not been started.
  

• w32tm /query /source

  PDC.mydomain.COM
  

• W32tm /monitor /domain:mydomain.com

  GetDcList failed with error code:  0x800706BA.
  Exiting with error 0x800706BA
  

Progress of sorts.

• DCDIAG ON PDC. There is a "pointer device" exception which is not relevant and will clear.

  Directory Server Diagnosis
  
  Performing initial setup:
     Trying to find home server...
     Home Server = PDC
     * Identified AD Forest.
     Done gathering initial info.
  
  Doing initial required tests
  
     Testing server: Default-First-Site-Name\PDC
        Starting test: Connectivity
           ......................... PDC passed test Connectivity
  
  Doing primary tests
  
     Testing server: Default-First-Site-Name\PDC
        Starting test: Advertising
           ......................... PDC passed test Advertising
        Starting test: FrsEvent
           ......................... PDC passed test FrsEvent
        Starting test: DFSREvent
           ......................... PDC passed test DFSREvent
        Starting test: SysVolCheck
           ......................... PDC passed test SysVolCheck
        Starting test: KccEvent
           ......................... PDC passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... PDC passed test KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... PDC passed test MachineAccount
        Starting test: NCSecDesc
           ......................... PDC passed test NCSecDesc
        Starting test: NetLogons
           ......................... PDC passed test NetLogons
        Starting test: ObjectsReplicated
           ......................... PDC passed test ObjectsReplicated
        Starting test: Replications
           ......................... PDC passed test Replications
        Starting test: RidManager
           ......................... PDC passed test RidManager
        Starting test: Services
           ......................... PDC passed test Services
        Starting test: SystemLog
    A warning event occurred.  EventID: 0x80000109
                      Time Generated: 07/10/2017   07:15:13
              Event String: A pointer device did not report a valid unit of angular measurement.
           A warning event occurred.  EventID: 0x80000101
              Time Generated: 07/10/2017   07:15:13
              Event String: A pointer device reported a bad angular         physical range.
           ......................... PDC passed test SystemLog
        Starting test: VerifyReferences
           ......................... PDC passed test VerifyReferences
  
  
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test         CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test         CrossRefValidation
  
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test         CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test         CrossRefValidation
  
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
  
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test         CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test         CrossRefValidation
  
     Running partition tests on : MYDOMAIN
        Starting test: CheckSDRefDom
           ......................... MYDOMAIN passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... MYDOMAIN passed test CrossRefValidation
  
     Running enterprise tests on : MYDOMAIN.com
        Starting test: LocatorCheck
           ......................... MYDOMAIN.com passed test LocatorCheck
        Starting test: Intersite
           ......................... MYDOMAIN.com passed test Intersite
  

The member server is showing that it's using type AllSync and syncing with an external time source (time.windows.com). It should be using type NT5DS and syncing with one of the DC's. You should reconfigure w32time on the member server to fix that.