The eventlogs on some of our MS Machines show very weird Kerberos errors:

For example we get 0xc KDC_ERR_POLICY errors, which indicate that the "Requested start time is later than end time" and in fact the client and server times shown in the error are extremly different.
Client Time: 2:18:7.0000 5/25/2025 Z 
Server Time: 12:51:57.0000 2/23/2016 Z 
Error Code: 0xc KDC_ERR_POLICY
The problem is:

a) the time on all servers looking at the gui is correct (nowhere near 2022) and
b) the (client) times in these errors jump into the past and future, so it is not consistently wrong.

Here is the setup:

2 dsfw-servers (Vmware VMs, sles11sp3+oes11sp2)
* sync their time against our internal ntp-servers

The MS-Servers in the domain sync against one of the dsfw-servers with the following parameters configured via gpo:

ntpserver: <dnsOfdsfwserver>,0x09
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpeciallPollintervall: 3600
eventlogflags: 0

a) is the setup correct?
b) Should we change the Type to NT5DS?

Any further suggestions?