Be mindful of the Current Time

If you ever run into the message “The current time on the computer and the current time on the network are different” when trying to log on, you will probably log on to the domain controller and try to assess how far the time has drifted within your domain or between the domains in your forest. As you might know, Active Directory is picky about time, because Kerberos authentication does not accept timestamps that differ by more than 5 minutes between the machine that is trying to host the login and the domain controller.

In one such case, I could log into the domain controller with an administrative account in the domain of the domain controller. However, when trying to log into the domain controller with an account from a trusted domain, I kept getting the same error message and denied logon. The domain controller is hosted off-site in another timezone.

I made sure both domain controllers were synchronised correctly, manually corrected the time (which was already synchronous) and even rebooted the faulty domain controller.

It was only when I went to check the Timezone settings that I found something peculiar: the time zone settings indicated that the location was 3 hours ahead of GMT, while my location was 1 hour ahead. And still, the difference between my location’s time and the culprit’s location was only one hour.

Again, the error was in a Daylight Saving Time setup which was outdated, as described in one of my previous posts, and in the local admin manually correcting the time to a time which was actually one hour behind our domain’s time.
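Kerberos timestamps are expressed in UTC, so a wall clock that looks right under a wrong time zone offset still produces a skewed timestamp. The following is an added example, not code from the original post, that models the situation described above; the date, the wall-clock readings and the remote site's true offset of UTC+2 are assumptions constructed to match the offsets mentioned in the text.

```python
from datetime import datetime, timedelta, timezone

# Kerberos tolerance mentioned in the post.
MAX_SKEW = timedelta(minutes=5)


def effective_utc(wall_clock: datetime, configured_offset_hours: int) -> datetime:
    """UTC instant a host derives from the local time it displays and the
    time zone offset it is configured with."""
    if wall_clock.tzinfo is not None:
        raise ValueError("wall_clock must be a naive local time")
    zone = timezone(timedelta(hours=configured_offset_hours))
    return wall_clock.replace(tzinfo=zone).astimezone(timezone.utc)


def skew(a_utc: datetime, b_utc: datetime) -> timedelta:
    """Absolute difference between two UTC instants."""
    return abs(a_utc - b_utc)


def within_tolerance(a_utc: datetime, b_utc: datetime,
                     max_skew: timedelta = MAX_SKEW) -> bool:
    return skew(a_utc, b_utc) <= max_skew


def scenario() -> dict:
    """Constructed sample values: home site shows 12:00 at UTC+1, remote
    site shows 13:00 (one hour ahead on the wall clock, as in the post)."""
    home = effective_utc(datetime(2024, 1, 15, 12, 0), 1)
    # Outdated zone data: host believes it is at UTC+3, clock set by hand.
    remote_stale = effective_utc(datetime(2024, 1, 15, 13, 0), 3)
    # Same wall clock after the zone is corrected to the assumed UTC+2.
    remote_fixed = effective_utc(datetime(2024, 1, 15, 13, 0), 2)
    return {
        "stale_zone": (skew(home, remote_stale),
                       within_tolerance(home, remote_stale)),
        "fixed_zone": (skew(home, remote_fixed),
                       within_tolerance(home, remote_fixed)),
    }


if __name__ == "__main__":
    for name, (delta, ok) in scenario().items():
        print(f"{name}: skew={delta}, accepted={ok}")
```

With the stale zone the remote host's UTC time is one hour behind even though its displayed time is plausible, which is why resetting the clock by hand does not help and correcting the time zone data does.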

You can use the following Microsoft Knowledge Base article to read up on making sure your domains are up to date with new Timezone settings: http://support.microsoft.com/kb/914387/en-us

 

wooter

 
