User profile for user: jemmo
jemmo Author
User level: Level 1
10 points

Active Directory Time Error

The last 3 days or so random Macs from our 350 or so here have been falling off our Active Directory domain. When trying to unbind/rebind them Directory Utility tells me all about how AD "only permits slight variations between clocks on your computer and the AD server." This I know - Kerberos will only allow up to 5 mins difference between a workstation and the server. For this reason we sync the server (main domain controller) with a network time service, and sync all workstations and other servers to that server. This has never been a problem, and indeed works fine - the time on the workstation exactly matches the server time/time zone/date, etc.

So why is the AD plugin (and Kerberos) telling me that the clocks are out of sync when they patently are not?

This is happening with Macs of all kinds - 10.3 to 10.5, Intels, PPCs, everything.

My current workaround is to stop the Mac getting its time from the server, changing the clock by a couple of seconds, and then re-binding. This generally works. The odd ones that this doesn't work on, or that fall off the domain again within 24 hours, I've removed from AD and have given local logins to for now. I'm getting to the point where I just want to scrap AD integration and get every machine locally authenticating!

Our AD guys swear there have been no patches or changes on their end. I am equally certain there have been no changes to the Macs. So what could it be???

All sorts, Mac OS X (10.4.11)

Posted on Mar 6, 2008 10:56 AM

Reply
2 replies
User profile for user: ChirpyT
ChirpyT
User level: Level 1
10 points

Mar 24, 2008 6:00 AM in response to jemmo

Oddly enough, we were having the same problem on our campus, and your email helped (in a very strange way) us find a solution.

Our two AD servers clocks' were off! One by 2.5 minutes, one by 5.5! Check the log on the AD server and see if it's had trouble connecting to it's time server. Once we told both AD servers what time it was (cue bad Chicago song) all the log in problems went away.

Hope this helps you out.
Reply
User profile for user: jemmo
jemmo Author
User level: Level 1
10 points

Mar 27, 2008 8:06 AM in response to ChirpyT

Thank you, this has (again, indirectly) solved the problem. I had asked out network administrator to check the time on both domain controllers a couple of weeks ago when the issue started. He had only checked the primary, assuming that the second DC was syncing time with that. Your helpful post prompted me to go check it myself and found a 6 minute difference between the two. Manually resetting the second DC to the same time as the first fixed the problem.

Now Mr Network Admin is left with the task of working out why dc2 isn't getting the right time. Me, I'm thankful that it's not my problem any more and just have the task of rebinding 60 or 70 machines.

Thanks!
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Active Directory Time Error

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up