A systems administrator is investigating intermittent authentication failures for users trying to access resources on a Linux server that is a member of an Active Directory domain. The administrator checks the security logs on the server and finds multiple Kerberos pre-authentication failed messages with the error code "Clock skew too great". Basic network connectivity and DNS resolution to the domain controllers are functioning correctly. Which of the following commands should the administrator use FIRST to diagnose the time synchronization issue on the Linux server?
The correct answer is timedatectl status. The "Clock skew too great" error in a Kerberos environment indicates that the time difference between the client (the Linux server) and the Key Distribution Center (the Active Directory domain controller) is larger than the configured tolerance, which is typically 5 minutes. The first step in troubleshooting is to verify the current time and NTP synchronization status. On modern Linux systems that use systemd, the timedatectl status command provides a comprehensive overview of the system clock, time zone, and whether NTP synchronization is active and successful.
w32tm /query /status is the equivalent command for checking the time service on a Windows server, not a Linux server.
ntpdate pool.ntp.org is a command used to perform a one-time manual synchronization of the clock. While it might fix the issue, the proper troubleshooting methodology is to first diagnose the problem's current state before making changes.
nslookup dc01.domain.local is a command to test DNS resolution. The scenario explicitly states that DNS is already working correctly, making this step redundant.