While replacing hardware in a branch office, you discover that a Windows Server 2022 virtual machine is online but no domain users can sign in through either the console or Remote Desktop. You can log on locally with the built-in Administrator account. Event Viewer shows repeated Audit Failure entries with error KRB_AP_ERR_SKEW and a System log Time-Service event ID 129. The VM's clock is more than five hours ahead of the domain controllers, and the Windows Time (w32time) service is currently Stopped. What should you do first to restore domain users' ability to log on to the server?
Start the Windows Time (w32time) service and force an immediate clock synchronization with a domain controller.
Remove the computer account from Active Directory and re-join the server to the domain.
Reset the passwords of affected user accounts and clear any lockouts.
Enable NTP synchronization on the hypervisor host and reboot the virtual machine.
Kerberos authentication will not issue tickets when the client and domain controller clocks differ by more than the Maximum tolerance for computer clock synchronization setting (five minutes by default). Because the Windows Time service is stopped, the server's clock has drifted by several hours, triggering the KRB_AP_ERR_SKEW failures that prevent domain logon. Restarting the Windows Time (w32time) service and forcing an immediate resync (for example, with w32tm /resync) realigns the server's clock with a domain controller, bringing the time skew back within policy and allowing Kerberos logons to succeed. Removing and re-joining the computer account, resetting user passwords, or adjusting host-level NTP will not correct the current time discrepancy quickly enough and are not required once time is synchronized.