Active Directory Error: Clock Skew too Great or Time Difference at Domain Controller

Symptoms

  • Clients > Active Directory may say:

Clock skew too great (37) - Clock skew too great (37) - Identifier does not match expected value (906)

  • System > Settings > Active Directory, on attempting to join it may say

"Error joining domain: T2007.SLC.REVINETIX.COM Failed to join domain: Time difference at domain controller Correct the time differences and try again."

  • There may be other error messages, including CFA discovery problems. Please [contact](https://www.infrascale.com/support){:target='\_blank'} Infrascale Support for confirmation.

Diagnosis
The time difference between the domain controller and the CFA is too great.


To overcome this ensure that the Domain Controller and CFA clocks are running the same date and time to within one minute. This setting may be adjustable via AD settings, but the one-minute variable seems to be the default.

Prognosis

  • Identify a domain controller's IP_ADDRESS for the domain which the CFA is to be a member
  • Connect via SSH (See the "Creating a Support Tunnel" kb article for instructions on how to connect via ssh/putty.) Come back to these instructions after logging in using ssh and issue the following commands as root:
    • service ntpd stop
    • ntpdate IP_ADDRESS
    • IP_ADDRESS is, for example, 172.16.30.0
    • service ntpd start

System > Settings > Active Directory should either show it joined or allow joining at this point.


Active Director Error : "Error joining domain: XXX has no support for encryption type (14) - XXX has no support for encryption type (14) - Identifier does not match expected value (906)"

Symptom:

You see the following error when attempting to log into the Active Directory under System > Settings > Active Directory:

Resolution:

  • On the AD server, find the user that you are using to connect the CFA to AD.
  • Right Click the user > Select Properties > Select Account Tab > Check the box for "use Kerberos DES encryption for this account" > Select OK
  • Reset the password on that account (it is OK to reset it to the same thing it is already set to)