Failure Scenario

Kerberos breaks after time drift correction even though replication appears healthy.

This is the classic “we fixed the time, but auth is still broken” incident. The root issue is usually not replication alone, but delayed convergence of ticket state, source selection, or trust flow, or a time hierarchy that is still misaligned.

Time correction solves one dependency, not the whole auth chain.

Kerberos depends on more than current wall-clock alignment. Ticket issuance, cached credentials, DC selection, trust path, and ongoing W32Time source behavior all affect whether authentication actually stabilizes after a skew event.

Confirm that the time problem is truly over.

  • Validate current source, status, and offset with `w32tm /query /status /verbose`.
  • Confirm the affected hosts have rejoined the expected domain time hierarchy or approved manual peers.
  • Check whether authentication attempts still target a lagging or unhealthy domain controller.
  • Verify cached tickets, service tickets, and service account dependencies in the failing path.
  • Look for trust or secure-channel issues that the original drift exposed rather than created.

Rebuild trust from time source outward.

  • Stabilize time source and offset first on the PDC path and the affected members.
  • Recheck KDC selection and whether clients still talk to stale or remote DCs.
  • Retest authentication using the same user, service, and host path that originally failed.
  • If auth still fails, move from time troubleshooting into ticket, trust, and DC-health analysis.
  • Document whether time drift was root cause or only the first visible symptom.
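
The checks above, collected into one read-only pass to run on an affected member. This is an added example, not part of the original runbook. It assumes English-language tool output, Windows PowerShell 5.1 and the default 5-minute Kerberos skew tolerance; `Get-W32Field` and the variable names are hypothetical.

```powershell
# Added example: read-only post-drift checks on one affected domain member.
# Assumptions: English-language tool output, Windows PowerShell 5.1.
$MaxSkewSeconds = 300  # Kerberos default clock-skew tolerance; assumes the policy default
$inv = [cultureinfo]::InvariantCulture

# 1. Time: source, phase offset and last sync result as W32Time reports them.
$status = w32tm /query /status /verbose
function Get-W32Field([string]$Name) {   # hypothetical helper: one "Name: value" line
    $m = $status | Select-String -Pattern "^$Name\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
}
$source    = Get-W32Field 'Source'
$rawOffset = Get-W32Field 'Phase Offset'
if (-not $rawOffset) { throw "W32Time status unavailable: $($status -join ' ')" }
$offsetSec = [double]::Parse($rawOffset.TrimEnd('s'), $inv)
# These sources mean the host follows neither the domain hierarchy nor a manual peer.
$offHierarchy = $source -match 'Local CMOS Clock|Free-running System Clock'

# 2. DC selection: which DC the locator hands this host, and the offset to that DC.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$dcLine = nltest /dsgetdc:$domain |
    Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
$dc = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value }
$worst = $null
if ($dc) {
    $worst = (w32tm /stripchart /computer:$dc /samples:3 /dataonly |
        Select-String -Pattern ',\s*([+-]\d+\.\d+)s' |
        ForEach-Object { [math]::Abs([double]::Parse($_.Matches[0].Groups[1].Value, $inv)) } |
        Measure-Object -Maximum).Maximum
}

# 3. Cached tickets: which KDCs issued what this logon session still holds.
$kdcs = klist | Select-String -Pattern 'Kdc Called:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

# 4. Summary, including the machine secure channel to the domain.
[pscustomobject]@{
    TimeSource         = $source
    OffHierarchy       = $offHierarchy
    PhaseOffsetSec     = $offsetSec
    LastSyncError      = Get-W32Field 'Last Sync Error'
    SelectedDC         = $dc
    WorstOffsetToDCSec = $worst
    WithinKerberosSkew = ($null -ne $worst) -and ($worst -lt $MaxSkewSeconds)
    SecureChannelOk    = Test-ComputerSecureChannel
    TicketKdcs         = $kdcs -join ', '
}
```

If every field looks healthy and authentication still fails, that is the point to move from time troubleshooting into ticket, trust, and DC-health analysis.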