To resolve this issue, identify the time skew between this Domain Controller and the VCSA.
To check and set the date on the VCSA:
- SSH to the VCSA with root credentials.
- Execute the date command and compare the time value to that of the Domain Controller.
- If the time needs to be changed to be in sync, execute this command:
date -s "HH:MM:SS" ; date
- Verify the result against the Domain Controller's current time.
- Attempt to re-add the users.
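The comparison in the steps above is easy to misread when the VCSA reports UTC and the Domain Controller reports local time. The following added example (not part of the original article or any VMware tooling) converts both readings to epoch seconds before comparing them. It assumes GNU date and the default Kerberos tolerance of 300 seconds; the function names and sample timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two clock readings as epoch seconds so that a
# time-zone difference between the VCSA and the Domain Controller neither
# hides nor fakes a skew. Assumes GNU date (-d). All names are hypothetical.

MAX_SKEW=300   # assumed tolerance: Kerberos default of 5 minutes

# to_epoch "<timestamp with zone name or UTC offset>" -> seconds since epoch
to_epoch() {
    date -u -d "$1" +%s
}

# skew_seconds "<VCSA time>" "<DC time>" -> absolute difference in seconds
skew_seconds() {
    a=$(to_epoch "$1") || return 2
    b=$(to_epoch "$2") || return 2
    d=$((a - b))
    if [ "$d" -lt 0 ]; then
        d=$((0 - d))
    fi
    echo "$d"
}

# check_skew "<VCSA time>" "<DC time>"
# returns 0 within tolerance, 1 above tolerance, 2 on an unparseable input
check_skew() {
    s=$(skew_seconds "$1" "$2") || {
        echo "unparseable timestamp" >&2
        return 2
    }
    if [ "$s" -gt "$MAX_SKEW" ]; then
        echo "SKEW ${s}s exceeds ${MAX_SKEW}s"
        return 1
    fi
    echo "OK ${s}s within ${MAX_SKEW}s"
}

# Stand-alone use with constructed sample values:
#   ./skew.sh "2024-03-01 12:00:00 UTC" "2024-03-01 07:08:30 -0500"
if [ "$#" -eq 2 ]; then
    check_skew "$1" "$2"
fi
```

Always include the zone or UTC offset with each reading; a timestamp without one is interpreted as UTC here, which can be wrong for a Domain Controller that displays local time.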
It is possible that the Domain Controller may be part of a trusted domain and out of sync with its Primary Domain Controller (PDC). If this is the case, the Domain Controller time skew must be resolved.
Note: This is something that should be resolved with Microsoft support. Once this is done, you should be able to add domain users without issues.
To identify the time skew error:
- SSH to the VCSA with root credentials.
- Execute this command:
tcpdump > /tmp/tcpdump.txt
- SCP the tcpdump.txt file to a local workstation and import it into Wireshark for analysis.
- Alternatively, grep the tcpdump.txt file for the time skew error:
example: grep -i KRB5KRB_AP_ERR_SKEW /tmp/tcpdump.txt