vCenter disconnects from Active Directory following a reboot due to host time skew

Article ID: 430310

Products

VMware vCenter Server

Issue/Introduction

  • In the vCenter UI, the vCenter appliance shows as disconnected from the Active Directory (AD) domain. This disconnection occurs following every reboot of vCenter, despite successful manual joins to the domain via the vCenter GUI.

  • During the vCenter boot sequence, while the applmgmt service is active but other services are still initializing, the VAMI may briefly display an incorrect time. This discrepancy typically lasts a minute or two until the appliance fully synchronizes with its configured NTP sources.

  • vCenter Virtual Machine Configuration shows that it is set to synchronize its time with the host.
    • Right-click vCenter Virtual Machine > Edit Settings > VM Options tab > VMware Tools > Time > Synchronize time with host.

  • In vSphere Client, Select Host > Configure tab > System > Time Configuration.

    Status: "Stopped"
    NTP Servers: "None"

Environment

VMware vCenter Server 8.x

Cause

  • The issue is caused by a time skew between the vCenter appliance and Active Directory.

  • vCenter is configured via VMware Tools to sync its clock with the underlying ESXi host upon reboot. If the ESXi host has its Network Time Protocol (NTP) service disabled or misconfigured, the host propagates an inaccurate time to the vCenter appliance.

  • Active Directory authentication requires strict time synchronization to maintain a secure connection, but the vCenter appliance inherits the inaccurate host time during startup. This sudden time drift exceeds the Kerberos maximum clock-skew tolerance (typically 5 minutes) that AD enforces to prevent replay attacks, immediately breaking the domain trust and invalidating secure connections.

Resolution

Configure the NTP service on the underlying host to bring it into compliance with network time standards:

  1. In the vSphere client, select the ESXi Host.

  2. Navigate to Configure > System > Time Configuration and click Edit.

  3. Select Use Network Time Protocol (Enable NTP client).

  4. Set the Startup Policy to Start and stop with host.

  5. In the NTP Servers field, enter the [IP/FQDN] of your time server.

  6. Under Service Status, click Start, and then click OK to save your changes.
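The following PowerCLI script is an added example, not part of this article or of VMware's own tooling. It audits every ESXi host for the symptoms listed under Issue/Introduction (ntpd "Stopped", NTP Servers "None", startup policy not set to start with the host), optionally applies steps 3 to 6 of the Resolution when run with -Remediate, and reports whether the vCenter appliance VM is set to synchronize time with a host that fails the check. The vCenter address, NTP server names and the appliance VM name are placeholders you must replace; the script assumes the VMware.PowerCLI module is installed and that the account can manage host services.

```powershell
# Added example (not from the KB): audit and optionally remediate ESXi NTP
# configuration with VMware PowerCLI. All server names below are placeholders.
param(
    [Parameter(Mandatory)] [string]   $VCenter,        # e.g. vcsa.example.com (placeholder)
    [Parameter(Mandatory)] [string[]] $NtpServers,     # e.g. ntp1.example.com (placeholder)
    [string] $VCenterVmName = 'vcsa',                  # name of the vCenter appliance VM (placeholder)
    [switch] $Remediate                                # without this switch the script only reports
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$findings = @()
foreach ($vmhost in Get-VMHost) {
    $ntpd    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    $servers = @(Get-VMHostNtpServer -VMHost $vmhost)

    # The article's symptom: service "Stopped" and NTP Servers "None";
    # a startup policy other than 'on' means ntpd will not come back after a host reboot.
    $needsFix = (-not $ntpd.Running) -or ($servers.Count -eq 0) -or ($ntpd.Policy -ne 'on')

    $findings += [pscustomobject]@{
        Host       = $vmhost.Name
        NtpRunning = $ntpd.Running
        Policy     = $ntpd.Policy
        NtpServers = ($servers -join ',')
        NeedsFix   = $needsFix
    }

    if ($needsFix -and $Remediate) {
        # Resolution step 5: NTP servers
        foreach ($s in $NtpServers) {
            if ($servers -notcontains $s) {
                Add-VMHostNtpServer -VMHost $vmhost -NtpServer $s | Out-Null
            }
        }
        # Resolution step 4: "Start and stop with host"
        Set-VMHostService -HostService $ntpd -Policy 'on' | Out-Null
        # Resolution step 6: start the service now
        Start-VMHostService -HostService $ntpd | Out-Null
    }
}

$findings | Format-Table -AutoSize

# The appliance VM inherits the host clock via VMware Tools at boot (Issue bullet 3),
# so a host that failed the audit and carries the vCenter VM is the case this KB describes.
$vcsa = Get-VM -Name $VCenterVmName -ErrorAction SilentlyContinue
if ($vcsa) {
    $syncWithHost = $vcsa.ExtensionData.Config.Tools.SyncTimeWithHost
    $hostName     = $vcsa.VMHost.Name
    "vCenter VM '$($vcsa.Name)' runs on $hostName; Tools SyncTimeWithHost = $syncWithHost"
    $badHost = $findings | Where-Object { $_.Host -eq $hostName -and $_.NeedsFix }
    if ($syncWithHost -and $badHost) {
        Write-Warning "vCenter takes its time from $hostName, whose NTP is not configured; the next reboot will skew the appliance clock."
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remediate to see the per-host table, then with -Remediate to apply the article's steps; a final reboot of the appliance, as the Additional Information section recommends, is still the only confirmation that the AD join survives startup.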

Additional Information

  • A final test reboot is recommended to confirm these changes successfully allow the vCenter to maintain its AD connection permanently.

  • Even when NTP is configured on the vCenter appliance itself, vCenter initially pulls time from the host during startup because of the Virtual Machine level time-sync setting. Although the ntpd service corrects the clock shortly after boot, the transient time drift lasts long enough to break the Active Directory authentication token.