Windows Active Directory Authentication

Microsoft Active Directory authentication is one of the best known features of any domain built on Windows Server. Active Directory Domain Services (AD DS), introduced with Windows 2000 Server as the successor to the Windows NT 4.0 domain model, gave enterprises a central directory that authenticates users and computers (with Kerberos by default, and NTLM for legacy cases) so that access to resources can be authorized against one identity store instead of per-machine accounts, and so that nobody gets in without proper authentication and authorization being enforced.

Using Windows Active Directory authentication is straightforward, but like any distributed system it occasionally runs into problems. Most of these arise when a machine loses contact with its domain controllers for an extended period, or when a client or a domain controller is altered in ways it should not be (for example a domain controller rolled back to an old image or virtual-machine snapshot).

The first thing to check when integrated Windows authentication against Active Directory fails is whether the domain controllers are replicating with each other. There is no single "main" domain controller: every writable domain controller holds a full replica of the directory and replication is multi-master, with the FSMO role holders (the PDC emulator among them) covering only a few special functions. Domain controllers stop accepting replication from a partner when they detect that the partner's copy of the directory is inconsistent with their own, which usually means one of the machines was changed out of band: restored from a backup or snapshot without the proper procedure (a USN rollback), or left disconnected for longer than the tombstone lifetime so that it still holds objects the rest of the domain has deleted (lingering objects). The affected controller is quarantined rather than silently merged, which protects the rest of the directory from corrupted data, but the quarantined machine's data can no longer be trusted and the problem does not fix itself when the machine comes back online.

When this happens, replication has to be repaired manually. The tool for this is not ADMT (the Active Directory Migration Tool moves users, groups and computers between domains and forests; it does nothing for replication within a domain) but repadmin, together with dcdiag: repadmin /showrepl and repadmin /replsummary show which partner links are failing and with what error, dcdiag /test:replications checks the same from the diagnostic side, and repadmin /syncall forces a replication cycle once the cause has been removed. A controller that has suffered a USN rollback (event 2095 in the Directory Service log) must be demoted and promoted again, or restored from a supported backup; lingering objects are removed with repadmin /removelingeringobjects. In no case should you simply wipe and reinstall a broken domain controller without demoting it first: the surviving controllers keep the dead machine's NTDS Settings, server and computer objects, keep trying to replicate with it, and will not let you reuse its name cleanly. Demote it with Uninstall-ADDSDomainController (dcpromo on older versions), and if the machine is already gone, remove its leftovers with ntdsutil's metadata cleanup (or, on Windows Server 2008 and later, by deleting the server object in Active Directory Sites and Services), which removes it from every replica.
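The replication check described above, as an added example that is not part of the original article. It is a PowerShell script for a domain-joined administrative workstation with the RSAT ActiveDirectory module installed; the domain name corp.example, the server DC2 and the site name in the metadata-cleanup comment are hypothetical placeholders.

```powershell
# Added example (not from the original article): find domain controllers that are not
# replicating, and look for the quarantine conditions (USN rollback, lingering objects).
# Assumes RSAT and rights to read replication metadata and the Directory Service log.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# There is no "main" DC: every writable DC is a replication peer. Only the FSMO
# role holders are special, and the PDC emulator is the one that matters for time.
"Domain: $($domain.DNSRoot)   PDC emulator: $($domain.PDCEmulator)"
"Domain controllers: $(($dcs.Name) -join ', ')"

foreach ($dc in $dcs) {
    # Per-partner inbound replication status, the same data repadmin /showrepl reports.
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
    if (-not $meta) { Write-Warning "$($dc.Name): could not read replication metadata (DC unreachable?)"; continue }

    foreach ($p in $meta) {
        # Partner is the DN of the peer's NTDS Settings object; the second RDN is the server name.
        $partner = ($p.Partner -split ',')[1] -replace '^CN='
        $sinceOk = (Get-Date) - $p.LastReplicationSuccess
        if ($p.LastReplicationResult -ne 0 -or $sinceOk.TotalHours -gt 24) {
            Write-Warning ("{0} <- {1} [{2}]: last success {3}, last result 0x{4:x}, {5} consecutive failures" -f
                $dc.Name, $partner, $p.Partition, $p.LastReplicationSuccess,
                $p.LastReplicationResult, $p.ConsecutiveReplicationFailures)
        }
    }

    # 2095 = USN rollback, 2042 = partner disconnected past the tombstone lifetime,
    # 1388/1988 = lingering objects detected (loose / strict replication consistency).
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2042, 1388, 1988
        StartTime = (Get-Date).AddDays(-7)
    }
    foreach ($e in $events) {
        Write-Warning ("{0}: Directory Service event {1} at {2}" -f $dc.Name, $e.Id, $e.TimeCreated)
    }
}

# Forest-wide summary of failures, then force a full replication cycle once the cause is fixed.
repadmin /replsummary
dcdiag /test:replications
repadmin /syncall /AdeP

# If a DC was rebuilt or destroyed without being demoted, the surviving DCs still carry its
# objects. Remove them so they stop trying to replicate with it (hypothetical server DC2):
#   ntdsutil "metadata cleanup" "remove selected server CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example" q q
```

A non-zero LastReplicationResult is a Win32 error code, so 0x2 (the tombstone-lifetime quarantine, ERROR_DS_REPL_CONNECTION... reported by repadmin as 8614) and 0x1a5a style values can be looked up with `net helpmsg <decimal>`; the warnings above deliberately print hex so they match repadmin's output.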

Another very common cause of failed Windows authentication against Active Directory is clocks that have drifted because machines are not synchronized to a proper time source. Kerberos, the default authentication protocol in a domain, embeds timestamps in its authenticators and tickets, and a domain controller rejects a request whose timestamp differs from its own clock by more than the configured tolerance (five minutes by default, the "Maximum tolerance for computer clock synchronization" setting in the domain's Kerberos Policy), returning the error KRB_AP_ERR_SKEW. This check is not there to stop a machine that has been off the domain from rejoining; it is what limits replay of a captured authenticator to a window of a few minutes, so it is a protection worth keeping.

The fix is not to loosen the tolerance on the domain controllers (raising it widens the replay window for the whole domain) but to have every machine, servers included, keep correct time. Inside a domain this is largely automatic: the Windows Time service on domain members follows the domain hierarchy and synchronizes to a domain controller, the other domain controllers synchronize to the PDC emulator, and only the PDC emulator needs to be configured with an external NTP source. Skew errors therefore usually point at a machine whose clock was set by hand, a virtual machine taking time from its host instead of the domain, a PDC emulator with no reliable external source, or a client that was off the network long enough to drift past the tolerance. Running a server on deliberately wrong time is bad policy in any case, and fixing the time source is far cheaper than living with intermittent logon failures.
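The clock check and the time-hierarchy configuration described above, as an added example that is not part of the original article. It is a PowerShell script run on a domain member with the RSAT ActiveDirectory module; the NTP server names in the configuration comments are placeholders, and the five-minute tolerance is the Kerberos Policy default rather than a value read from the domain.

```powershell
# Added example (not from the original article): measure this machine's clock offset from the
# PDC emulator, check where each DC takes its time from, and show the w32tm commands that
# set up the correct hierarchy. Names of NTP servers below are hypothetical.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$maxSkewSeconds = 5 * 60   # Kerberos Policy default: "Maximum tolerance for computer clock synchronization"

# 1. Where does this machine get time from? A domain member should report a DC
#    (domain hierarchy), not "Local CMOS Clock" or "VM IC Time Synchronization Provider".
"Time source on $env:COMPUTERNAME: $(w32tm /query /source)"

# 2. Offset against the PDC emulator. Each /stripchart data line looks like
#    "12:34:56, +00.0123456s" (or "12:34:56, d:+00.0123456s" without /dataonly).
$lines   = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*(?:d:)?([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Could not sample time from $pdc (NTP port 123/udp blocked, or w32time stopped?)"
} else {
    $offset = ($offsets | Measure-Object -Average).Average
    "Average offset from $pdc : {0:N3} s" -f $offset
    if ([math]::Abs($offset) -gt $maxSkewSeconds) {
        Write-Warning ("Clock is {0:N0} s off the PDC emulator; Kerberos will answer KRB_AP_ERR_SKEW until it is corrected" -f $offset)
    }
}

# 3. Check every DC's source. Only the PDC emulator should point at an external server;
#    the rest should say "domain hierarchy"... a DC reporting the hypervisor or its local
#    CMOS clock is the usual root cause of domain-wide skew.
foreach ($dc in Get-ADDomainController -Filter *) {
    $src = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock { w32tm /query /source }
    "{0,-20} source: {1}" -f $dc.Name, ($src -join ' ')
}

# 4. Corrective configuration (run where indicated; shown as comments so this script is read-only).
#    On the PDC emulator only: take time from external NTP servers and advertise as reliable.
#      w32tm /config /manualpeerlist:"ntp1.example.net,0x8 ntp2.example.net,0x8" /syncfromflags:manual /reliable:yes /update
#    On every other DC and on clients: follow the domain hierarchy.
#      w32tm /config /syncfromflags:domhier /update
#    Then, on the machine just reconfigured:
#      Restart-Service w32time; w32tm /resync /nowait
```

The `0x8` flag after each peer puts w32time in client mode for that server; leaving the PDC emulator on its local CMOS clock (the state a freshly built domain is in) makes the whole domain drift together, which hides the problem until an external system or a rebuilt machine with a correct clock refuses to authenticate.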