Configure Windows Domain NTP Sync

Lately I had some issues at home while trying to connect to Azure.

I tried another browser, restarted the computer, nothing worked; after I provided the credentials the browser just refreshed the window several times (visibly) and then simply said: "We cannot sign you in." Unfortunately I failed to take a screenshot, but you get the idea.
After two clicks in the search engine (no, I don't know how LLMs work; they say it's AI, I think it's a glorified Google search) I found the issue, which wouldn't have crossed my mind in 2k years:
My time server (PDC emulator) wasn't serving correct time because at setup I forgot to point that crappy NTP client at a time pool. Yeah, I know 😀
The funny fact was that because of the time skew, even my pfSense refused to route ICMP packets to a valid pool or NTP server outside (makes sense).
Now, given that this is a pretty simple fix, let's get to it.
TBH I never liked the w32tm way of doing this, nor the registry one ...
Too many ways to screw things up for nothing: you miss a comma or so and ...
Yes, I know GPOs are just a GUI for registry settings. At least you have the explanation to the right of each setting and you don't need to go searching for it online.
So let's get this going.

First you need to check the current time sync settings, either in the event log or with w32tm (I know what I said about not liking it):

a. For the event log:
  • Eventvwr.msc – Applications and Services Logs – Microsoft – Windows – Time-Service – Operational
  • Filter for Event ID 263.

Event 263

  • If (2) InputProvider is Local, w32time is taking its time from the CMOS (hardware) clock and nothing is correcting it.
  • At (3) we can confirm that the NtpServer value is: (Undefined or not used), i.e. no upstream source was ever configured.
  • With w32tm it's much the same: w32tm /query /configuration
b. Setup time sync for the PDC Emulator
  • In GPMC open your domain and go to Group Policy Objects.
  • Right-click the Group Policy Objects container – New – name it as you like.
  • Edit the newly created GPO.
  • Go to Computer Configuration – Policies – Administrative Templates – System – Windows Time Service – Time Providers – "Configure Windows NTP Client":
  • Tick "Enabled".
  • Set NtpServer to the pool or server you prefer, for example "0.pool.ntp.org,0x9 1.pool.ntp.org,0x9" (space-separated, each entry followed by a flags value). The flags are a bitmask, not a marker for DNS name vs. IP address: 0x8 = client mode, 0x1 = poll at the SpecialPollInterval instead of the interval negotiated with the server; 0x9 is both and is the usual choice. It applies the same way whether you give a host name or an IP address.
  • Set Type to what your NTP source accepts. NTP (sync only from the manual peer list) is the usual setting for the PDC emulator; I left it at AllSync because I'm lazy, which also works here because AllSync uses the manual peer list too.
  • Leave the rest of the settings at their defaults or change them to your preference.
  • Now enable "Enable Windows NTP Client" in the same Time Providers folder.

** "Enable Windows NTP Server" is normally not needed: the NtpServer provider is already on by default on domain controllers. Note that domain members don't sync to the PDC emulator directly; they follow the domain hierarchy (member → a DC in its site → PDC emulator), so the PDC emulator is the only box that needs an external source.

c. Edit the security filtering:
  • Remove "Authenticated Users".
  • Add the PDC emulator's computer object (these are computer settings, so it's the computer account that needs Read and Apply).
  ** If you later transfer the PDC emulator role, move the security filtering with it, or use a WMI filter on Win32_ComputerSystem where DomainRole equals 5 (the PDC emulator), which follows the role automatically.
d. Link the GPO to the Domain Controllers OU so that the PDC emulator is in scope.


Screenshot 1 – Link an existing GPO

e. Now we pull the updated policy on the PDC emulator:

gpupdate /force

f. Either restart the Windows Time service or resync it.

*Be sure to use an elevated PowerShell prompt.

Restart-Service W32Time

or do a

w32tm /resync

g. Check the result as in step (a), either in Event Viewer or with w32tm /query /configuration.

If everything went fine, you should see results similar to the screenshots above, with NtpServer now showing the pool you configured instead of (Undefined or not used).

** If things didn't go well, reboot the DC and retry step (f).
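As an added example (this is not code from the original post), here is a PowerShell script that does steps a and e–g in one go on the PDC emulator: it checks that the box really holds the role, prints the effective and policy-set Type/NtpServer values, warns if w32time is still free-running on the CMOS clock or if no W32Time GPO is applied, measures the offset against the pool with w32tm /stripchart, and shows the last event 263; with -Resync it first runs gpupdate, restarts W32Time and forces a resync. The pool host names and the 5-minute threshold (Kerberos's default clock tolerance) are my assumptions, not the post's; substitute the servers you put in the GPO.

```powershell
<#
  Added example, not from the original post. Run from an elevated PowerShell
  prompt on the DC. Pool names are an assumption; use the ones from your GPO.
#>
param(
    [string[]]$Pool = @('0.pool.ntp.org', '1.pool.ntp.org'),  # assumption: your chosen pool
    [switch]$Resync                                           # run steps e and f before checking
)

function Test-PdcEmulatorRole {
    # Win32_ComputerSystem.DomainRole 5 = Primary Domain Controller, i.e. the PDC emulator.
    # The same condition can be used as a GPO WMI filter instead of security filtering.
    (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5
}

function Get-W32TimeState {
    # Effective settings live under Services\W32Time\Parameters; the Windows Time
    # Service GPO writes the same values under SOFTWARE\Policies, which take precedence.
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source          = (w32tm /query /source) -join ''
        LocalType       = $local.Type
        LocalNtpServer  = $local.NtpServer
        PolicyType      = $policy.Type
        PolicyNtpServer = $policy.NtpServer
    }
}

function Measure-NtpOffset {
    param([string]$Server, [int]$Samples = 3)
    # /stripchart /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample.
    $lines = w32tm /stripchart "/computer:$Server" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($null -eq $offsets) { return $null }   # no samples: UDP/123 blocked or name lookup failed
    ($offsets | Measure-Object -Average).Average
}

function Get-LastTimeServiceEvent {
    # Same check as step (a) of the post, without opening eventvwr.msc.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Time-Service/Operational'; Id = 263 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
}

if (-not (Test-PdcEmulatorRole)) {
    Write-Warning 'This host is not the PDC emulator; other DCs and members sync from the role holder, not from here.'
}

if ($Resync) {
    gpupdate /force | Out-Null              # step e: pull the newly linked GPO
    Restart-Service W32Time                 # step f: restart the service ...
    w32tm /resync /rediscover | Out-Null    # ... and force a resync against the (new) peer list
}

$state = Get-W32TimeState
$state | Format-List

if ($state.Source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "w32time is free-running on the local clock ($($state.Source)); no upstream source is in use."
}
if (-not $state.PolicyNtpServer) {
    Write-Warning 'No W32Time GPO is applied here; check the security filtering and the link on the Domain Controllers OU.'
}

# Kerberos tolerates 5 minutes of skew by default; beyond that, domain logons fail as well.
foreach ($srv in $Pool) {
    $off = Measure-NtpOffset -Server $srv
    if ($null -eq $off) { Write-Warning "$srv unreachable over UDP/123"; continue }
    $verdict = if ([math]::Abs($off) -gt 300) { 'SKEW TOO LARGE' } else { 'ok' }
    '{0,-20} offset {1,10:F3} s  {2}' -f $srv, $off, $verdict
}

$ev = Get-LastTimeServiceEvent
if ($ev) { "`nLast event 263 ({0}):`n{1}" -f $ev.TimeCreated, $ev.Message }
```

Run it once before linking the GPO to record the broken state (Source will read Local CMOS Clock and PolicyNtpServer will be empty), then again with -Resync after step d; the second run should show your pool as the source and an offset well under a second. If the stripchart lines come back empty, the DC cannot reach UDP/123 upstream, which is a firewall question rather than a w32time one.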

#windowsserver #ntp