First of all, I know how to solve this problem. but I really wonder why this issue has came out ???
I saw just one post that the reason for this error may be the system time difference on both machines. If they differ too much (think 2 hours or more) authentication fails.
but im using ADServer at work and using the PC from Singapore and Korea. i think its not about system time. cause it usually works. do you know why this issue has came out? Plz detail answers. Thank you.
Computer accounts have passwords. Password changes are initiated by the client computer every 30 days (by default, of course you can change this in Group Policy). If, after the specified time is past, the client reaches out to the DC for a password change and for whatever reason (power outage, network connection is lost, etc.) it cannot make a change, then the trust relationship is lost. The computer you're using to logon to the domain can no longer communicate securely with the domain to which it is joined because the computer’s password is not set the same as what is stored by the DC due to some loss of communication. When you try to logon using a domain account, it will fail to verify the Kerberos ticket you receive from Active Directory against the private secret that it stores locally.
Yes, you can come across this error if the system time on the machine is out of sync with the system time on the DC.
Typical fixes are to rejoin the computer to the domain or delete the computer AD object and recreate it, but there is another way. Powershell!
Reset-ComputerMachinePassword [-Credential <PSCredential>] [-Server <String>]
Of course run this with a user account able to change computer account passwords and the -Server parameter will need to be a DC.
