Fixing Time Synchronization Problems Between Domain-Joined Windows Machines and the Domain Controller

Today I set up a brand-new AD and happily joined all my machines to the domain, only to find that WinRM did not work. The error was:

PS C:\Windows\system32> enter-pssession server02
enter-pssession : Connecting to remote server server02 failed with the following error message : WinRM cannot process
the request. The following error with errorcode 0x80090324 occurred while using Kerberos authentication: There is a
time and/or date difference between the client and server.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession server02
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (server02:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

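For a new domain, this most likely means the clocks of the two machines are out of sync.

Check whether the domain controller and the other machines have synchronized clocks

Check that every machine shows the same time. Pay particular attention to the time zone: the default time zone on Windows Server is UTC-8. Once a machine has joined the domain, the clock can only be changed in the classic Control Panel; the new Settings app will not let you change it.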

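Check for hardware clock problems

Some machines may keep their hardware clock in UTC while others keep it in local time. Common cases include:

  • macOS and Linux both default to a UTC hardware clock, so machines that boot multiple operating systems will run into problems
  • qemu passes a UTC hardware clock to virtual machines by default, so machines started under qemu may run into problems after every reboot

In general, it is recommended to have everything use a UTC clock. Setting this on Windows is simple: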

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"RealTimeIsUniversal"=dword:00000001

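Then reboot.

Force the client to sync

By default, if the NTP server's time differs from the local time by more than a certain amount, the Windows Time service will not adjust the clock automatically. We first need to lift this limit by writing the following to the registry: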

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxPosPhaseCorrection"=dword:ffffffff

Then reset the Windows Time service by brute force:

net stop w32time
w32tm /unregister
# Wait a moment here
w32tm /register
net start w32time

w32tm /resync
w32tm /query /status

It should now succeed. If it still fails, manually set the clock to roughly the right time and try again.
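
To confirm the diagnosis before changing anything, the check below measures the clock offset against a domain controller and reads back the registry values discussed in this post. It is an added example, not code from the original post; the -Computer parameter, the function name, the sample output and the 300-second threshold (the default Kerberos tolerance of 5 minutes) are assumptions.

```powershell
# Added example, not from the original post.
param([string]$Computer)  # hypothetical parameter: DC to query; omit to use the sample

# Constructed sample of `w32tm /stripchart /dataonly` output (not real data)
$sample = @(
    'Tracking dc01 [192.0.2.10:123].',
    'Collecting 3 samples.',
    'The current time is 1/1/2024 9:00:00 AM.',
    '09:00:00, +28799.8123456s',
    '09:00:02, error: 0x800705B4',
    '09:00:04, +28799.8101234s'
)

function Get-ClockOffsetSeconds([string[]]$Lines) {
    # Data lines look like "HH:mm:ss, +NN.NNNNNNNs"; error lines do not match
    $offsets = @(foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) { throw 'No usable samples: is UDP 123 to the DC reachable?' }
    ($offsets | Measure-Object -Average).Average
}

$source = if ($Computer) { $Computer } else { 'constructed sample' }
$lines  = if ($Computer) { w32tm /stripchart "/computer:$Computer" /samples:3 /dataonly } else { $sample }
$offset = Get-ClockOffsetSeconds $lines
$skewLimit = 300  # assumption: Kerberos clock-skew tolerance left at its 5-minute default

'Offset against {0}: {1:N1} s' -f $source, $offset
if ([math]::Abs($offset) -gt $skewLimit) {
    'Beyond the Kerberos tolerance: expect error 0x80090324 until the clock is fixed.'
    # A near-whole number of hours points at time zone or UTC/local RTC mismatch
    $hours = $offset / 3600
    if ([math]::Abs($hours - [math]::Round($hours)) -lt 0.01) {
        'About {0} whole hour(s) off: check time zone and RealTimeIsUniversal.' -f [math]::Round($hours)
    }
}

# Registry values discussed in the post; "0x" alone means the value is not set.
# MaxNegPhaseCorrection (not set in the post) limits backward corrections.
$tz  = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
'RealTimeIsUniversal   = 0x{0:X}' -f (Get-ItemProperty $tz  -ErrorAction SilentlyContinue).RealTimeIsUniversal
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    '{0} = 0x{1:X}' -f $name, (Get-ItemProperty $cfg -ErrorAction SilentlyContinue).$name
}
```

Run it without arguments to see the parsing on the constructed sample, or pass -Computer with the name of your own domain controller to measure the real offset.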

