step one of setting up the mac mini properly: join it to the AD domain. simple, right?

Error: Node name wasn't found. (2000)

kerberos authentication requires clocks to be within 5 minutes of each other. our domain controllers were 52 minutes behind.

the chicken-and-egg problem

to fix the time, i need to remote into the domain controllers. to remote into the domain controllers, i need kerberos. kerberos won’t work because the time is wrong.

this is the kind of problem that makes you appreciate why NTP exists and why the PDC emulator role matters. the PDC emulator is supposed to sync to an external time source (pool.ntp.org, time.windows.com), and every other DC syncs from it. somewhere along the line, that chain broke, and the DCs have been drifting for… a while.

the workaround: direct console access through Hyper-V Manager (the VM console authenticates to the hypervisor host, so it doesn't go through the guest's broken kerberos path), or just physically being at the server. no amount of clever scripting gets around “kerberos says no.”
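once you're in that console session on the PDC emulator, this is roughly what the fix looks like. added example, not something from the original post; the domain name lab.local and the NTP pool hostnames are assumptions, swap in your own.

```powershell
# added example (not from the post): run in an elevated console session on the PDC
# emulator (Hyper-V console or the physical box), since RDP/kerberos is what's broken.
# the domain name "lab.local" is an assumption.

# which DC holds the PDC emulator role? that's the top of the time chain and the
# only box that should be talking to an external time source.
$pdc = (Get-ADDomain -Identity "lab.local").PDCEmulator
"PDC emulator: $pdc"

# how far off is every DC in the domain? /monitor prints each DC's offset from its
# own time source, plus the stratum and the RefID it is syncing from.
w32tm /monitor /domain:lab.local

# measure this box against an outside source before changing anything
# (/dataonly prints "time, offset" per sample, offset in seconds; 52 min is ~3120s)
w32tm /stripchart /computer:pool.ntp.org /samples:3 /dataonly

# point the PDC emulator at external NTP and flag it as a reliable time source so the
# other DCs (which follow the domain hierarchy by default) will accept it
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org time.windows.com" `
      /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# confirm the new source and that the offset is back under the 5-minute kerberos skew
w32tm /query /source
w32tm /query /status

# follow-ups once the PDC emulator is correct:
#   on each other DC:      w32tm /resync /rediscover
#   on the mac / clients:  klist purge   (drop tickets that were rejected for skew)
# caveat: if the DCs are Hyper-V guests, also check the host's clock. the guest
# "Time Synchronization" integration service pulls the guest toward the host, so a
# drifting host will quietly drag the whole domain with it.
```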

also discovered

while debugging this, i found that:

  • server “two” had RDP disabled, its network profile set to Public (should be Domain), and RDP firewall rules turned off. so it was technically online but unreachable by any normal means. fixed that via PSRemoting (which somehow still worked over SMB).
  • the mac’s bash is version 3.2 from 2007. apple won’t ship GPL v3. this broke a script that used ;& fallthrough in case statements.

lesson

homelabs are fractal. you go to do one thing (join a domain) and discover three other things are broken (NTP, RDP, network profiles). each of those has its own prerequisites. you can spend an entire evening just peeling layers.

i kind of love it though.