Thanks for your response. My question had to do with the fact that the
client PC's would not have the hotfix. All the servers have the hotfix
applied and none of them would ever have it uninstalled.
Raoul
Willy Fontana wrote:
Raoul and all:
You´re right regarding the problems you could face if there is a difference
greater than 10 minutes between any pair of domain controllers. It has to do
more with synchronization than authentication. Nevertheless, you can
manually set the time on a domain controller and eventually reapply the
hotfix if that is an option.
The time service in Windows domains acts as a tree where the root is either
the first domain controller installed for a given domain or the one holding
the PDC emulator role in that domain. Every other server and workstation
synchronize their clocks (by default) based on the mentioned DC.
You can, however, alter the default behavior of this service altering the
time server referred to by Windows. You can accomplish this using the net
time commands. Open a command prompt and type net time /? To obtain help
about this command.
I hope this is what you´re looking for.
Sincerely,
Willy Fontana
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Raoul Armfield
Sent: Thursday, February 08, 2007 1:07 AM
To: [email protected]
Cc: 'Sally Holt'; [EMAIL PROTECTED]
Subject: Time Zone change and Kerberos Auth
We have a situation where we need to install a piece of software that
requires us to uninstall the ms hotfix KB928388. This of course is the
hotfix that addresses the upcoming changes in DST here in the US. Until
mid march this will not pose a problem. However, seeing how
Authentication in AD/Kerberos is tied very closely with time
synchronizations. We were wondering if there would be a problem with
removing the hotfix and manually setting the clocks on the few machines
that are affected.
My thoughts are that even if we reset the time once they synchronize the
time with the domain controllers they will go back to the hour off and
authentications will fail. Am I wrong in thinking this.
Raoul
