Raoul

The reason Windows clients/servers/domain controllers on the domain are synced to the domain (the DC holding the PDCEmulator role, to be precise) is to maintain Kerberos, the theory being that a large time difference could indicate an attempt at a man-in-the-middle attack.

Kerberos will tolerate (by default) a time "drift" of up to 5 minutes and still operate. This setting is set in the Default Domain Policy on every new installation of Active Directory. As it's a GPO, the drift tolerance can be altered, but it's not advisable. If you do alter it, you must do so for the entire domain. Obviously, time sync can be selectively stopped (just stop the Windows Time Service), and clocks can be set manually. However, once you drift beyond 5 minutes, the machine will start to behave as if it were no longer a member of the domain. If you maintain the clocks by hand to within 5 minutes, all will remain fine.

If you want the time to be reported differently to the application, but still synced to the domain, you could try altering the timezone on the offending machines to a location one hour ahead of or behind your timezone and see if that helps.

Cheers

James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raoul Armfield
Sent: 08 February 2007 17:39
To: Willy Fontana
Cc: [email protected]
Subject: Re: Time Zone change and Kerberos Auth

Thanks for your response. My question had to do with the fact that the client PCs would not have the hotfix. All the servers have the hotfix applied and none of them would ever have it uninstalled.

Raoul

Willy Fontana wrote:
> Raoul and all:
>
> You're right regarding the problems you could face if there is a
> difference greater than 10 minutes between any pair of domain
> controllers. It has to do more with synchronization than
> authentication. Nevertheless, you can manually set the time on a
> domain controller and eventually reapply the hotfix if that is an option.
>
> The time service in Windows domains acts as a tree where the root is
> either the first domain controller installed for a given domain or the
> one holding the PDC emulator role in that domain. Every other server
> and workstation synchronizes its clock (by default) based on the mentioned DC.
>
> You can, however, alter the default behavior of this service by altering
> the time server referred to by Windows. You can accomplish this using
> the net time commands. Open a command prompt and type net time /? to
> obtain help about this command.
>
> I hope this is what you're looking for.
>
> Sincerely,
>
> Willy Fontana
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raoul Armfield
> Sent: Thursday, February 08, 2007 1:07 AM
> To: [email protected]
> Cc: 'Sally Holt'; [EMAIL PROTECTED]
> Subject: Time Zone change and Kerberos Auth
>
> We have a situation where we need to install a piece of software that
> requires us to uninstall the MS hotfix KB928388. This of course is
> the hotfix that addresses the upcoming changes in DST here in the US.
> Until mid-March this will not pose a problem. However, seeing how
> authentication in AD/Kerberos is tied very closely to time
> synchronization, we were wondering if there would be a problem with
> removing the hotfix and manually setting the clocks on the few
> machines that are affected.
>
> My thoughts are that even if we reset the time, once they synchronize
> the time with the domain controllers they will go back to the hour off
> and authentication will fail. Am I wrong in thinking this?
>
> Raoul
>
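The point the thread circles around is that Kerberos compares UTC timestamps (KerberosTime in RFC 4120 is always UTC), so a wrong DST rule only changes the wall-clock time a machine displays, not the instant it authenticates with; it is manually "correcting" the displayed time that moves the UTC clock and trips the 5-minute MaxClockSkew. The following Python model is an added example, not code from the mailing-list thread or from any of its authors. It assumes the Default Domain Policy default of 5 minutes, uses the real Kerberos error name KRB_AP_ERR_SKEW, and builds a constructed scenario on 2007-03-11 (the first day the new US DST rules applied) for a US Eastern domain; the HostClock class, the helper functions and the host names are this example's own.

```python
"""
Model of the Kerberos clock-skew check versus Windows timezone/DST settings.
Added example; the scenario data below is constructed, not taken from the thread.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Default Domain Policy -> Kerberos Policy -> "Maximum tolerance for computer
# clock synchronization" (assumed at its 5-minute default).
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class HostClock:
    """A machine's clock the way Windows keeps it: a UTC instant (what W32Time
    syncs from the PDC Emulator) plus a display offset (timezone + DST rule,
    which is all the DST hotfix changes)."""
    name: str
    utc: datetime            # tz-aware UTC instant
    display_offset: timedelta

    def local_time(self) -> datetime:
        """Wall-clock time the user and the application see."""
        return (self.utc + self.display_offset).replace(tzinfo=None)


def kerberos_skew(client: HostClock, kdc: HostClock) -> timedelta:
    """Authenticator timestamp vs KDC time: both UTC, the offset never enters."""
    return abs(client.utc - kdc.utc)


def authenticate(client: HostClock, kdc: HostClock,
                 max_skew: timedelta = MAX_CLOCK_SKEW) -> str:
    """Simplified KDC/AP check: reject when skew exceeds the policy tolerance."""
    if kerberos_skew(client, kdc) > max_skew:
        return "KRB_AP_ERR_SKEW"
    return "OK"


def set_local_clock(host: HostClock, wanted_local: datetime) -> HostClock:
    """An admin types a wall-clock time into the Date/Time dialog. Windows
    converts it to UTC through the (possibly wrong) offset, so this moves the
    UTC clock, which is what Kerberos actually compares."""
    new_utc = (wanted_local - host.display_offset).replace(tzinfo=timezone.utc)
    return replace(host, utc=new_utc)


def w32time_resync(host: HostClock, source: HostClock) -> HostClock:
    """Windows Time Service sync: copy the UTC instant from the time source.
    The timezone/DST offset is left untouched."""
    return replace(host, utc=source.utc)


def _row(host: HostClock, kdc: HostClock) -> tuple:
    return (host.local_time().strftime("%H:%M"), authenticate(host, kdc))


def dst_scenarios() -> dict:
    """Constructed scenario: 2007-03-11 15:00 UTC, US Eastern domain.
    Patched hosts already apply EDT (UTC-4); unpatched hosts still think EST (UTC-5)."""
    now = datetime(2007, 3, 11, 15, 0, tzinfo=timezone.utc)
    new_rules = timedelta(hours=-4)   # with KB928388
    old_rules = timedelta(hours=-5)   # hotfix uninstalled

    pdc = HostClock("pdc", now, new_rules)                  # shows 11:00
    unpatched = HostClock("client-unpatched", now, old_rules)  # shows 10:00, same UTC
    # Admin "fixes" the display by hand so it reads what the PDC shows.
    hand_set = set_local_clock(unpatched, pdc.local_time())
    # Next W32Time poll pulls the UTC clock back in line with the PDC.
    after_resync = w32time_resync(hand_set, pdc)
    # James's suggestion: change the timezone, leave the synced UTC clock alone.
    tz_shifted = replace(unpatched, display_offset=new_rules)

    return {
        "pdc": _row(pdc, pdc),
        "unpatched": _row(unpatched, pdc),
        "hand_set": _row(hand_set, pdc),
        "after_resync": _row(after_resync, pdc),
        "tz_shifted": _row(tz_shifted, pdc),
    }


if __name__ == "__main__":
    for name, (local, result) in dst_scenarios().items():
        print(f"{name:14s} local={local}  kerberos={result}")
```

Reading the output: the unpatched client displays the wrong hour but authenticates, the hand-set client displays the right hour and fails with KRB_AP_ERR_SKEW (one hour of UTC skew), the next W32Time resync repairs authentication and brings the wrong hour back (Raoul's concern), and only the timezone change gives both a correct display and a working Kerberos exchange.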
