Re: Time Zone change and Kerberos Auth

Thanks for your response. My question had to do with the fact that the client PC's would not have the hotfix. All the servers have the hotfix applied and none of them would ever have it uninstalled.

Raoul

Willy Fontana wrote:
Raoul and all:

You´re right regarding the problems you could face if there is a difference
greater than 10 minutes between any pair of domain controllers. It has to do
more with synchronization than authentication. Nevertheless, you can
manually set the time on a domain controller and eventually reapply the
hotfix if that is an option.

The time service in Windows domains acts as a tree where the root is either
the first domain controller installed for a given domain or the one holding
the PDC emulator role in that domain. Every other server and workstation
synchronize their clocks (by default) based on the mentioned DC.

You can, however, alter the default behavior of this service altering the
time server referred to by Windows. You can accomplish this using the net
time commands. Open a command prompt and type net time /? To obtain help
about this command.

I hope this is what you´re looking for.

Sincerely,

Willy Fontana


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Raoul Armfield
Sent: Thursday, February 08, 2007 1:07 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: 'Sally Holt'; ckehayov@xxxxxxxx
Subject: Time Zone change and Kerberos Auth

We have a situation where we need to install a piece of software that requires us to uninstall the ms hotfix KB928388. This of course is the hotfix that addresses the upcoming changes in DST here in the US. Until mid march this will not pose a problem. However, seeing how Authentication in AD/Kerberos is tied very closely with time synchronizations. We were wondering if there would be a problem with removing the hotfix and manually setting the clocks on the few machines that are affected.

My thoughts are that even if we reset the time once they synchronize the time with the domain controllers they will go back to the hour off and authentications will fail. Am I wrong in thinking this.

Raoul


Relevant Pages

  • Logon delays - due to large registry.pol files in some group polic
    ... About 6 months ago we removed domain controllers from around 50 small sites ... Use of the sysprosoft policy reporter freebie has narrowed this down to the ... Apparently the problem is fixed in Windows 2003 SP2. ... and no hotfix for Windows 2000. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1?
    ... I downloaded the hotfix 889054 and ran it on one of our domain controllers. ... > newsgroup, as there is more qualified pool of respondents who can give you ... > Microsoft Online Partner Support ...
    (microsoft.public.windows.server.active_directory)
  • RE: Time Zone change and Kerberos Auth
    ... greater than 10 minutes between any pair of domain controllers. ... Behalf Of Raoul Armfield ... requires us to uninstall the ms hotfix KB928388. ... My thoughts are that even if we reset the time once they synchronize the ...
    (Focus-Microsoft)
  • Re: Event ID: 1083 NTDS Replication warnings on domain controllers
    ... EvLog - Free Windows event log monitoring ... > domain controllers. ... I have already applied the hotfix from Tech Net ...
    (microsoft.public.windows.server.general)
  • Re: Question regarding hotfix 905214
    ... Homework for another server job coming up. ... hotfix and SenderID filtering appears to be working fine. ... then 914103 is needed by Exchange for SenderID. ...
    (microsoft.public.windows.server.sbs)
Loading