Windows Server - Time diff prevent authentication?
Asked By NewsGrp
04-Aug-08 09:17 PM
I have 1 OU where the time was off by about 5 minutes after a change in NTP
for the domain which didn't take effect for that OU. Would that prevent
authentication? We're trying to see what caused a network authentication
error and thinking the time being different from the rest of the domain
might have caused it. Any references?
Thanks
Carlo
Ace Fekay [MVP Directory Services] replied...

Time differences are not based on OU but on the actual time on the client vs. the
server or other machine it's trying to communicate/authenticate against.
Kerberos has a 5 minute time skew tolerance, with time zones being
irrelevant. If more than 5 minutes, we've got a problem.
The DC holding the PDC Emulator Role is the time server by default. All
machines in an AD infrastructure will query the PDC emulator for time sync.
If communications are blocked, such as a firewall, or there are AD
communication issues and errors, or the time registry settings were changed
incorrectly, time will not stay synched.
You configure the PDC emulator to sync with an outside source. To do so, in
a command prompt:
net stop w32time
net time /setsntp:192.5.41.41
net start w32time
That IP is one of the US Navy time sources. You can configure your server
for another time server based on your location if you desire.
Are you seeing any errors in any of the Event viewer logs on the server
and/or client?
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
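Ace's points above (the 5 minute Kerberos tolerance, the PDC emulator as the default time source, and checking the event logs) can be turned into one diagnostic. The PowerShell below is an added example, not something posted in the thread. It assumes a domain-joined machine with PowerShell 3 or later and w32tm.exe, local administrator rights to read the Security log (the 4768/4771 events it looks for are only logged on a domain controller), and the 300 second threshold and sample count are my choices.

```powershell
# Added example (not from the thread): measure this machine's clock offset
# against the PDC emulator, flag it against the Kerberos 5-minute tolerance,
# then look for the Kerberos and Time-Service events that a skew produces.
# Assumptions: domain-joined Windows, PowerShell 3+, w32tm.exe present,
# local admin rights for the Security log; the threshold is mine.

$MaxSkewSeconds = 300   # Kerberos default "Maximum tolerance for computer clock synchronization"

# 1. Locate the PDC emulator without the RSAT module (plain .NET call).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
Write-Host "PDC emulator (default time source): $pdc"

# 2. Sample the offset with w32tm's strip chart. Each /dataonly line looks like
#    "21:17:00, +00.0065094s"; the signed number is the difference between the two clocks.
$samples = w32tm /stripchart /computer:$pdc /samples:5 /dataonly 2>&1 |
    ForEach-Object {
        if ("$_" -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
if (-not $samples) {
    throw "Could not sample $pdc (firewall, DNS or AD connectivity problem?)"
}

$offset = ($samples | Measure-Object -Average).Average
Write-Host ("Offset vs. {0}: {1:N3} s" -f $pdc, $offset)
if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Skew exceeds the Kerberos tolerance of $MaxSkewSeconds s; ticket requests will fail with KRB_AP_ERR_SKEW"
}

# 3. What is this machine actually syncing from? A domain member should show a DC.
#    "Local CMOS Clock" or "Free-running System Clock" means it is not syncing at all.
w32tm /query /source

# 4. Evidence in the logs. On a DC, 4771/4768 with failure code 0x25 (KRB_AP_ERR_SKEW,
#    "Clock skew too great") is the direct symptom; Time-Service events show sync trouble.
$skewEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(Failure|Result) Code:\s+0x25' }
Write-Host ("Kerberos events with failure code 0x25 among the last 500 4768/4771s: {0}" -f @($skewEvents).Count)

Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Run it on the client that failed to authenticate first (steps 1 to 3 and the Time-Service events), then on the DC it authenticated against (step 4). A large offset with a source of "Local CMOS Clock" is exactly the "time service turned off locally" situation rather than a broken hierarchy.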
Meinolf Weber replied...
Hello NewsGrp,
Time settings are not based on the OU. In a domain the DC with the PDCEmulator
role is the time source, all other DCs sync with it and all other domain
members sync with one available DC. For configuration of the PDCEmulator
see this one.
PDCEmulator:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
With "peers" you can set the time source, either a DNS name (time.windows.com)
or an IP address of a reliable time source.
Here you can find some of them:
http://www.pool.ntp.org/
Client configuration:
To configure a client computer for automatic domain time synchronization
w32tm /config /syncfromflags:domhier /update
After that run:
net stop w32time
net start w32time
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ace Fekay [MVP Directory Services] replied...

Actually I would like to point out, one wouldn't need to configure the
clients. Clients and member servers and the other DC roles (2000, 2003, XP &
Vista) out of the box and joined to a domain are set by default to use the
domain hierarchy for time sync. They will automatically look for the PDC
Emulator for their time source, so there's nothing really needed to be
changed on a client. I do remember XP SP1 had a problem looking outside of
its site if a DC was not available for time sync, but that was fixed with
SP2. A workaround was to set it with a GPO or reg entries, as you've
provided.
You can of course change it if one needs a different source, such as an
internet time server, a different Windows server set up as the time source
for the infrastructure, or an internal non-Windows machine as the time
source, which can be set by GPO or reg entries.
http://www.analogduck.com/main/wintime
http://nsit.uchicago.edu/docs/ucad/sysadmins/time/index.shtml
http://blogs.inetium.com/blogs/jdevries/archive/2006/04/29/87.aspx
Ace
MSNews replied...
The problem we had was one OU had the ntp turned off and certain servers
were turned off locally for a previous programmer who was constantly setting
the clock back to run a demo version of software. One of the reasons he is
no longer with us...
Carlo
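The root cause described in the post above, servers whose time service had been turned off locally and a clock set back by hand, is something an administrator can sweep the domain for rather than discover one authentication failure at a time. The PowerShell inventory below is an added example, not code from the thread. It assumes WinRM is enabled on the targets and the caller has local administrator rights there; the LDAP filter and the "finding" conditions are my choices. The PDC emulator is expected to report Type NTP (it syncs from outside, as both replies explain); every other domain member should report NT5DS (domain hierarchy), and NoSync is the "turned off locally" case.

```powershell
# Added example (not posted in the thread): find domain members whose Windows
# Time service is stopped, switched to NoSync, or pointed away from the
# domain hierarchy. Assumptions: WinRM reachable, local admin on targets,
# PowerShell 3+. Registry paths are the real W32Time service and policy keys.

# Enumerate computer accounts with a .NET DirectorySearcher (no RSAT needed).
# Constructed filter: servers only; drop the operatingSystem clause to scan everything.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=computer)(operatingSystem=*Server*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$targets = $searcher.FindAll() |
    ForEach-Object { $_.Properties['dnshostname'][0] } |
    Where-Object { $_ }

$report = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'   # GPO-delivered values override the service key
    $cfg = Get-ItemProperty -Path $params
    $pol = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $svc = Get-Service -Name w32time
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Service   = $svc.Status
        Type      = if ($pol -and $pol.Type) { "$($pol.Type) (policy)" } else { $cfg.Type }
        NtpServer = if ($pol -and $pol.NtpServer) { $pol.NtpServer } else { $cfg.NtpServer }
        Source    = (w32tm /query /source 2>&1 | Select-Object -First 1)
        LocalTime = Get-Date            # compare across rows: a clock set back stands out
    }
}

# Findings: service not running, not using the domain hierarchy, or free-running.
# (The PDC emulator legitimately shows Type NTP; exclude it by name if it clutters the list.)
$findings = $report | Where-Object {
    $_.Service -ne 'Running' -or
    $_.Type    -notmatch '^NT5DS' -or
    "$($_.Source)" -match 'CMOS|Free-running'
}
Write-Host ("{0} of {1} servers need attention" -f @($findings).Count, @($report).Count)
$findings | Sort-Object Computer |
    Format-Table Computer, Service, Type, NtpServer, Source, LocalTime -AutoSize

# Full inventory for the record.
$report | Sort-Object Computer |
    Format-Table Computer, Service, Type, NtpServer, Source, LocalTime -AutoSize
```

Hosts that do not answer Invoke-Command are silently missing from $report, so compare its count with $targets.Count before trusting an empty findings list. Where a row shows Type NT5DS but the Source is still the CMOS clock, the service is configured correctly but cannot reach a DC, which is the firewall or AD communication case from the first reply rather than a local override.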
Ace Fekay [MVP Directory Services] replied...
Too many fingers in the pot. And why would a programmer have Domain Admin
rights?
Ace