Time diff prevent authentication?

NewsGrp
I have one OU where the time was off by about 5 minutes after a change in NTP
for the domain which didn't take effect for that OU. Would that prevent
authentication? We're trying to see what caused a network authentication
error and thinking the time being different from the rest of the domain
might have caused it. Any references?

Thanks

Carlo
 
Re: Time diff prevent authentication?


"NewsGrp" <carl@anywhere.com> wrote in message
news:OVPhikp9IHA.5700@TK2MSFTNGP02.phx.gbl...


Time differences are not based on OU but on the actual time on the client vs. the
server or other machine it's trying to communicate/authenticate with.
Kerberos has a 5-minute time skew tolerance, with time zones being
irrelevant. If more than 5 minutes, we've got a problem.

The DC holding the PDC Emulator Role is the time server by default. All
machines in an AD infrastructure will query the PDC emulator for time sync.
If communications are blocked, such as a firewall, or there are AD
communication issues and errors, or the time registry settings were changed
incorrectly, time will not stay synched.

You configure the PDC emulator to sync with an outside source. To do so, in
a command prompt:
net stop w32time
net time /setsntp:192.5.41.41
net start w32time

That IP is one of the US Navy time sources. You can configure your server
for another time server based on your location if you desire.

Are you seeing any errors in any of the Event viewer logs on the server
and/or client?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
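The 5-minute figure above is the default for the Kerberos policy setting "Maximum tolerance for computer clock synchronization", and what matters is each host's clock relative to the DC it authenticates against. The following script is an added example, not code from the thread or from Microsoft: it runs w32tm /monitor against the PDC emulator plus a list of computers, re-bases the reported offsets onto the PDC emulator's clock (w32tm /monitor reports offsets relative to the machine running it), and flags any host outside the tolerance. Host names are hypothetical placeholders, and -UseSample feeds the parser a constructed w32tm output so it can be tried without a domain.

```powershell
# Added example (not from the thread): measure clock skew against the PDC
# emulator across a set of domain computers and flag anything outside the
# Kerberos default 5-minute tolerance. Requires w32tm.exe (Windows) and
# NTP (UDP/123) reachability to the targets; -UseSample runs the parser
# on constructed output instead of calling w32tm.
[CmdletBinding()]
param(
    # Hypothetical host names; substitute your PDC emulator and the hosts to check.
    [string]   $PdcEmulator    = 'dc1.corp.example',
    [string[]] $Computers      = @('srv01.corp.example', 'srv02.corp.example'),
    [int]      $MaxSkewSeconds = 300,   # Kerberos MaxClockSkew default (5 minutes)
    [switch]   $UseSample
)

# Parse "w32tm /monitor" output into (Computer, OffsetSeconds) records.
# Offsets printed by /monitor are relative to the clock of the machine
# running the command, not to the PDC emulator; Test-KerberosSkew corrects that.
function ConvertFrom-W32tmMonitor {
    param([string[]] $Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\S+?)\[[^\]]*\]:\s*$') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match 'NTP:\s+([+-]?\d+(?:\.\d+)?)s offset from local clock') {
            [pscustomobject]@{ Computer = $current; OffsetSeconds = [double]$Matches[1] }
            $current = $null
        }
        elseif ($current -and $line -match 'NTP:\s+error') {
            # Host did not answer NTP: cannot judge its clock, report it as such.
            [pscustomobject]@{ Computer = $current; OffsetSeconds = $null }
            $current = $null
        }
    }
}

# Re-base every offset onto the PDC emulator and decide who would fail Kerberos.
function Test-KerberosSkew {
    param([object[]] $Samples, [string] $Reference, [int] $Tolerance)
    $ref = $Samples | Where-Object Computer -eq $Reference
    if (-not $ref -or $null -eq $ref.OffsetSeconds) {
        throw "No usable sample for reference clock '$Reference'"
    }
    foreach ($s in ($Samples | Where-Object Computer -ne $Reference)) {
        if ($null -eq $s.OffsetSeconds) {
            $skew   = $null
            $status = 'NO RESPONSE'
        } else {
            $skew   = [math]::Round($s.OffsetSeconds - $ref.OffsetSeconds, 3)
            $status = if ([math]::Abs($skew) -gt $Tolerance) { 'KERBEROS WILL FAIL' } else { 'OK' }
        }
        [pscustomobject]@{ Computer = $s.Computer; SkewSeconds = $skew; Status = $status }
    }
}

if ($UseSample) {
    # Constructed sample of "w32tm /monitor" output (not captured from real hosts).
    $lines = @'
dc1.corp.example[10.0.0.5:123]:
    ICMP: 0ms delay
    NTP: +0.0012345s offset from local clock
        RefID: 'GPS' [0x53505300]
        Stratum: 1
srv01.corp.example[10.0.0.21:123]:
    ICMP: 1ms delay
    NTP: -0.0456789s offset from local clock
        RefID: dc1.corp.example [10.0.0.5]
        Stratum: 2
srv02.corp.example[10.0.0.22:123]:
    ICMP: 1ms delay
    NTP: -347.2100000s offset from local clock
        RefID: 'LOCL' [0x4C4F434C]
        Stratum: 1
'@ -split "`r?`n"
} else {
    $list  = (@($PdcEmulator) + $Computers) -join ','
    $lines = & w32tm.exe /monitor /computers:$list /nowarn
}

$samples = ConvertFrom-W32tmMonitor -Lines $lines
Test-KerberosSkew -Samples $samples -Reference $PdcEmulator -Tolerance $MaxSkewSeconds |
    Format-Table -AutoSize
```

With the sample, srv01 comes out about 0.05 s from the PDC emulator (OK) while srv02, which is free-running on its local clock ('LOCL'), is about 347 s out and is reported as a Kerberos failure. A host that shows NO RESPONSE is worth checking too: if NTP is blocked to it, it is probably not syncing from the domain either.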
 
Re: Time diff prevent authentication?

Hello NewsGrp,

Time settings are not based on the OU. In a domain the DC with the PDC Emulator
role is the time source; all other DCs sync with it and all other domain
members sync with one available DC. For configuration of the PDC Emulator
see this one.

PDCEmulator:

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

With "peers" you can set the time source, either DNS name (time.windows.com)
or an ip address from a reliable time source.

Here you can find some of them:
http://www.pool.ntp.org/

Client configuration:
To configure a client computer for automatic domain time synchronization

w32tm /config /syncfromflags:domhier /update

After that run:

net stop w32time

net start w32time

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

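The two-step procedure above (configure the PDC emulator or the member, then restart W32Time) can be scripted and, more importantly, verified afterwards. The following is an added example and not Meinolf's or Microsoft's code: it applies the role-appropriate w32tm configuration from the post, restarts the service, forces a resync, and then asks W32Time which source it ended up with, warning when a domain member has fallen back to its local clock. The peer names are hypothetical placeholders; pick sources appropriate to your location as the post says.

```powershell
# Added example (not Meinolf's or Microsoft's code): apply the configuration
# from the post for either role, restart W32Time, force a resync and report
# which source the service is actually using. Run in an elevated prompt on
# the target machine. Peer names are hypothetical placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('PdcEmulator', 'DomainMember')]
    [string]   $Role,
    [string[]] $Peers = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org')
)

# Run w32tm and fail loudly on a non-zero exit code instead of silently continuing.
function Invoke-W32tm {
    param([string[]] $Arguments)
    $out = & w32tm.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "w32tm $($Arguments -join ' ') failed: $out" }
    $out
}

switch ($Role) {
    'PdcEmulator' {
        # ",0x8" puts each peer in client mode; /reliable:yes advertises this DC
        # as a good time source to the rest of the domain hierarchy.
        $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
        Invoke-W32tm @('/config', "/manualpeerlist:$peerList",
                       '/syncfromflags:manual', '/reliable:yes', '/update') | Out-Null
    }
    'DomainMember' {
        # Clients and non-PDC DCs follow the domain hierarchy (also the default
        # for a freshly joined machine).
        Invoke-W32tm @('/config', '/syncfromflags:domhier', '/update') | Out-Null
    }
}

# Equivalent of "net stop w32time" / "net start w32time" from the post.
Restart-Service -Name w32time

# /rediscover forces a fresh DC/peer lookup instead of reusing the cached source.
try {
    Invoke-W32tm @('/resync', '/rediscover') | Out-Null
} catch {
    Write-Warning "Resync did not complete: $_"
}

# Verify: what W32Time is actually using, and the full status for the record.
$source = ((Invoke-W32tm @('/query', '/source')) -join '').Trim()
$localOnly = 'Local CMOS Clock', 'Free-running System Clock'
if ($Role -eq 'DomainMember' -and $localOnly -contains $source) {
    Write-Warning "Still syncing from '$source': no DC answered NTP. Check UDP/123 and DC/site availability."
} else {
    Write-Host "Time source now: $source"
}
Invoke-W32tm @('/query', '/status')
```

On a member the source should be the name of a DC; on the PDC emulator it should be one of the configured peers. "Local CMOS Clock" or "Free-running System Clock" after a resync means the configuration applied but nothing is actually being reached, which is exactly the state that produces a slow 5-minute-plus drift like the one in the question.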
 
Re: Time diff prevent authentication?


<Meinolf Weber> wrote in message
news:ff16fb66a58ca8cac4ee94cafe7b@msnews.microsoft.com...



Actually, I would like to point out that one wouldn't need to configure the
clients. Clients, member servers and the other DC roles (2000, 2003, XP &
Vista), out of the box and joined to a domain, are by default set to use the
domain hierarchy for time sync. They will automatically look for the PDC
Emulator for their time source, so there's nothing really that needs to be
changed on a client. I do remember XP SP1 had a problem looking outside of
its site if a DC was not available for time sync, but that was fixed with
SP2. A workaround was to set it with a GPO or reg entries, as you've
provided.

Of course, if one needs to change it to a different source, you can change
it, such as to an internet time server, a different Windows server set up as
the time source for the infrastructure, or an internal non-Windows machine
as the time source, which can be set by GPO or reg entries.

http://www.analogduck.com/main/wintime
http://nsit.uchicago.edu/docs/ucad/sysadmins/time/index.shtml
http://blogs.inetium.com/blogs/jdevries/archive/2006/04/29/87.aspx


Ace
 
Re: Time diff prevent authentication?

The problem we had was one OU had NTP turned off and certain servers
were turned off locally for a previous programmer who was constantly setting
the clock back to run a demo version of software. One of the reasons he is
no longer with us...

Carlo


"Ace Fekay [MVP Directory Services]" <firstnamelastname@hotmail.com> wrote
in message news:Otw9G139IHA.5316@TK2MSFTNGP02.phx.gbl...
 
Re: Time diff prevent authentication?


"MSNews" <carl@anywhere.com> wrote in message
news:uMzChED%23IHA.544@TK2MSFTNGP03.phx.gbl...

Too many fingers in the pot. And why would a programmer have Domain Admin
rights?

Ace
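Carlo's root cause is two separate findings on the affected servers: W32Time turned off or pointed away from the domain hierarchy, and a user able to set the clock by hand. Setting the system time is governed by the "Change the system time" user right (SeSystemtimePrivilege), which by default is held only by Administrators and LOCAL SERVICE. The following is an added example, not code from the thread: it reports W32Time's service state and sync type (the Type value under the W32Time Parameters key, NT5DS for the domain hierarchy, NoSync when sync has been turned off) and lists who holds the right to change the clock, so both problems show up in one audit. Run it elevated; the optional -ComputerName list is a hypothetical placeholder and uses PowerShell remoting.

```powershell
# Added example (not from the thread): audit a host for the two things Carlo
# describes, W32Time turned off or unmanaged, and extra principals allowed to
# set the clock. Run elevated; -ComputerName audits remote hosts over
# PowerShell remoting. Host names are hypothetical placeholders.
[CmdletBinding()]
param([string[]] $ComputerName = @())

function Get-TimeSyncPosture {
    $params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $service = Get-Service -Name w32time

    # Who holds "Change the system time" (SeSystemtimePrivilege): export the
    # local user-rights policy with secedit and resolve the SIDs it lists.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
        $principals = @()
        if ($line) {
            foreach ($entry in (($line -replace '^.*=\s*') -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    $sid = $entry.Substring(1)
                    try {
                        $principals += ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $principals += $sid   # unresolvable SID (deleted account?): keep it visible
                    }
                } else {
                    $principals += $entry
                }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    $findings = @()
    if ($service.Status -ne 'Running')     { $findings += "W32Time service is $($service.Status)" }
    if ($service.StartType -eq 'Disabled') { $findings += 'W32Time start type is Disabled' }
    if ($params.Type -ne 'NT5DS')          { $findings += "sync type is '$($params.Type)' (domain members expect NT5DS)" }
    $expected = 'BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE'
    $extra = @($principals | Where-Object { $expected -notcontains $_ })
    if ($extra.Count -gt 0) { $findings += "extra principals may change the clock: $($extra -join ', ')" }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Service       = "$($service.Status)/$($service.StartType)"
        SyncType      = $params.Type
        NtpServer     = $params.NtpServer
        CanChangeTime = $principals -join '; '
        Findings      = $summary
    }
}

$results = if ($ComputerName.Count -eq 0) {
    Get-TimeSyncPosture
} else {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-TimeSyncPosture}
}
$results | Format-List
```

A server that was "turned off locally" in the way Carlo describes shows up as Stopped/Disabled or with SyncType NoSync, and the demo-running programmer shows up under CanChangeTime if he was granted the right directly or through a group other than Administrators; either finding is enough to explain a clock drifting past the Kerberos tolerance.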
 