Time diff prevent authentication?



Guest NewsGrp
Posted

I have 1 OU where the time was off by about 5 minutes after a change in NTP for the domain which didn't take effect for that OU. Would that prevent authentication? We're trying to see what caused a network authentication error and thinking the time being different from the rest of the domain might have caused it. Any references?

Thanks

Carlo

Guest Ace Fekay [MVP Directory Services]
Posted

Re: Time diff prevent authentication?

"NewsGrp" <carl@anywhere.com> wrote in message news:OVPhikp9IHA.5700@TK2MSFTNGP02.phx.gbl...

> I have 1 OU where the time was off by about 5 minutes after a change in NTP for the domain which didn't take effect for that OU. Would that prevent authentication? We're trying to see what caused a network authentication error and thinking the time being different from the rest of the domain might have caused it. Any references?
>
> Thanks
>
> Carlo

 

Time differences are not based on OU but on the actual time on the client vs. the server or other machine it's trying to communicate/authenticate against. Kerberos has a 5-minute time skew tolerance, with time zones being irrelevant. If more than 5 minutes, we've got a problem.

The DC holding the PDC Emulator role is the time server by default. All machines in an AD infrastructure will query the PDC emulator for time sync. If communications are blocked, such as by a firewall, or there are AD communication issues and errors, or the time registry settings were changed incorrectly, time will not stay synced.

You configure the PDC emulator to sync with an outside source. To do so, in a command prompt:

net stop w32time
net time /setsntp:192.5.41.41
net start w32time

That IP is one of the US Navy time sources. You can configure your server for another time server based on your location if you desire.

Are you seeing any errors in any of the Event Viewer logs on the server and/or client?

 

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

Guest Meinolf Weber
Posted

Re: Time diff prevent authentication?

 

Hello NewsGrp,

Time settings are not based on the OU. In a domain the DC with the PDCEmulator role is the time source; all other DCs sync with it and all other domain members sync with one available DC. For configuration of the PDCEmulator see this one.

PDCEmulator:

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

With "peers" you can set the time source, either a DNS name (time.windows.com) or an IP address from a reliable time source.

Here you can find some of them:
http://www.pool.ntp.org/

Client configuration:
To configure a client computer for automatic domain time synchronization:

w32tm /config /syncfromflags:domhier /update

After that run:

net stop w32time
net start w32time

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have 1 OU where the time was off by about 5 minutes after a change in NTP for the domain which didn't take effect for that OU. Would that prevent authentication? We're trying to see what caused a network authentication error and thinking the time being different from the rest of the domain might have caused it. Any references?
>
> Thanks
>
> Carlo
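Ace's first reply states the 5-minute Kerberos skew tolerance and the PDC emulator time hierarchy, and Meinolf's post gives the w32tm configuration. The PowerShell below is an added example, not code from either poster: it measures each host's clock offset against the PDC emulator with w32tm /stripchart and reads the W32Time "Type" registry value to spot machines that were pulled out of the domain hierarchy (as happened on the OU in this thread). Assumptions: w32tm can reach UDP/123 on each host, the Remote Registry service is running on them, the ActiveDirectory module is available for Get-ADDomain, and the host names are a constructed sample list.

```powershell
# Added example, not code from the thread. Flags hosts whose clock differs from
# the PDC emulator by more than Kerberos' default MaxClockSkew (5 minutes) and
# reports each host's W32Time sync type: NT5DS = domain hierarchy (the default
# for domain members), NTP = manual peer list, NoSync = time sync switched off.
# Assumes UDP/123 reachability, Remote Registry, and the ActiveDirectory module.

$MaxSkewSeconds = 300   # Kerberos "Maximum tolerance for computer clock synchronization"

function Get-TimeOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # /dataonly prints one "HH:mm:ss, +00.1234567s" line per sample;
    # the value is (target clock - local clock) in seconds.
    $out = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { return $null }   # unreachable, or UDP/123 blocked
    return ($offsets | Measure-Object -Average).Average
}

function Get-W32TimeType {
    param([string]$Computer)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        return $key.GetValue('Type')
    } catch { return 'unknown' }
}

function Test-KerberosClockSkew {
    param([string[]]$Computers,
          [string]$Reference = (Get-ADDomain).PDCEmulator)   # the domain's time source
    $refOffset = Get-TimeOffsetSeconds -Computer $Reference
    if ($null -eq $refOffset) { throw "Cannot query time from $Reference" }
    foreach ($c in $Computers) {
        $o = Get-TimeOffsetSeconds -Computer $c
        # host clock - PDCe clock, both measured relative to this machine
        $skew = if ($null -ne $o) { [math]::Round($o - $refOffset, 3) } else { $null }
        [pscustomobject]@{
            Computer   = $c
            SkewVsPDCe = $skew
            SyncType   = Get-W32TimeType -Computer $c
            KerberosOK = ($null -ne $skew) -and ([math]::Abs($skew) -le $MaxSkewSeconds)
        }
    }
}

# Constructed sample list; replace with your own member servers.
Test-KerberosClockSkew -Computers 'APP01', 'APP02', 'DB01' | Format-Table -AutoSize
```

A host showing SyncType NTP or NoSync with a large SkewVsPDCe is the "turned off locally" case described later in the thread; w32tm /config /syncfromflags:domhier /update followed by a w32time restart puts it back on the domain hierarchy.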

Guest Ace Fekay [MVP Directory Services]
Posted

Re: Time diff prevent authentication?

 

 

<Meinolf Weber> wrote in message news:ff16fb66a58ca8cac4ee94cafe7b@msnews.microsoft.com...

> Hello NewsGrp,
>
> Time settings are not based on the OU. In a domain the DC with the PDCEmulator role is the time source; all other DCs sync with it and all other domain members sync with one available DC. For configuration of the PDCEmulator see this one.
>
> PDCEmulator:
>
> w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
>
> With "peers" you can set the time source, either a DNS name (time.windows.com) or an IP address from a reliable time source.
>
> Here you can find some of them:
> http://www.pool.ntp.org/
>
> Client configuration:
> To configure a client computer for automatic domain time synchronization:
>
> w32tm /config /syncfromflags:domhier /update
>
> After that run:
>
> net stop w32time
> net start w32time
>
> Best regards
>
> Meinolf Weber

Actually I would like to point out, one wouldn't need to configure the clients. Clients and member servers and the other DC roles (2000, 2003, XP & Vista), out of the box and joined to a domain, are by default set to use the domain hierarchy for time sync. They will automatically look for the PDC Emulator for their time source, so there's nothing really needed to be changed on a client. I do remember XP SP1 had a problem looking outside of its site if a DC was not available for time sync, but that was fixed with SP2. A workaround was to set it with a GPO or reg entries, as you've provided.

You can of course, if one needs to change it to a different source, change it, such as to an internet time server, a different Windows server set up as the time source for the infrastructure, or an internal non-Windows machine as the time source, which can be set by GPO or reg entries.

http://www.analogduck.com/main/wintime
http://nsit.uchicago.edu/docs/ucad/sysadmins/time/index.shtml
http://blogs.inetium.com/blogs/jdevries/archive/2006/04/29/87.aspx

Ace

Guest MSNews
Posted

Re: Time diff prevent authentication?

 

The problem we had was one OU had NTP turned off and certain servers were turned off locally for a previous programmer who was constantly setting the clock back to run a demo version of software. One of the reasons he is no longer with us...

Carlo

"Ace Fekay [MVP Directory Services]" <firstnamelastname@hotmail.com> wrote in message news:Otw9G139IHA.5316@TK2MSFTNGP02.phx.gbl...

> <Meinolf Weber> wrote in message news:ff16fb66a58ca8cac4ee94cafe7b@msnews.microsoft.com...
>> Hello NewsGrp,
>>
>> Time settings are not based on the OU. In a domain the DC with the PDCEmulator role is the time source; all other DCs sync with it and all other domain members sync with one available DC. For configuration of the PDCEmulator see this one.
>>
>> PDCEmulator:
>>
>> w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
>>
>> With "peers" you can set the time source, either a DNS name (time.windows.com) or an IP address from a reliable time source.
>>
>> Here you can find some of them:
>> http://www.pool.ntp.org/
>>
>> Client configuration:
>> To configure a client computer for automatic domain time synchronization:
>>
>> w32tm /config /syncfromflags:domhier /update
>>
>> After that run:
>>
>> net stop w32time
>> net start w32time
>>
>> Best regards
>>
>> Meinolf Weber
>
> Actually I would like to point out, one wouldn't need to configure the clients. Clients and member servers and the other DC roles (2000, 2003, XP & Vista), out of the box and joined to a domain, are by default set to use the domain hierarchy for time sync. They will automatically look for the PDC Emulator for their time source, so there's nothing really needed to be changed on a client. I do remember XP SP1 had a problem looking outside of its site if a DC was not available for time sync, but that was fixed with SP2. A workaround was to set it with a GPO or reg entries, as you've provided.
>
> You can of course, if one needs to change it to a different source, change it, such as to an internet time server, a different Windows server set up as the time source for the infrastructure, or an internal non-Windows machine as the time source, which can be set by GPO or reg entries.
>
> http://www.analogduck.com/main/wintime
> http://nsit.uchicago.edu/docs/ucad/sysadmins/time/index.shtml
> http://blogs.inetium.com/blogs/jdevries/archive/2006/04/29/87.aspx
>
> Ace

Guest Ace Fekay [MVP Directory Services]
Posted

Re: Time diff prevent authentication?

 

 

"MSNews" <carl@anywhere.com> wrote in message news:uMzChED%23IHA.544@TK2MSFTNGP03.phx.gbl...

> The problem we had was one OU had NTP turned off and certain servers were turned off locally for a previous programmer who was constantly setting the clock back to run a demo version of software. One of the reasons he is no longer with us...
>
> Carlo

Too many fingers in the pot. And why would a programmer have Domain Admin rights?

Ace
