how to and effects of setting time backwards to real time


Ken Hack

Our Windows 2000 servers do not have an external time source set and the PDC
Emulator in the root domain has sped up the network time about 15 minutes.
We have another domain controller in the root and a child domain with 2
domain controllers. There are also about 10 member servers delivering
applications, i.e. Exchange, SQL and such.

I know that all the servers and workstations eventually get their time from
the PDC Emulator in the root so logically I would only have to manually set
the time back 15 minutes on this server to get the Network in line.

Is this the correct way to do things or will I be causing some problems?
Should I immediately set all domain controllers to the same time and/or the
Exchange servers as well?

Does anyone have any tips or gotchas that I need to know? And yes, I will be
setting a proper external time source soon after the change.

Thanks for your assistance,

Ken
 
That's a good question and I don't know the 100 percent right answer, but here is my
two cents. Of course time synch is an issue due to the default five-minute Kerberos
time skew, though domain member computers/users should be able to fall back to
NTLM/NTLMv2 if need be for authentication, as downlevel computers use. However, IPsec
policies, if enabled, normally use Kerberos machine authentication in a domain.

If you change the PDC FSMO and then synch the servers, I believe you will be OK,
particularly if you do it before everyone starts up their computer for the day. You
could probably just restart the Windows Time service on the servers. I would start
with a three-minute time change to see if it does.

One thing to consider is to temporarily increase the allowed time skew for Kerberos
to 30 minutes at the domain level, such as Domain Security Policy under security
settings/account policies/Kerberos policies. You could do that 24 hours ahead of the
change and then restore it to 5 minutes 24 hours after the change. That would give
you an extra margin for success. --- Steve
 