The AD, for security measures, relies on the times being in Synch on
all Machines (no matter what their role) for them to participate in
the domain. It allows for a skew of 5 mins I think. Anything more than
that and you would see all a lot of authentication errors on the
machines with mis-matched dates.
http://www.microsoft.com/resources/.../2003/all/techref/en-us/W2K3TR_times_what.asp
"The Windows Time service is essential to the successful operation of
Kerberos authentication and, therefore, to Active Directory–based
authentication. Any Kerberos-aware application, including most
security services, relies on time synchronization between the
computers that are participating in the authentication request. Active
Directory domain controllers must also have synchronized clocks to
help ensure accurate data replication."
http://support.microsoft.com/default.aspx?scid=224799
http://support.microsoft.com/default.aspx?scid=kb;en-us;258059
http://www.microsoft.com/windows2000/techinfo/howitworks/security/wintimeserv.asp
--
Gautam Anand
e: gautam at hotpop dot com
---------------------------------
| what if I don't use this tool, what happens?
|
| These are not DC's that I am tampering with, just a few member
servers.
| What could happen?
|
|
| | > Check out Time Machine:
http://www.solution-soft.com/timemachine.shtml
| >
| > Do not change the time on any servers without using this software
or
| > something similar, it will break Kerberos authentication.
| >
| > | > >I have several servers, that for testing purposes , need to have
their
| time
| > > changed to something like 6 months ahead of now..
| > >
| > > These servers are part of the Active Directory, but they are not
DCs.
| > >
| > > Is this possible?
| > >
| > > Any side effects?
| > >
| > >
| >
| >
|
|
