Solved

Active Directory Time

Posted on 2015-01-22
14
75 Views
Last Modified: 2015-01-23
Hi,

I have a quick question, what are the consequences of having a member server on a different time zone to its Active Directory Domain?  I have an application that needs to connect to a server in a different time zone (the server in the different time zone and the member server, have to have the same time) and the users in the AD domain connect to this member server for one of our applications.  What problems could this bring up?

Cheers
0
Comment
Question by:minniejp
  • 7
  • 4
  • 2
  • +1
14 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40565266
no problems as long as the time is correct
many things actually use GMT though it's displayed in the time zone it is currently in
as long as the server time is correct for that time zone, it will be fine
if a server in boston shows 1pm EST and a server in san francisco shows 10am PST then that is fine
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40565278
The servers will not have issues, any sync is based on UTC. Applications manage time zone handling themselves, so you can't tell in general.
0
 

Author Comment

by:minniejp
ID: 40565369
Thanks all...Is there a scenario where time differences are a problem?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565461
Yes. I am concerned by this statement, as it is rather ambiguous:

 "the server in the different time zone and the member server, have to have the same time"

If you are saying that a server set to the Pacific timezone and another server set to the Eastern timezone (for example) most both report their local time as 10am instead of accommodating the timezone difference then that *will* be a problem. In order to minimize man-in-the-middle and various replay attacks, the authentication schemes supported by windows (Kerberos, and even NTLM) do not allow a skew of more than a few minutes. And having two servers report the same "local" time but have different timezones is, by definition, a skew of an hour or more, depending on the time difference between the selected timezones.  Most functionality that relies on Active Directory (logins, group policies, etc) will simply not work.

-Cliff
0
 

Author Comment

by:minniejp
ID: 40565919
Thanks Cliff.  I need to change a Server that is a member server within a AD Domain that is in the Pacific Timezone to GMT, allowing it to run an application that is on a Server in the UK (GMT) (both servers need to have the same time).  Users in the AD Domain in the Pacific Timezone then log onto this member server but is this going to work if this server is a number of hours ahead in GMT and the users logging into it are in Pacific?  

In summary, I need this member server to have the same time as the server based in the UK (for this application to work) but i'm not 100% sure of the consequences.  

Cheers
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565932
Unfortunately your statement about the servers needing to have "the same time" is still ambiguous. If their times would be the same when converted to UTC then you'll have no issues. If they each have a local time that appears the same (so both would claim to be 10AM if viewed side by side) but are in different time zones then that is a significant problem with no good workaround. The phrase "same time" could be interpreted either way as illustrated by the examples above. One is fine. The other is very problematic and the only viable resolution would be to get the application changed to respect timezones.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40565935
That is summarized well. The main issue probably is the application not being able to work with timezone.
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 

Author Comment

by:minniejp
ID: 40565963
Thanks for your reply.  As long as the time on both Servers (UK and the one server in US) have the same time (10am) then this is enough.  I don't believe they necessarily need to be on the same time zone.  I was going to change the registry on the US server and tell it to get its time from a UK time Source rather than its own US Domain Controller.
0
 

Author Comment

by:minniejp
ID: 40565966
My worry was around Active Directory and how it would react to a server on the domain having a different time and what problems it may cause in users logging into the Server (they obviously will have a US time and the Server (based in US) will have a UK time).

Sorry for the confusing statements, hopefully I have explained this better than above.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565983
"As long as the time on both Servers (UK and the one server in US) have the same time (10am) then this is enough.  I don't believe they necessarily need to be on the same time zone."  

That is exactly the scenario you *DON'T* want. Such a configuration would break authentication with the one server where the time doesn't match the appropriate timezone.
0
 

Author Comment

by:minniejp
ID: 40565985
Great! I wanted to be sure I didn't break the Authentication! So, same time on server, with the registry set to a time source in UK and keep in time zone to US!

Cheers Cliff
0
 

Author Comment

by:minniejp
ID: 40566082
Sorry Cliff, I'm just reading your reply again and I think I read it wrong.  Please see below:

Application Server in UK - Time Zone GMT - Time 10am

Application Server in USA - Time Zone UTC  - Time 10am

Domain Controller in USA - Time Zone UTC - Time  5am

Is this scenario OK or should it be:


Application Server in UK - Time Zone GMT - Time 10am

Application Server in USA - Time Zone GMT  - Time 10am

Domain Controller in USA - Time Zone UTC - Time  5am

Thanks for the clarification
Cheers
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40566087
Second scenario. The first will break.
0
 

Author Closing Comment

by:minniejp
ID: 40566103
Thanks Cliff
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now