Solved

Active Directory Time

Posted on 2015-01-22
14
78 Views
Last Modified: 2015-01-23
Hi,

I have a quick question, what are the consequences of having a member server on a different time zone to its Active Directory Domain?  I have an application that needs to connect to a server in a different time zone (the server in the different time zone and the member server, have to have the same time) and the users in the AD domain connect to this member server for one of our applications.  What problems could this bring up?

Cheers
0
Comment
Question by:minniejp
  • 7
  • 4
  • 2
  • +1
14 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40565266
no problems as long as the time is correct
many things actually use GMT though it's displayed in the time zone it is currently in
as long as the server time is correct for that time zone, it will be fine
if a server in boston shows 1pm EST and a server in san francisco shows 10am PST then that is fine
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40565278
The servers will not have issues, any sync is based on UTC. Applications manage time zone handling themselves, so you can't tell in general.
0
 

Author Comment

by:minniejp
ID: 40565369
Thanks all...Is there a scenario where time differences are a problem?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565461
Yes. I am concerned by this statement, as it is rather ambiguous:

 "the server in the different time zone and the member server, have to have the same time"

If you are saying that a server set to the Pacific timezone and another server set to the Eastern timezone (for example) most both report their local time as 10am instead of accommodating the timezone difference then that *will* be a problem. In order to minimize man-in-the-middle and various replay attacks, the authentication schemes supported by windows (Kerberos, and even NTLM) do not allow a skew of more than a few minutes. And having two servers report the same "local" time but have different timezones is, by definition, a skew of an hour or more, depending on the time difference between the selected timezones.  Most functionality that relies on Active Directory (logins, group policies, etc) will simply not work.

-Cliff
0
 

Author Comment

by:minniejp
ID: 40565919
Thanks Cliff.  I need to change a Server that is a member server within a AD Domain that is in the Pacific Timezone to GMT, allowing it to run an application that is on a Server in the UK (GMT) (both servers need to have the same time).  Users in the AD Domain in the Pacific Timezone then log onto this member server but is this going to work if this server is a number of hours ahead in GMT and the users logging into it are in Pacific?  

In summary, I need this member server to have the same time as the server based in the UK (for this application to work) but i'm not 100% sure of the consequences.  

Cheers
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565932
Unfortunately your statement about the servers needing to have "the same time" is still ambiguous. If their times would be the same when converted to UTC then you'll have no issues. If they each have a local time that appears the same (so both would claim to be 10AM if viewed side by side) but are in different time zones then that is a significant problem with no good workaround. The phrase "same time" could be interpreted either way as illustrated by the examples above. One is fine. The other is very problematic and the only viable resolution would be to get the application changed to respect timezones.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40565935
That is summarized well. The main issue probably is the application not being able to work with timezone.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:minniejp
ID: 40565963
Thanks for your reply.  As long as the time on both Servers (UK and the one server in US) have the same time (10am) then this is enough.  I don't believe they necessarily need to be on the same time zone.  I was going to change the registry on the US server and tell it to get its time from a UK time Source rather than its own US Domain Controller.
0
 

Author Comment

by:minniejp
ID: 40565966
My worry was around Active Directory and how it would react to a server on the domain having a different time and what problems it may cause in users logging into the Server (they obviously will have a US time and the Server (based in US) will have a UK time).

Sorry for the confusing statements, hopefully I have explained this better than above.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40565983
"As long as the time on both Servers (UK and the one server in US) have the same time (10am) then this is enough.  I don't believe they necessarily need to be on the same time zone."  

That is exactly the scenario you *DON'T* want. Such a configuration would break authentication with the one server where the time doesn't match the appropriate timezone.
0
 

Author Comment

by:minniejp
ID: 40565985
Great! I wanted to be sure I didn't break the Authentication! So, same time on server, with the registry set to a time source in UK and keep in time zone to US!

Cheers Cliff
0
 

Author Comment

by:minniejp
ID: 40566082
Sorry Cliff, I'm just reading your reply again and I think I read it wrong.  Please see below:

Application Server in UK - Time Zone GMT - Time 10am

Application Server in USA - Time Zone UTC  - Time 10am

Domain Controller in USA - Time Zone UTC - Time  5am

Is this scenario OK or should it be:


Application Server in UK - Time Zone GMT - Time 10am

Application Server in USA - Time Zone GMT  - Time 10am

Domain Controller in USA - Time Zone UTC - Time  5am

Thanks for the clarification
Cheers
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40566087
Second scenario. The first will break.
0
 

Author Closing Comment

by:minniejp
ID: 40566103
Thanks Cliff
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now