2

This office runs an Active Directory on Windows servers. Some 2003 DCs, some 2008 R2 DCs.

A user (the QA analyst) requested that he be able to change his time and have it not be changed back after 5-10 minutes. The reason is he needs to see different time states for our website.

First off, a couple of issues spring to mind...

  1. What happens if he forgets to change it back?

  2. Will he be able to continue to use the resources of the domain if his time and date are out of sync? Exchange, shares, even to log on....?

What are some solutions to this issue? I am sure this has come up many times in the past. I can see his user account or workstation computer in its own OU with its own GPO, but I am unsure where to go from there.

Campo

3 Answers

2

If the time is off, authentication to network resources will fail. If the user logs off with the time out of sync, all domain authentication for that computer will fail. In order to get back in, you would have to unplug from the network and log in using cached credentials.

Cleanest way would probably be to have the user test from a workstation that is not on the domain.

HostBits
2

As long as he is not making changes to Active Directory, the impact to the environment will be minimal. The user may have problems getting group policy updates and may have issues authenticating (but that can be fixed with a time reset and reboot). You will have to:

  1. Sync time to a nonexistent time source (see Windows Time Service Tools and Settings); this will prevent the domain from automatically repairing the time.
  2. Change the time manually.

You can keep the user's machine in sync and allow him to have a time difference on a virtual machine rather than his workstation (Windows virtual machine will allow this).

Jim B
  • Thank you for providing an actual solution. Much appreciated. I will discuss these options with the QA. – Campo Mar 24 '11 at 20:01
1

The protocols used to contact domain controllers (specifically Kerberos) are based on the computer's time. All sorts of authentication errors can result from messing with the time. Generally, a time skew of more than 5 minutes will give you problems.

More info on how Kerberos works here: http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

Hyppy
  • Agreed. So what is a good alternative? This is a requirement for our Website Development. I can only think of using a VM that's not connected to the domain. – Campo Mar 24 '11 at 19:46
  • 2
    A non-domain VM would be my first choice, yes. – Hyppy Mar 24 '11 at 19:48
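
An added example, not part of the original question or answers: a PowerShell check for a domain workstation that measures its clock offset against a domain controller with `w32tm /stripchart` and flags anything beyond the 5-minute skew mentioned above, which covers the "what if he forgets to change it back" case. With `-Restore` it points the Windows Time service back at the domain hierarchy. The DC name `dc01.example.test`, the parameter names and the helper `Get-OffsetSeconds` are assumptions made for illustration.

```powershell
# Added example: flag clock skew beyond the Kerberos tolerance on a domain workstation.
param(
    [string]$DomainController = 'dc01.example.test', # placeholder name (assumption)
    [int]$MaxSkewSeconds = 300,                       # the 5-minute skew cited above
    [switch]$Restore                                  # also re-enable domain time sync
)

function Get-OffsetSeconds {
    # Hypothetical helper: extracts the first offset from "w32tm /stripchart /dataonly"
    # output, whose sample lines look like "15:46:12, +00.0123456s".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # only header or "error: 0x..." lines were present
}

# One unauthenticated NTP sample from the DC; this does not change the local clock.
$raw = & w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly
$offset = Get-OffsetSeconds -Lines $raw

if ($null -eq $offset) {
    Write-Warning "No time sample received from $DomainController; skew is unknown."
    exit 2
}

$skew = [math]::Abs($offset)
if ($skew -le $MaxSkewSeconds) {
    Write-Output ("Clock is {0:N1}s from {1}; within the {2}s tolerance." -f $skew, $DomainController, $MaxSkewSeconds)
    exit 0
}

Write-Warning ("Clock is {0:N1}s from {1}; domain authentication is likely to fail." -f $skew, $DomainController)
if ($Restore) {
    # Run elevated: point the Windows Time service back at the domain hierarchy, then resync.
    & w32tm /config /syncfromflags:domhier /update
    & w32tm /resync /rediscover
}
exit 1
```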