Tech Support > Microsoft Windows > Windows Server > Problem after begin of daylilgh saving
Problem after begin of daylilgh saving
Posted by André Carvalho on November 3rd, 2004


Now we are running on daylight saving in Brazil.

We have the following problem:
- Member servers that have daylight saving disabled are unable to access
member servers that have daylight savings enabled.

And it’s a fact:
- Member servers that have daylight saving enabled are able to access member
servers that have daylight savings disabled.

We are running with same date/time in every server but we have different
daylight saving configurations. Some servers (that work with a external
network, as an extranet) have the daylight saving feature enabled. All other
servers don't. These servers are in same domain.
Workstations don’t have daylight saving enabled too. In the same way, these
workstations cannot access servers with daylight saving enabled.
We, up to now, couldn't understand the problem. Is it a time Kerberos ticket
problem? Is it a windows daylight saving configuration problem? How can we
keep these strange configuration working (we have to have different daylight
saving working on same domain)?

Thanks,
André

Active Directory domain running on Windows Server 2003
Kerberos Policy: Maximum tolerance for computer clock synchronization set up
to 120 minutes

Posted by Glenn L on November 4th, 2004


This is a kerberos issue.
The quickest way to deal with this is to increase the kerberos max tolerance
to greater than one hour.

Kerberos uses UTC time rather than system time, and it sees these systems as
being 1 hour off.

The daylight savings setting is an offset from UTC time.
http://setiathome.ssl.berkeley.edu/utc.html

--
Glenn L

CCNA, MCSE (2000,2003) + Security
"André Carvalho" <André Carvalho@discussions.microsoft.com> wrote in message
news:3C138AD6-94B6-4651-A5E6-D3CC500585BC@microsoft.com...


Posted by André Carvalho on November 5th, 2004


The problem was exactly that. But at the time of the first post I've already
changed this configuration (the last phrase of post).
I called microsoft and they found that although the policy has been
implemented it was not been applied.
They gave a work around:
to create a registry key called "Parameters" in
HKLM\CCSET\CONTROL\LSA\Kerberos\ and add a DWORD value called "SkewTime" with
the desired value (the same value as policy Maximum tolerance for computer
clock has).


"Glenn L" wrote:


Similar Posts