But even in that case, as long as you could log on, you could reset the
clock manually to the correct time, and from then on everything would be
fine, right?


  _____  

From: Hoort, Brian [mailto:[log in to unmask]] 
Sent: Friday, February 16, 2007 4:58 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] DST 2007 on Windows 2000



I should have elaborated on this further before shipping off that last
response.  Let me elaborate now:

 

Our understanding of modern Windows clients is that all authentication is
done through Kerberos.  Kerberos fails if two hosts have a greater time
differential than 5 minutes.  So for example, any domain user login that was
not cached already on that workstation would fail at any unpatched domain
workstation.  So, if it's your workstation and you've already logged in to
it before, we think it would work as a cached login - though in our quick
test after logging in we could not start Outlook (configured with Exchange),
and it's unclear to me if other network resources would be accessible (we
didn't try).  There were a bunch of errors in the event log as well, dealing
with authentication and time issues.  In the other case, a domain
workstation where a particular domain user account should be able to log in,
but hasn't yet before, we believe it will fail due to Kerberos and the
time-disconnect.

 

bh

 


  _____  


From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Wolf, Chris
Sent: Friday, February 16, 2007 4:34 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] DST 2007 on Windows 2000

 

As far as I can tell, we have six Windows 2000 computers left, all members
of our domain, none using Exchange.  Several of them are rarely used.  My
plan was to just have those users set the time manually to the correct time
on (or about) March 11 and September 28 each year until we replace the
computers (which probably won't be that long). Why wouldn't that work? And
even if they don't set it, as long as they aren't using calendar software,
how much does it matter if their clock is wrong?

 


  _____  


From: Hoort, Brian [mailto:[log in to unmask]] 
Sent: Friday, February 16, 2007 4:15 PM
To: [log in to unmask]
Subject: [MSUNAG] DST 2007 on Windows 2000

Greetings:

 

I contacted Microsoft with the intention of paying them for the DST patch
for Windows 2000 (for those of you sleeping under a rock, W2K is out of M$'s
support cycle and they are not distributing non-security patches to
organizations without Extended Support Contracts).  We still have a small
percentage of servers that haven't been replaced yet.  The response was that
it would cost $4000.

 

We're not paying $4000 for a patch.  I don't suspect many departments across
the University are.  So what are you guys doing?  I know we aren't the only
ones with W2K servers and workstations lingering.  Here, we've discussed the
following alternatives:

a)     One of my co-workers found a 3rd party company that was giving an
unsupported patch away for free on their web site; sounds great, but, it's
not from M$ and who knows how well it works come March.  I'd feel much safer
if it was from M$.

b)     M$ offers instructions on how to do it manually in KB914387.  It's
very complicated.  I wouldn't trust myself to even copy and paste without
errors, and being a registry patch there would be no feedback as to whether
it was wrong.

c)     My limited understanding of Kerberos and AD/Domain behavior suggests
that trying to fake it out by changing the time won't work for any machine
in the domain (it seems as though it might for non-domain-members).
(Kerberos refuses net connectivity to any connection more than 5 minutes
offset from the DCs - try it yourself - change your workstation date ahead
and try and connect to Exchange - no go).

d)     Could the U. buy the patch and distribute it, much like U. site
licenses?  Perhaps we would all pay a fraction of that cost?

 

Are you aware of any other options?

 

 

 

Brian Hoort
Business & Personnel Office
Rm. 1 Physical Plant Bldg.
Michigan State University
East Lansing, MI 48824-1215
517-432-0242
[log in to unmask]
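
An added illustration, not part of the thread: Kerberos compares timestamps in UTC and Windows keeps its system clock in UTC, so this sketch models what the 5-minute tolerance discussed above sees when an unpatched machine's wall clock is left alone versus typed in by hand. It assumes US Eastern time, the pre-2007 and 2007 US DST rules, and a machine whose UTC clock was correct before anyone touched it; all function names are hypothetical.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)   # Kerberos tolerance quoted in the thread
EST = timedelta(hours=-5)         # assumed zone: US Eastern standard offset
HOUR = timedelta(hours=1)

def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of a month (n=1 is the first)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def utc_offset(utc, patched):
    """Offset the OS applies to UTC under the 2007 rule (patched) or the old rule."""
    y = utc.year
    if patched:   # second Sunday of March to first Sunday of November
        start, end = nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)
    else:         # first Sunday of April to last Sunday of October
        start, end = nth_sunday(y, 4, 1), nth_sunday(y, 11, 1) - timedelta(days=7)
    # Transitions are at 02:00 local: 07:00 UTC going in, 06:00 UTC coming out.
    in_dst = start + 2 * HOUR - EST <= utc < end + 2 * HOUR - EST - HOUR
    return EST + HOUR if in_dst else EST

def wall_clock_error(true_utc):
    """Untouched unpatched machine: UTC stays right, only the displayed time is off."""
    return abs(utc_offset(true_utc, True) - utc_offset(true_utc, False))

def skew_after_manual_set(true_utc):
    """UTC skew against the DC after a user types the correct local time."""
    correct_wall = true_utc + utc_offset(true_utc, patched=True)
    # The unpatched OS converts the typed wall time back to UTC with the old rule
    # (approximation: valid away from the transition hour itself).
    machine_utc = correct_wall - utc_offset(true_utc, patched=False)
    return abs(machine_utc - true_utc)

def auth_would_fail(true_utc):
    """True when the manual setting pushes the machine past the Kerberos tolerance."""
    return skew_after_manual_set(true_utc) > MAX_SKEW

if __name__ == "__main__":
    # Constructed sample dates: inside and outside the windows where the rules differ.
    for d in (datetime(2007, 3, 20, 15), datetime(2007, 7, 1, 15), datetime(2007, 10, 30, 15)):
        print(d, "display error:", wall_clock_error(d),
              "| skew if set by hand:", skew_after_manual_set(d),
              "| Kerberos fails:", auth_would_fail(d))
```

Under these assumptions the hand-set clock is a full hour off in UTC during the weeks where the two rules disagree, which is well past the 5-minute limit, while an untouched clock only displays the wrong hour.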