I should have elaborated on this further before shipping off that last response.  Let me elaborate now:

Our understanding of modern Windows clients is that all authentication is done through Kerberos.   Kerberos fails if two hosts have a greater time differential than 5 minutes.  So for example, any domain user login that was not cached already on that workstation, would fail at any unpatched domain workstations.  So, if it’s your workstation and you’ve already logged in to it before, we think it would work as a cached login – though in our quick test after logging in we could not start Outlook (configured with Exchange), and it’s unclear to me if other network resources would be accessible (we didn’t try).  There were a bunch of errors in the event log as well, dealing with authentication and time issues.  In the other case, a domain workstation where a particular domain user account should be able to login, but hasn’t yet before, we believe it will fail due to Kerberos and the time-disconnect.

bh

From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Wolf, Chris
Sent: Friday, February 16, 2007 4:34 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] DST 2007 on Windows 2000

As far as I can tell, we have six Windows 2000 computers left, all members of our domain, none using Exchange.  Several of them are rarely used.  My plan was to just have those users set the time manually to the correct time on (or about) March 11 and September 28 each year until we replace the computers (which probably won't be that long). Why wouldn't that work? And even if they don't set it, as long as they aren't using calendar software, how much does it matter if their clock is wrong?

From: Hoort, Brian [mailto:[log in to unmask]]
Sent: Friday, February 16, 2007 4:15 PM
To: [log in to unmask]
Subject: [MSUNAG] DST 2007 on Windows 2000

Greetings:

I contacted Microsoft with the intention of paying them for the DST patch for Windows 2000 (for those of you sleeping under a rock W2K is out of M$’s support cycle and they are not distributing non-security patches to organizations without Extended Support Contracts).  We still have a small percentage of servers that haven’t been replaced yet.  The response was that it would cost $4000.

We’re not paying $4000 for a patch.  I don’t suspect many departments across the University are.  So what are you guys doing?  I know we aren’t the only ones with W2K servers and workstations lingering…  Here, we’ve discussed the following alternatives:

a)     One of my co-workers found a 3rd party company that was giving an unsupported patch away for free on their web site; sounds great, but it’s not from M$ and who knows how well it works come March.  I’d feel much safer if it was from M$.

b)     M$ offers instructions on how to do it manually in KB914387.  It’s very complicated.  I wouldn’t trust myself to even copy and paste without errors, and being a registry patch there would be no feedback as to whether it was wrong.

c)     My limited understanding of Kerberos and AD/Domain behavior suggests that trying to fake it out by changing the time won’t work for any machine in the domain (it seems as though it might for non-domain-members). (Kerberos refuses net connectivity to any connection more than 5 minutes offset from the DCs – try it yourself – change your workstation date ahead and try and connect to Exchange – no go).

d)     Could the U. buy the patch and distribute it, much like U. site licenses?  Perhaps we would all pay a fraction of that cost?

Are you aware of any other options?

Brian Hoort
Business & Personnel Office
Rm. 1 Physical Plant Bldg.
Michigan State University
East Lansing, MI 48824-1215
517-432-0242
[log in to unmask]
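Brian's item (b) points out that a manual registry edit per KB914387 gives no feedback on whether it was typed correctly. As an added example (not from this thread, from Microsoft, or from the KB article), the Python below decodes a Time Zones `TZI` registry value (as exported with `reg export` or pasted from a .reg file) and reports whether it carries the old or the 2007 US transition rules, resolving each rule to a calendar date for a given year (the 2007 rules land on the March 11 date Chris mentions). The 44-byte REG_TZI_FORMAT layout is an assumption stated in the comments, and the two Eastern-time sample blobs are constructed.

```python
import struct
from datetime import date, timedelta

# Assumed layout of the REG_TZI_FORMAT blob in the "TZI" value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\<zone name>:
#   LONG Bias, LONG StandardBias, LONG DaylightBias,
#   SYSTEMTIME StandardDate, SYSTEMTIME DaylightDate
# Each SYSTEMTIME is 8 WORDs: year (0 = recurring rule), month, day-of-week
# (0 = Sunday), day (week of month, 5 = last), hour, minute, second, ms.
_TZI = struct.Struct("<lll8H8H")
_KEYS = ("year", "month", "day_of_week", "day", "hour", "minute", "second", "ms")

# Transition rules as (month, week, day_of_week, hour); week 5 means "last".
PRE_2007_US = {"daylight": (4, 1, 0, 2), "standard": (10, 5, 0, 2)}
POST_2007_US = {"daylight": (3, 2, 0, 2), "standard": (11, 1, 0, 2)}

def parse_tzi(blob: bytes) -> dict:
    """Decode a 44-byte TZI value into its biases and two transition rules."""
    if len(blob) != _TZI.size:
        raise ValueError(f"TZI must be {_TZI.size} bytes, got {len(blob)}")
    f = _TZI.unpack(blob)
    return {"bias": f[0], "standard_bias": f[1], "daylight_bias": f[2],
            "standard_date": dict(zip(_KEYS, f[3:11])),
            "daylight_date": dict(zip(_KEYS, f[11:19]))}

def transition_date(year: int, rule: dict) -> date:
    """Resolve an 'nth weekday of month' SYSTEMTIME rule to a calendar date."""
    first = date(year, rule["month"], 1)
    py_dow = (rule["day_of_week"] - 1) % 7      # SYSTEMTIME Sunday=0 -> Python Sunday=6
    d = first + timedelta(days=(py_dow - first.weekday()) % 7 + 7 * (rule["day"] - 1))
    while d.month != rule["month"]:              # week 5 ("last") may overshoot the month
        d -= timedelta(days=7)
    return d

def classify(blob: bytes) -> str:
    """Report whether a TZI value carries the pre-2007 or the 2007 US DST rules."""
    tz = parse_tzi(blob)
    rules = {k: (tz[k + "_date"]["month"], tz[k + "_date"]["day"],
                 tz[k + "_date"]["day_of_week"], tz[k + "_date"]["hour"])
             for k in ("daylight", "standard")}
    if rules == POST_2007_US:
        return "patched (2007 rules)"
    if rules == PRE_2007_US:
        return "unpatched (pre-2007 rules)"
    return "unrecognised rules: check the edit"

# Constructed sample values for US Eastern (bias 300 min, DST bias -60 min).
OLD_EASTERN = struct.pack("<lll8H8H", 300, 0, -60, 0, 10, 0, 5, 2, 0, 0, 0, 0, 4, 0, 1, 2, 0, 0, 0)
NEW_EASTERN = struct.pack("<lll8H8H", 300, 0, -60, 0, 11, 0, 1, 2, 0, 0, 0, 0, 3, 0, 2, 2, 0, 0, 0)
```

To check a real machine, feed `classify()` the bytes of the `TZI` value for the zone in use, and `transition_date(2007, ...)` shows the exact dates the rule will produce.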