#1

Hi Smart Folks,

We have a large test lab environment running a custom built set of applications for dealing with huge transaction volumes supporting the financial sector.

Our clients, financial institutions, want to test the custom application. No problem. However they also want to simulate quarter-ends and year-ends by flipping dates and times backwards and forwards, in order of months or years.

Thanks to w32time we cannot change the time on one system for long without impact, or without time sync correcting it.

Moving time forward on the entire test environment, I don't foresee many support issues. My question is, when we move time backwards, on an established environment with populated DNS and existing objects, what impacts can be expected or at least planned for?

The infrastructure is based on Windows 2003 Server R2, using AD, in a single forest with empty root domain and a single child domain for now. Each domain has 2x GC's. Each GC runs as a DNS server also. There are no "client computers" since the clients are all servers running various portions of the custom application in a private network environment, as it will be in production.

The time structure currently has the PDC emulator in root domain synching time via NTP with our internal host as stratum 1, child domain PDC synchs from root domain and all devices within the child synching from this server.

Replication is simple in the lab, single site, high speed network.

DNS is a single zone, AD integrated.

Anything else I forgot to add?

Appreciate your time,
Mikel

#2

> Our clients, financial institutions, want to test the custom
> application. No problem. However they also want to simulate
> quarter-ends and year-ends by flipping dates and times backwards and
> forwards, in order of months or years.
>
> Thanks to w32time we cannot change the time on one system for long
> without impact, or without time sync correcting it.

I would try to set up a small test environment that is not AD and that has no outside (Internet) connectivity. Let them test there.

-Frank

#3

Until the smart people get online, I'll add a few thoughts that might .

Time is one component in an AD environment that is the most delicate. That's because Kerberos depends heavily on it, or rather makes use of it to prevent attacks. I would expect changing the time backwards and forwards and sideways and up and down would pose significant risks to your test environment the same as it would in a production environment.

While you might get away with changing the time like that without issue (not likely you would get away with it consistently), I would highly suggest you consider having an off-line GC/DNS for each domain before you change time information. That would speed your recovery down to removing the blown DC's (format), starting the off-lines, removing the metadata (much easier in R2), reconfiguring your time source, seizing the roles and rejoining the servers if needed. If you don't need them, you have nothing to worry about, right?

These off-lines could easily be virtual machines to save hardware, space, etc. but be sure you've read the documents related to putting DC's in virtual machines.

Al

#4

My first thought

From a testing perspective (if you did stick with AD) you could set the PDCe to sync with its internal clock. It will remove the typical stratum setup but will then contain the time within the AD forest. Kerberos doesn't care if it is the right time, just that the time is the same within the realm.

The only disadvantage is you wouldn't want to do this for an extended time and financial testers may get a bit twitchy.

#5

Off the top of my head:

Moving the time forward on your DCs may cause passwords to expire prematurely.

It will also cause tombstones to get cleaned up prematurely, which may impact your AD restore/recovery strategy.

Workstations will sync time with the DCs, and depending on how long the test is, you may affect only a subset of workstations in your domains.

This will affect entries in log files, update services/patch management servers and antivirus consoles. These entries may be made for dates in the future and screw up reporting and summaries.

Scheduled jobs may run unexpectedly and do cleanups or other things you don't want to happen.

Messages received on mail servers in the domain during the test may be timestamped wrong.

Only you can tell what impact it will have in your environment.

#6

In an AD environment the only way you can have members showing different time is by placing them in different time zones. Which can only give you a (+ or -) 12 hr differential. Anything more than that is considered a security risk.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]

#7

Here is an article I tracked down eveeeentually in another post which greatly assisted me; although it's not comprehensive, definitely useful.

http://support.microsoft.com/?kbid=289668

Hard to find, since most time questions relate to misconfiguration of the topology or only one system that is out of sync.

My question has related only to setting a complete environment, rolling back and forward the time repeatedly.

Thanks to all those who took the time to respond.

/\/\ikel

#8

So, what did you decide to do? Do this within AD? Or, on stand-alone machines?

-Frank

#9

Once you move a domain forward in time, you do not want to move it back and use it. Timestamps, etc. that get stamped on objects will be permanently screwed up because several things that stamp only look at the last stamp and if the new stamp that would be produced is less than the old stamp, there will not be an update. So if you do this, do it with a temp forest that you will wipe at the end of the test.

For example, note some of the results of some tests I did over a year ago to one of my test forests....

    dn:CN=2K3DC02,OU=Domain Controllers,DC=joe,DC=com
    >lastLogonTimestamp: 08/31/2006-00:29:42 Eastern Standard Time

    dn:CN=2K3UTL01,CN=Computers,DC=joe,DC=com
    >lastLogonTimestamp: 06/04/2006-09:13:48 Eastern Standard Time

    dn:CN=HP-ML,CN=Computers,DC=joe,DC=com
    >lastLogonTimestamp: 05/11/2006-12:47:59 Eastern Standard Time

    dn:CN=2K3EXC01,CN=Computers,DC=joe,DC=com
    >lastLogonTimestamp: 08/20/2500-10:14:52 Eastern Standard Time

    dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
    >lastLogonTimestamp: 08/20/2500-10:22:06 Eastern Standard Time

    dn:CN=2K3EXC02,CN=Computers,DC=joe,DC=com
    >lastLogonTimestamp: 07/11/2006-17:44:55 Eastern Standard Time

If you need to do this sort of testing, set up forests with the different times from scratch, do not roll test forests backward and forward, you do not know what you are playing with and what the impacts could be on the forest.

--
Joe Richards
Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
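
An added example, not part of the original thread: a small audit that reads a dump in the layout quoted in post #9 and lists the objects whose stamp is still in the future after the clock was rolled back. The function names, the one-day tolerance and the audit date are assumptions made for illustration; `would_update` only models the rule as the post describes it.

```python
import re
from datetime import datetime, timedelta

# Dump lines copied from post #9; the layout is assumed to be exactly as quoted there.
SAMPLE = """\
dn:CN=2K3DC02,OU=Domain Controllers,DC=joe,DC=com
>lastLogonTimestamp: 08/31/2006-00:29:42 Eastern Standard Time
dn:CN=2K3UTL01,CN=Computers,DC=joe,DC=com
>lastLogonTimestamp: 06/04/2006-09:13:48 Eastern Standard Time
dn:CN=HP-ML,CN=Computers,DC=joe,DC=com
>lastLogonTimestamp: 05/11/2006-12:47:59 Eastern Standard Time
dn:CN=2K3EXC01,CN=Computers,DC=joe,DC=com
>lastLogonTimestamp: 08/20/2500-10:14:52 Eastern Standard Time
dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
>lastLogonTimestamp: 08/20/2500-10:22:06 Eastern Standard Time
dn:CN=2K3EXC02,CN=Computers,DC=joe,DC=com
>lastLogonTimestamp: 07/11/2006-17:44:55 Eastern Standard Time
"""

STAMP = re.compile(r"^>(?P<attr>[\w-]+):\s*(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})")

def parse_dump(text):
    """Yield (dn, attribute, datetime) for every timestamp line in the dump."""
    dn = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        m = STAMP.match(line)
        if m and dn:
            yield dn, m["attr"], datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S")

def future_stamps(text, now, tolerance=timedelta(days=1)):
    """Entries stamped later than now + tolerance (tolerance covers the ignored time zone)."""
    limit = now + tolerance
    return [(dn, attr, ts) for dn, attr, ts in parse_dump(text) if ts > limit]

def would_update(stored, candidate):
    """Rule as described in the post: a stamp is only replaced by a later one."""
    return candidate > stored

if __name__ == "__main__":
    now = datetime(2006, 9, 8)  # assumed audit date
    for dn, attr, ts in future_stamps(SAMPLE, now):
        print(f"{dn}: {attr}={ts:%Y-%m-%d} is in the future; "
              f"a stamp made today would apply: {would_update(ts, now)}")
```

Run against a fresh dump after any time-shift test, an empty result means no object kept a stamp from the shifted period for the attributes dumped.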