
I currently have an Active Directory that has several child domains (consisting of nothing other than a DC and bespoke application servers) set up for testing our CRM software. As some of it is date/time sensitive, these have been set to dates in the future at some point in the past, which is causing replication errors. I'm working on getting rid of these child domains, but still have a requirement for our testers to be able to time shift.

Does anyone know of any solutions that would allow our test environments to have their time changed (always forward), without affecting the production Active Directory? Is it as simple as creating a separate forest on the same LAN or would that interfere with my production forest?

Thanks for any advice.

Mike1980

3 Answers


Given that replication relies on timestamps there IS NO WAY TO DO THAT. Whoever set that up should have read "Active Directory for Beginners" first. Your only good choice is to totally isolate the subdomains into their own independent forests - then they can individually jump in time as they see fit.

TomTom
  • Tell me about it, yet, if I wanted to use a cattle prod to teach them, I'd be in the wrong. How is that fair! The fact that the errors seem to indicate that it's been like that for 5 years makes me slightly afraid to change things (I have to admit, almost all of my AD experience is with well behaved ADs), but working on fixing this is less frightening than trying to upgrade the schema at some point with the AD as it is. Can more than one AD forest co-exist happily on the same LAN? Is there anything to watch out for? – Mike1980 Apr 28 '10 at 19:12
  • More than one forest can co-exist, provided you don’t have something silly like multiple conflicting DHCP servers :) You can’t have trusts between them, though — Kerberos needs a properly synced time to work, so it will be essentially isolated (right down to the workstations joined to the realm). I’m guessing you can’t fudge it with timezone trickery? – Mo. Apr 28 '10 at 20:25
  • I don't think we'd get much mileage out of timezone trickery, we're talking shifting of years rather than hours or even – Mike1980 Apr 28 '10 at 21:52

Exiling them into their own forest is about your only hope here. If you set up trusts between the forests you can still access things on either side, and time-sync is less important there. For one, you're no longer doing any kind of global-catalog replication to time-variable domains.

But it is a fundamental requirement of AD forests that all servers agree on a universal time. Time-shifting MIGHT be possible if you expend the effort to create your very own customized time-zones which define a distance from Universal Coordinated Time that the users need. I've never done that, nor do I know if offsets greater than 24 hours are even possible. But if it is, that's the only way to keep such a large offset in your forest.

sysadmin1138

I second TomTom. Time is important to Active Directory. You can have multiple domains on a single subnet/network/LAN. It's probably your best bet, or make whatever application server you have be a standalone server off any domain.

sinping
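
The answers and comments above all come back to clock agreement: replication uses timestamps and Kerberos rejects peers whose clocks disagree. As an added example (not part of any post on this page), the Python below parses text in the style of `w32tm /monitor` output and flags domain controllers whose offset from the reference clock exceeds the Kerberos default tolerance of 5 minutes. The host names, addresses, offsets and function names are constructed for illustration.

```python
import re

# Kerberos default clock-skew tolerance: the "Maximum tolerance for computer
# clock synchronization" policy defaults to 5 minutes.
MAX_SKEW_SECONDS = 300.0

# Constructed sample modelled on `w32tm /monitor` output; host names,
# addresses and offsets are invented for illustration.
SAMPLE_MONITOR_OUTPUT = """\
dc1.corp.example *** PDC ***[10.0.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.corp.example
        Stratum: 1
dc2.corp.example[10.0.0.11:123]:
    ICMP: 1ms delay
    NTP: -0.0412345s offset from dc1.corp.example
        Stratum: 2
testdc.crmtest.corp.example[10.0.0.50:123]:
    ICMP: 1ms delay
    NTP: +63072000.1234567s offset from dc1.corp.example
        Stratum: 1
"""

HOST_RE = re.compile(r"^(\S+?)(?:\s+\*\*\* PDC \*\*\*)?\[[^\]]+\]:\s*$")
OFFSET_RE = re.compile(r"^\s+NTP:\s*([+-]?\d+(?:\.\d+)?)s offset")

def parse_offsets(text):
    """Return {host: offset_seconds}; hosts with no numeric offset are skipped."""
    offsets, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = OFFSET_RE.match(line)
        if m and host:
            offsets[host] = float(m.group(1))
    return offsets

def skewed_hosts(offsets, max_skew=MAX_SKEW_SECONDS):
    """Hosts whose clock differs from the reference by more than max_skew."""
    return sorted(h for h, off in offsets.items() if abs(off) > max_skew)

if __name__ == "__main__":
    for host, off in parse_offsets(SAMPLE_MONITOR_OUTPUT).items():
        state = "OUT OF TOLERANCE" if abs(off) > MAX_SKEW_SECONDS else "ok"
        print(f"{host:32} {off / 86400:+10.2f} days  {state}")
```

Any host this reports as out of tolerance is a candidate for moving to an isolated forest or a standalone server, as the answers suggest.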