Ehhh...
Okay, I see that people are missing the point that I tried to explain. The problem is the precedent! When you open a precedent you're (probably) opening a "door" to problems (for those that work in medium/large systems, they know what I mean). IMO DCs shouldn't go out to the public; it doesn't matter if it is only because the PDCe needs to sync the time with a reliable external time source, or the importance that the Time service has in an Active Directory hierarchy. In medium, large systems that can be the argument to open other things that might be considered low risk value in terms of security and valuable in terms of internal functionality.

What this means is, is the time service important to Kerberos? Yes. Is time sync important to Active Directory? Absolutely. Will Active Directory stop working if the PDCe doesn't sync its time with an external source? No way. Is it important to have the correct and most accurate time inside your system? Of course, you don't want to issue documents to your clients with the incorrect time. Hum... What is more important: to have the most accurate time in your internal/external systems, or to protect your DCs from external time sources? THEY'RE BOTH IMPORTANT!!! :)

How to solve this? For those of you who can afford it, create/expose a dedicated "Box" with one or more external/internal/reliable time servers and sync your PDCe from there. Keep in mind that in some companies, time is very, very, very important, and their applications can't afford to have the 5 minutes skew that Kerberos has configured by default. So how do they solve this problem? They spend huge amounts of money on boxes and applications that are smart enough to sync, compare, calculate and issue the exact/correct time to their systems; in some scenarios this can be done at the second :)

Conclusion of all threads:
- Is the best option to have the PDCe sync with external time sources? Probably not.
- Is the Linksys a crappy router? Yes (just kidding, it's worse than that :)).
- What does Paul's router do? Mushroom cheese steak, cheese fries, and a vanilla milkshake.


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Ace Fekay [MVP-DS, MCT]" <[email protected]> wrote in message news:[email protected]...
"Richard B. Gilbert" <[email protected]> wrote in message news:[email protected]...
Rob wrote:
Jonathan de Boyne Pollard <[email protected]> wrote:

We use one of our data centers' internal default gateway (Router).
Everything feeds off of that.
It had best work well. It was $100K +.

So what benefit is that $100K extra stratum gaining you? It has to be more than just splitting the UDP/IP path to the lower stratum servers in twain. But it's not reliability, because if your router goes down it still takes your NTP server with it. So what is it? Do you perhaps

The big advantage of such a setup is that all your systems will agree
on the same time.  Locally you have short roundtrip time variations so
the polls of the local NTP server have small jitter and are not affected
by the loading of the internet link.

It is usually more important that all systems have the same time, than
that this time is very accurate.

If you can get all systems to agree on the time it's usually no more difficult to get them to agree on the *correct* time! The rock solid "beat" of a GPS is easy for most clocks to march to!



Wait a sec, all systems *agree* on a time? It's not a political election process with time management in an AD infrastructure. The PDC Emulator in the forest root is the time source for a forest. There is no Klingon dissension to take over. :-) Just sync that guy, and if it is off, everything else will be. Nothing to agree or disagree on among machines.

Ace




_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
