On 2015-02-17 10:42, [email protected] wrote:
Currently, my employer has a single AD domain where devices joined to it get their time via the domain server. However, we are looking at starting to configure some of these devices to get their time via NTP. My concern here is if there is a sufficiently significant time differential between the devices getting their time via NTP and services that get their time via AD that those services might just break. I'm talking about services such as NetBIOS (WINS, SMB), LDAP and SSL. I'm familiar with Kerberos' default permitted time differential of 5 minutes.
All Windows domains get their time from the Primary Domain Controller Emulator. Set up your PDCe to get its time from your best NTP servers every 1024 seconds, and set up your DCs, servers, and clients to get time from their DCs every 1024s; you can set this up with GPOs as documented on MSDN and MS Technet.

Run NTP, synced to your best NTP servers, on any systems which are not in your domain and which provide services.

You can schedule Windows ntpdate on your DCs and other domain servers to query the offset and delay between them and your best NTP servers to ensure they stay within your required bounds: suggest max 128ms offset as that is the maximum NTP corrects without stepping, lower if all your servers show lower offsets.

-- 
Take care. Thanks, Brian Inglis

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
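As an added example (not part of the list thread), a small Python check in the spirit of the scheduled offset monitoring Brian describes: it parses the per-probe lines that `w32tm /stripchart` and `ntpdate -q` print (line formats assumed from those tools' usual output; the sample lines below are constructed) and flags any probe whose measured offset exceeds the 128 ms step threshold, with the round-trip delay kept alongside because a probe's offset is only trustworthy to within about half its delay.

```python
import re
from dataclasses import dataclass
from typing import List

# Offsets above this are stepped rather than slewed by the reference NTP
# implementation; the reply suggests it as the maximum acceptable offset.
STEP_THRESHOLD_MS = 128.0

@dataclass
class Sample:
    source: str       # probe timestamp (w32tm) or server address (ntpdate)
    offset_ms: float  # local clock minus reference, milliseconds
    delay_ms: float   # round-trip delay to the reference, milliseconds

# Assumed "w32tm /stripchart" probe line: "10:42:01, d:+00.0021000s o:+00.0034000s  [ * ]"
W32TM_RE = re.compile(
    r"^\s*(?P<src>\d{2}:\d{2}:\d{2}),\s*d:(?P<delay>[+-]\d+\.\d+)s\s*o:(?P<offset>[+-]\d+\.\d+)s")
# Assumed "ntpdate -q" line: "server 192.0.2.10, stratum 2, offset 0.003400, delay 0.02100"
NTPDATE_RE = re.compile(
    r"^server\s+(?P<src>\S+),\s*stratum\s+\d+,\s*offset\s+(?P<offset>[+-]?\d+\.\d+),\s*delay\s+(?P<delay>\d+\.\d+)")

def parse_samples(text: str) -> List[Sample]:
    """Extract offset/delay pairs from either tool's output; other lines are ignored."""
    samples = []
    for line in text.splitlines():
        m = W32TM_RE.match(line) or NTPDATE_RE.match(line)
        if m:
            samples.append(Sample(m["src"], float(m["offset"]) * 1000.0, float(m["delay"]) * 1000.0))
    return samples

def out_of_bounds(samples: List[Sample], max_offset_ms: float = STEP_THRESHOLD_MS) -> List[Sample]:
    """Probes whose absolute offset exceeds the bound (the condition to alert on)."""
    return [s for s in samples if abs(s.offset_ms) > max_offset_ms]

def worst_case_error_ms(samples: List[Sample]) -> float:
    """Largest |offset| + delay/2 seen: a conservative bound on how far off the clock may be."""
    return max((abs(s.offset_ms) + s.delay_ms / 2.0 for s in samples), default=0.0)

# Constructed sample output: one in-bounds probe and one that breaches 128 ms in each format.
SAMPLE_W32TM = """\
Tracking ntp1.example.net [192.0.2.10:123].
The current time is 17/02/2015 10:42:01.
10:42:01, d:+00.0021000s o:+00.0034000s  [       *        ]
10:42:03, d:+00.0019000s o:+00.1500000s  [         *      ]
"""
SAMPLE_NTPDATE = """\
server 192.0.2.10, stratum 2, offset 0.003400, delay 0.02100
server 192.0.2.11, stratum 2, offset -0.210000, delay 0.02300
"""

if __name__ == "__main__":
    for text in (SAMPLE_W32TM, SAMPLE_NTPDATE):
        for s in out_of_bounds(parse_samples(text)):
            print(f"ALERT {s.source}: offset {s.offset_ms:+.1f} ms exceeds {STEP_THRESHOLD_MS:.0f} ms")
```

In production the text would come from running the tool on each DC or domain server on a schedule; the parsing and the threshold logic stay the same.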
