asked on

Kerberos and NTP Server

Few questions need to be answered :-

1) if our PDC ( Primary Domain Controller ) never configure as NTP Server, can Kerberos
authentication work in domain environment ?

2) From http://support.microsoft.com/kb/816042 link said that , if we configure our PDC based
on Internet Source, the authentication wouldn't work ????
How about if it is reliable Internet Source ??

Above microsoft link is advised us to use own PDC internal clock ?? Am I right ?

sfossupport

It depends on how good the time on your machine with the fsmo role of pdc. Kerberos is very picky about time and you have about 5 minutes of variation. The 2 biggest problems
on AD are DNS and time. If these work you are normally in pretty good shape. Just point your pdc to an internet time server

Net time /setsntp:<ntpserver> where ntpserver is one of the following.

http://support.microsoft.com/kb/262680

All your domain clients should get there time from the pdc emulator.

Good luck

kcn

ASKER

Hi ,

If we never configure NTP servive on DC , the the Kerberos cannot work properly , Am I right ??

I just want to know without NTP Service in DC , the Kerberos become no meaning ???

thabash

read this for better explanation
http://www.cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#intro-ntp

you can configiure the DC timing useing its internal clock
and then all workstations and other servers will got the timing from the server

ASKER CERTIFIED SOLUTION

sfossupport

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

kcn

ASKER

Any further comment before I assign point .

Thanks .

kcn

ASKER

If the PDC has accurate own internal clock but the clients that access PDC do not have accurate internal clock then even kerberos issue tickets to clients but the original good security feature like play back attack will be compromised .. ==> Am I right ???

kcn

ASKER

Not completely be answered