kcn
asked on
Kerberos and NTP Server
Few questions need to be answered :-
1) if our PDC ( Primary Domain Controller ) never configure as NTP Server, can Kerberos
authentication work in domain environment ?
2) From http://support.microsoft.com/kb/816042 link said that , if we configure our PDC based
on Internet Source, the authentication wouldn't work ????
How about if it is reliable Internet Source ??
Above microsoft link is advised us to use own PDC internal clock ?? Am I right ?
1) if our PDC ( Primary Domain Controller ) never configure as NTP Server, can Kerberos
authentication work in domain environment ?
2) From http://support.microsoft.com/kb/816042 link said that , if we configure our PDC based
on Internet Source, the authentication wouldn't work ????
How about if it is reliable Internet Source ??
Above microsoft link is advised us to use own PDC internal clock ?? Am I right ?
ASKER
Hi ,
If we never configure NTP servive on DC , the the Kerberos cannot work properly , Am I right ??
I just want to know without NTP Service in DC , the Kerberos become no meaning ???
If we never configure NTP servive on DC , the the Kerberos cannot work properly , Am I right ??
I just want to know without NTP Service in DC , the Kerberos become no meaning ???
read this for better explanation
http://www.cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#intro-ntp
you can configiure the DC timing useing its internal clock
and then all workstations and other servers will got the timing from the server
http://www.cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#intro-ntp
you can configiure the DC timing useing its internal clock
and then all workstations and other servers will got the timing from the server
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Any further comment before I assign point .
Thanks .
Thanks .
ASKER
If the PDC has accurate own internal clock but the clients that access PDC do not have accurate internal clock then even kerberos issue tickets to clients but the original good security feature like play back attack will be compromised .. ==> Am I right ???
ASKER
Not completely be answered
on AD are DNS and time. If these work you are normally in pretty good shape. Just point your pdc to an internet time server
Net time /setsntp:<ntpserver> where ntpserver is one of the following.
http://support.microsoft.com/kb/262680
All your domain clients should get there time from the pdc emulator.
Good luck