Changing AD NTP time source and potential Kerberos authentication problems
Posted on 2014-03-04
I have an AD 2008 domain and am in the process of setting up a reliable outside time source (the domain was originally set up without one, other than using the default PDC). As of now, all servers and workstations are synced to the PDC. My intent is to modify the Default Domain Controllers policy to include the following Windows Time service settings:
NTP Server – (outside time source FQDN)
Type – NTP
There are other settings but you get the idea. This should sync all of my DCs in the domain with the settings in the NTP Server. Additionally I was going to create a GPO at the default domain level and set the Type to NT5DS, which uses the domain hierarchy (I know this is the default for workstations and servers in the domain, but doing this should guarantee it).
I have one big concern before I do this, however. Currently the domain PDC is about 13 minutes off of the reliable time source. Once I change the Default Domain to pull the time from the ‘Stratum device’ all of my servers and workstations will be off by 13 minutes. Is this going to cause Kerberos V5 authentication problems with all of my applications?
If I temporarily change the following GPO setting “Maximum tolerance for computer clock synchronization” from the current 5 minutes to say 15 minutes before I make the Time service settings, will this resolve the Kerberos authentication problems until everything eventually syncs up?
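A practical pre-change check for the situation described above is to measure each DC's offset against the external source and flag any DC whose skew already exceeds the Kerberos tolerance, since that is the window clients will have to fall back inside once the hierarchy re-syncs. The following PowerShell script is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module, WinRM access to every DC, and uses `ntp.example.com` as a placeholder for the outside time source.

```powershell
# Added example, not from the original post.
# Assumptions: RSAT ActiveDirectory module installed, WinRM (Invoke-Command) allowed to each DC,
# UDP 123 open from the DCs to the external source, and a placeholder source name.
$NtpSource      = 'ntp.example.com'   # placeholder for the outside Stratum source
$MaxSkewMinutes = 5                   # Kerberos default "Maximum tolerance for computer clock synchronization"

function Get-DcOffsetFromSource {
    param([string]$Dc, [string]$Source)
    # Run w32tm on the DC itself so the number is "DC clock minus external source",
    # not "admin workstation minus source". /dataonly prints "HH:MM:SS, +00.0123456s" lines.
    $lines = Invoke-Command -ComputerName $Dc -ScriptBlock {
        param($s) w32tm /stripchart /computer:$s /samples:3 /dataonly
    } -ArgumentList $Source
    $samples = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $samples) { return $null }   # unreachable source or error lines only
    return ($samples | Measure-Object -Average).Average
}

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $offset = Get-DcOffsetFromSource -Dc $dc -Source $NtpSource
    [pscustomobject]@{
        DC                  = $dc
        OffsetSeconds       = if ($null -ne $offset) { [math]::Round($offset, 3) } else { 'n/a' }
        ExceedsKerbTolerance = ($null -ne $offset) -and ([math]::Abs($offset) -gt ($MaxSkewMinutes * 60))
    }
}
$report | Format-Table -AutoSize
```

Any DC reported with ExceedsKerbTolerance set to True is one whose clients will be outside the Kerberos skew window the moment the PDC jumps to the external source, which is the case the question asks about.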