Domain membership across a firewall

Bill · Jan 20, 2005

We have successfully joined a Windows 2K professional workstation, to a
domain across a firewall. We noticed in the firewall logs that NTP
(Network Time Protocol) port 123 are being denied.

This doesn't surprise me since all Active Directory domain clients sync
their clocks to the domain both when they join, and periodically to
correct clock drift.

Are there any other down-sides to not allowing NTP traffic, other than
clock drift?

Thank you,
Bill

Guest · Jan 20, 2005

As long as you're not doing any domain services (ie DNS, DHCP) on the machine
connected through the firewall, you shouldn't have any issues.

We do the exact samething here and so far have had no issues for the last 6
to 8 months.

ptwilliams · Jan 22, 2005

If the clock drifts more than ten minutes (I think it's ten it could be
five), by default, then you won't be able to logon, as Kerberos uses
time-stamps for tickets and validity, etc.

I would ensure that you allow w32time to run.

For info. here's a list of Windows' ports:
-- http://support.microsoft.com/?id=832017

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

We have successfully joined a Windows 2K professional workstation, to a
domain across a firewall. We noticed in the firewall logs that NTP
(Network Time Protocol) port 123 are being denied.

This doesn't surprise me since all Active Directory domain clients sync
their clocks to the domain both when they join, and periodically to
correct clock drift.

Are there any other down-sides to not allowing NTP traffic, other than
clock drift?

Thank you,
Bill

Cary Shultz [A.D. MVP] · Jan 22, 2005

Paul,

In Windows 2000 it is five minutes ( by default ). That time skew can be
changed either way, though.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

ptwilliams · Jan 22, 2005

Ah...that does sound more appropriate.

Thanks for clearing that up Cary.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

Paul,

In Windows 2000 it is five minutes ( by default ). That time skew can be
changed either way, though.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

Cary Shultz [A.D. MVP] · Jan 22, 2005

No problem. Glad to be there.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

domain membership	1	May 6, 2004
Firewall settings for non-domain machines	1	Jul 6, 2005
Problem joining XP-Pro to WIN2K domain ldap_bind failure - for the ldap or AD gurus	1	Jul 22, 2004
Migration Question	2	Feb 22, 2005
Brief summary: Windows Server 2003/XP Resource Kit Tools	1	Jan 19, 2004
Can only boot WIN2kpro in Safe Mode	1	Oct 22, 2004
Dump of perfection Test	1	Nov 5, 2003
FWT Newsletter - Weekly - August 23, 2004	6	Sep 2, 2004

Domain membership across a firewall

Bill

Guest

ptwilliams

Cary Shultz [A.D. MVP]

ptwilliams

Cary Shultz [A.D. MVP]

Ask a Question

Similar Threads