NTP : Synching PART OF a non-parent AD domain

[Rice Matters]

SYNCHING PART OF A NON-PARENT W2K AD DOMAIN
==================================
I'm currently doing a study on Network Clock Synching for
a European Manufacturing Company. The network is quite
heterogenous with mostly W2K-Active Directory and HP-UX.
I'm not yet decided on the primary reference clock yet but
I think we'll end up using a GPS receiver.

I'd like to confirm some issues though on Windows 2000 AD.

In brief, the company's forest (F), has its parent domain
(P) based in England. My study focusses on the domain (D)
based in France and which belongs to the same forest (F).
I would like to synchronise part of the machines in domaine
(D) to the GPS receiver.

Bearing in mind the fact that W2K authentication (Kerberos
v5) requires that the host be synchronized to the domain
(P)'s Primary Domaine Controller, is it risky to apply an
external clock reference (GPS) only to the domain(D) ?

I've also read that the Windows time distribution service,
Win32Time, implements SNTP which isn't really suited for a
Manufacturing environment, given the high precision
demands. I'm therefore thinking about installing third-
party NTP software. This means that we'll have to disable
the W32Time service for the machines in the domain(D) that
we wish to synchronize. Does this have any impact on
Kerberos' requirements?

Anyone got any ideas on the kind of software that i should
use?

Thank you

 

[Anders]

Bearing in mind the fact that W2K authentication (Kerberos
v5) requires that the host be synchronized to the domain
(P)'s Primary Domaine Controller,

Not quite, it requires that you use a distributed time synch protocol,
exactly which is up to you (AFAIK).
If I understand this correctly, it requires this in order to ensure that
client and server clocks are within 5 minutes of each other.
How you set the clocks is irrelevant.
If the clocks are off by more than five minutes (it is 5, isn't it?),
the authentication will fail. This prevents replay attacks, for example.

Risky?
Not really, IMHO. Depends on your accuracy needs,
doesn't it?

But remember that you can set your domain controllers to
get time from an external source, instead of using the
DC from the forest root domain.
Your workstations will get time from your local domain
controllers.

This means that we'll have to disable
the W32Time service for the machines in the domain(D) that
we wish to synchronize. Does this have any impact on
Kerberos' requirements?

Not that I know. As long as the clocks are set correctly, how you do it
is irrelevant.

But I would think that if you want to use some other time sync software,
I would still make sure it is set to the same time as the forest root domain
PDC emulator. This way, you can skip a couple of layers of the time server
hierarchy, and still be (very probably) in sync with the entire forest.
This assumes that your need is to have your computers in sync with each
other,
and not necessarily synced to exactly correct time.
If the latter is your need, and if the forest root domain time is not set
from some
reliable external source, I would strongly urge you to try to convince the
admins
there to do so. All they have to configure is one machine...

But if kerberos is all you worry about, w32time is probably all you need.

Cheers,
Anders

 

[Guest]

Depending on you budget there's a number of things you could use, such as dedicated devices for supplying a time to synching to a looking at NTP freeware from http://www.ntp.org/ which will allow you to synch your machines to any of a large list of external sources.

See these for more info.
http://www.wilsonmar.com/1clocks.htm
http://www.edu-observatory.org/gps/time.html

Mike.