How it works...

The first of the preceding commands instructs the Windows Time Service to synchronize time with the following sources:

  • europe.pool.ntp.org
  • time.nist.gov
  • 192.43.244.18
  • 193.67.79.202

A mix of DNS names and IP addresses is recommended for the /manualpeerlist parameter: the IP addresses keep time synchronization working when DNS problems occur within the environment, and they also make it harder for a DNS poisoning attack to redirect the domain controller to a rogue time source. However, the IP addresses of public time servers change over time, so they should be checked regularly to make sure they are still time sources.
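To act on that last caveat, the following is an added example that is not part of the recipe or of Microsoft's tooling. It reads the peer list that /manualpeerlist wrote to the Windows Time Service registry key on this domain controller and sends a single SNTP request to each entry, reporting whether the peer answers as a synchronized server, its stratum, and the clock offset. The registry path and the NtpServer value format (space-separated entries with an optional ,0x8-style flag suffix) are the documented W32Time ones; the function names are my own.

```powershell
# Added example (not from the recipe): probe every configured NTP peer with
# one SNTP request and report stratum and clock offset. Run it on the PDCe.

function Get-ConfiguredNtpPeers {
    # /manualpeerlist lands in the NtpServer value as a space-separated list;
    # each entry may carry a ",0x8"-style flag suffix, which is stripped here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name NtpServer).NtpServer
    $raw -split '\s+' | Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] }
}

function ConvertFrom-NtpTimestamp {
    param([byte[]]$Packet, [int]$Offset)
    # NTP timestamps are big-endian: 32-bit seconds since 1900-01-01 UTC,
    # followed by a 32-bit binary fraction of a second.
    $seconds  = 0L
    $fraction = 0L
    for ($i = 0; $i -lt 4; $i++) {
        $seconds  = ($seconds  -shl 8) -bor $Packet[$Offset + $i]
        $fraction = ($fraction -shl 8) -bor $Packet[$Offset + 4 + $i]
    }
    $epoch = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $epoch.AddSeconds($seconds + $fraction / [math]::Pow(2, 32))
}

function Test-NtpPeer {
    param(
        [Parameter(Mandatory)][string]$Peer,
        [int]$TimeoutMs = 3000
    )
    # 48-byte SNTP request: first byte 0x23 = LI 0, version 4, mode 3 (client).
    $request = New-Object byte[] 48
    $request[0] = 0x23

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $result = [ordered]@{ Peer = $Peer; Reachable = $false; Stratum = $null; OffsetSeconds = $null; Error = $null }
    try {
        $udp.Connect($Peer, 123)
        $t1 = [DateTime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$endpoint)
        $t4 = [DateTime]::UtcNow
        if ($reply.Length -lt 48) { throw "short reply ($($reply.Length) bytes)" }

        $li      = ($reply[0] -shr 6) -band 0x3
        $stratum = $reply[1]
        # Stratum 0 (kiss-o'-death) or LI 3 (clock unsynchronized) means the
        # host answers, but is not usable as a time source right now.
        if ($stratum -eq 0 -or $li -eq 3) { throw "peer not synchronized (LI=$li, stratum=$stratum)" }

        $t2 = ConvertFrom-NtpTimestamp $reply 32   # server receive timestamp
        $t3 = ConvertFrom-NtpTimestamp $reply 40   # server transmit timestamp
        # RFC 4330 clock offset: ((T2 - T1) + (T3 - T4)) / 2
        $offset = (($t2 - $t1).TotalSeconds + ($t3 - $t4).TotalSeconds) / 2

        $result.Reachable     = $true
        $result.Stratum       = $stratum
        $result.OffsetSeconds = [math]::Round($offset, 3)
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $udp.Close()
    }
    [pscustomobject]$result
}

# Usage: report every configured peer. An unreachable entry, a stratum 0
# answer, or an offset of more than a few seconds deserves attention.
Get-ConfiguredNtpPeers | ForEach-Object { Test-NtpPeer -Peer $_ } | Format-Table -AutoSize
```

Note that this only confirms that the address still answers as a synchronized NTP server; plain NTP as configured here is unauthenticated, so it cannot tell you that the answering host is the one you intended, which is another reason to revisit the IP addresses regularly.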

The second command stops and then starts the Windows Time Service on the domain controller to make the settings take effect.

Microsoft's recommendation is to have this domain controller, the one holding the PDC emulator (PDCe) FSMO role in the forest root domain, synchronize its internal clock with an external time source, so that the other domain controllers in the forest root domain can synchronize their clocks with its clock. The domain controllers holding the PDCe FSMO role in the additional domains throughout the forest synchronize their clocks with the forest root PDCe, and the remaining domain controllers in those domains synchronize with their own domain's PDCe, so that eventually other servers, networking appliances, and client devices can synchronize their clocks with a domain controller.
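This hierarchy can be checked rather than assumed. The following is an added example that is not part of the recipe; it uses the ActiveDirectory module and w32tm /query /source, both used here as documented, to classify the source each domain controller reports. The function names and the expectation logic are my own, and matching the English output strings of w32tm is an assumption about the locale of the domain controllers.

```powershell
# Added example (not from the recipe): verify the forest time hierarchy.
# Needs the ActiveDirectory module (RSAT) and the right to run w32tm queries
# against each domain controller remotely.
Import-Module ActiveDirectory

function Get-DcTimeSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    # w32tm prints the current source on one line, e.g. "time.nist.gov,0x8",
    # "dc01.corp.example.com" or "Local CMOS Clock" (English strings assumed).
    $out = & w32tm.exe /query /source /computer:$ComputerName 2>&1
    ($out | Out-String).Trim()
}

function Test-ForestTimeHierarchy {
    $forest  = Get-ADForest
    $rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

    # Enumerate every DC in the forest first, so that a reported source can be
    # classified as "another domain controller" or "external".
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    $dcNames = @{}
    foreach ($dc in $dcs) { $dcNames[$dc.HostName.ToLowerInvariant()] = $true }

    foreach ($dc in $dcs) {
        $source     = Get-DcTimeSource -ComputerName $dc.HostName
        $sourceHost = ($source -split ',')[0].Trim().ToLowerInvariant()
        $sourceIsDc = $dcNames.ContainsKey($sourceHost)
        # A local or hypervisor-provided clock means the DC follows no upstream
        # source at all, which is never what the hierarchy intends.
        $sourceIsLocal = $source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider'
        $isRootPdce = $dc.HostName -eq $rootPdc

        if ($isRootPdce) {
            $role = 'ForestRootPDCe'
            # Expectation: an external peer, neither another DC nor the local clock.
            $asExpected = (-not $sourceIsDc) -and (-not $sourceIsLocal)
        } elseif ($dc.OperationMasterRoles -contains 'PDCEmulator') {
            $role = 'DomainPDCe'
            # Should follow a DC in the forest root domain; this only checks
            # that the source is some domain controller.
            $asExpected = $sourceIsDc
        } else {
            $role = 'DC'
            # Should follow its own domain's PDCe; same simplification.
            $asExpected = $sourceIsDc
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            Role             = $role
            Source           = $source
            AsExpected       = $asExpected
        }
    }
}

# Usage: any row with AsExpected = False is a DC that has dropped out of the
# hierarchy (or an access error, which shows up in the Source column).
Test-ForestTimeHierarchy | Sort-Object Domain, Role | Format-Table -AutoSize
```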

Under normal circumstances, Active Directory is fairly forgiving about time differences. For Kerberos authentication, a time difference of up to five minutes between a client and the domain controller is acceptable by default (the Maximum tolerance for computer clock synchronization setting in the default domain policy). However, when domain controllers resolve conflicting changes to the same object or attribute, the time stamp of the change acts as a tie-breaker: the change with the highest version number wins, and between changes with the same version number, the one with the latest time stamp wins. A domain controller with a clock that runs behind can therefore have its changes silently overwritten by older ones.