The time stuff really isn't a terrible burden; a single Exchange server at idle beats a DC more than time syncing does. Probably the hardest hit DCs would be the local DCs, as all of the clients authenticating against them are also hitting them for time, and the auth is far more burdensome than the time sync is.

In one of the larger orgs I was in (~250k users, ~400 DCs) the original dictate was that all machines would use the Cisco routers for the time because they were the "official" time source of the company and were all supposed to be correct all of the time for various network purposes. We found this to be incorrect and troublesome; time could deviate from seconds to minutes, and in one case a router was misconfigured and off by exactly 24 hours somehow. Obviously this isn't an issue everyone will have, but it is a possible issue because you are taking maintenance of the time out of your own hands.

After switching to using the internal Windows forest hierarchy, time became a non-issue. Skew was measured in seconds at the most unless there was a hardware problem, which means no time source could help. I have an app I wrote back in about 2000 or so called ADTD which did a simple check of time deltas between DCs via rootDSE queries and would send the delta in seconds to errorlevel (also to the screen if you wanted) so it could easily be used in batch files and scripts. I had a script that used it and watched all of the DCs, and I believe it warned on anything outside of 3 seconds deviation from the forest root PDC. Running that as a test is when I finally decided once and for all we weren't going to follow the corporate time policy anymore and instead sync everything eventually back to the forest root PDC.

All that to say that I much prefer to use the Windows forest time hierarchy than work up something else; I have had no issues with it in the org above as well as when working with other smaller companies (but still Fortune 50 sized).

To the OP: I recommend you pick a source you trust, be it routers in your corporate datacenter or an external "national" clock or a hardware device or even some PC you hand check the time on yourself every day, and ANY machines that can become the forest root PDC get the same hard configuration to point at that or those clocks.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
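The following is an added example, written for this page; it is not code from the thread, from joe's ADTD tool, or from Microsoft. It covers the two practical points raised above and in the original question: an ADTD-style skew check that reads currentTime from each DC's RootDSE and compares it with the forest root PDC emulator (warning past 3 seconds, the threshold joe mentions), and the hard configuration joe recommends for any DC that could hold the forest-root PDC role, done with w32tm. Assumptions: the RSAT ActiveDirectory module is present, the caller can read RootDSE on every DC, and the peer names ntp1.corp.example and ntp2.corp.example are placeholders for whatever clocks you decide to trust.

```powershell
<#
  Added example, not from the thread or from ADTD.
  1. Test-DcTimeSkew: read RootDSE currentTime from every DC in the forest and
     report the delta from the forest root PDC emulator.
  2. Set-PdcCandidateTimePeers: on a DC that can become the forest-root PDC,
     point W32Time at trusted peers instead of the domain hierarchy.
  Assumed: RSAT ActiveDirectory module installed; peer names are placeholders.
#>
param(
    [string[]]$TrustedPeers = @('ntp1.corp.example', 'ntp2.corp.example'),  # placeholders
    [int]$WarnSeconds = 3,          # joe's script warned past 3 s from the root PDC
    [switch]$ConfigureLocalPeers    # only use this when run ON a PDC-capable DC
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcUtcTime {
    # RootDSE currentTime is generalized time in UTC, e.g. 20060315101103.0Z,
    # with whole-second resolution, so sub-second skew is not visible this way.
    param([Parameter(Mandatory)][string]$DcName)
    $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
    $raw = [string]$rootDse.currentTime
    [DateTime]::ParseExact($raw, "yyyyMMddHHmmss'.0Z'",
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
}

function Test-DcTimeSkew {
    param([string[]]$DcNames, [string]$ReferenceDc, [int]$WarnSeconds)
    # Read the reference clock once, then age it with a local stopwatch so each
    # DC is compared against what the PDC's clock should read at query time.
    $sw = [Diagnostics.Stopwatch]::StartNew()
    $refTime = Get-DcUtcTime -DcName $ReferenceDc
    foreach ($dc in $DcNames) {
        try {
            $dcTime   = Get-DcUtcTime -DcName $dc
            $expected = $refTime.AddMilliseconds($sw.ElapsedMilliseconds)
            $delta    = [math]::Round(($dcTime - $expected).TotalSeconds)
            $status   = 'OK'
            if ([math]::Abs($delta) -gt $WarnSeconds) { $status = 'WARN' }
            [pscustomobject]@{ DC = $dc; DeltaSeconds = $delta; Status = $status }
        } catch {
            # A DC that cannot be queried is reported, not silently skipped.
            [pscustomobject]@{ DC = $dc; DeltaSeconds = $null; Status = "ERROR: $($_.Exception.Message)" }
        }
    }
}

function Set-PdcCandidateTimePeers {
    # Hard-configure W32Time: manual peers (0x8 = client mode), stop following the
    # domain hierarchy, and advertise this DC as a reliable time source.
    param([string[]]$Peers)
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /nowait
    w32tm /query /source        # should now name one of the peers, not another DC
}

# The forest root PDC emulator is the top of the default W32Time hierarchy.
$rootDomain = (Get-ADForest).RootDomain
$rootPdc    = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$allDcs     = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

Test-DcTimeSkew -DcNames $allDcs -ReferenceDc $rootPdc -WarnSeconds $WarnSeconds |
    Format-Table -AutoSize

if ($ConfigureLocalPeers) { Set-PdcCandidateTimePeers -Peers $TrustedPeers }
```

Run the skew check from any management host on a schedule; run it with -ConfigureLocalPeers only on DCs that could end up holding the forest-root PDC role, since a non-PDC DC configured with syncfromflags:manual no longer follows the domain hierarchy. Two caveats: a time policy in the Default Domain Controllers GPO overrides anything w32tm /config sets, so check Group Policy first, and the check measures a whole-second delta over the network, so treat a 1 second result as noise and only act on values past the threshold.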
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 15, 2006 5:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Configuring PDC Emulator for time source
FWIW: I prefer to sync *all* DCs in the forest with an auth time source. This implies less burden on and less dependency on the (root domain) PDC. I work at larger orgs that have internal auth time sources, which are synced from external auth time sources.
In a financial institution, this should also mean less time skew for the clients, since the time hierarchy is flatter than it would be in the default scenario.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: 15 March 2006 10:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Configuring PDC Emulator for time source
Hi,
I have been looking into configuring the Windows Time Source on our PDCe:
http://technet2.microsoft.com/WindowsServer/en/Library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx
How does everyone else configure their corporate environment? Do you use hardware time clocks? Are there any security risks with the link provided above?
What would the impact be if our PDCe is not already configured?
Thanks,
James Carter