A: Windows AD needs timestamps for resolving AD replication conflicts and for Kerberos authentication. Kerberos uses them to protect against replay attacks, where an authentication packet is intercepted on the network and then resent later to authenticate on the original sender's behalf. When a Windows server receives a Kerberos authentication request, it compares the timestamp in the request to its local time. If the difference between the local time and the timestamp is too big, the authentication request is rejected and Kerberos authentication fails.

The allowed time skew can be configured using the Maximum tolerance for computer clock synchronization GPO setting (located in the Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy GPO container). It determines the maximum time skew (in minutes) that Windows will tolerate between client and server clocks in a Windows Kerberos environment. Setting the time skew too high creates a higher risk for replay attacks.

The service responsible for time synchronization between Windows clients and AD domain controllers (DCs) is the Windows Time service (W32time.exe). All Windows machines, starting with Windows 2000 and Windows XP, have the W32time service installed by default. The time service automatically performs time synchronization at machine startup and at regular intervals (by default, every 8 hours).

In an AD forest, the machines use a time hierarchy that follows these rules: All client machines and member servers use their authenticating DC for time synchronization. All DCs in the same domain use the DC that holds the primary domain controller (PDC) emulator Operations Master role as their DC for time synchronization. In an AD domain hierarchy, the PDC emulator DC of a child domain synchronizes time with the PDC emulator in its parent domain. The PDC emulator DC in the root domain of the AD forest is the authoritative time source for the forest.

The PDC emulator can also be manually set to synchronize with a time source on the Internet. Many organizations rely on an external time source for time synchronization. In organizations that have a Windows forest that is geographically spread out, it is recommended to configure an external time source for each region instead of using a single time source for the entire forest.

Microsoft provides two tools to configure and diagnose the Windows Time service: net time and w32tm. Both tools allow you to configure the time hierarchy to use the Windows defaults (as explained above) or to use specially designated time servers. Net time can be used to configure the time service and the synchronization hierarchy.
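As an added example (not part of the original answer), a PowerShell check of where a member machine is currently syncing from and how far its clock is from the domain's PDC emulator, measured against the Kerberos skew limit described above. It assumes a domain-joined host with w32tm.exe and NTP (UDP 123) reachability to the PDC emulator; the 5-minute default is the Kerberos policy default for the GPO setting named above, and the script parameters are my own naming.

```powershell
# Added example, not from the original page: report the local W32time source and the
# clock offset against the domain's PDC emulator, then compare it to the Kerberos limit.
# $MaxSkewMinutes should match "Maximum tolerance for computer clock synchronization"
# in your Kerberos Policy GPO (Windows default: 5 minutes).
param(
    [int]$MaxSkewMinutes = 5,
    [int]$Samples = 3
)

# The PDC emulator of the local domain is the top of the in-domain time hierarchy.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc = $domain.PdcRoleOwner.Name

# What this machine is syncing from (for a member, normally its authenticating DC).
$source = (w32tm /query /source) -join ''
Write-Host "Local time source : $source"
Write-Host "PDC emulator      : $pdc"

# /stripchart /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s".
$raw = w32tm /stripchart "/computer:$pdc" "/samples:$Samples" /dataonly
$offsets = foreach ($line in $raw) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) { throw "No NTP samples returned from $pdc; check UDP/123 reachability." }

# Kerberos compares |client time - server time| to the limit, so use the worst sample.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
$limit = $MaxSkewMinutes * 60
Write-Host ("Worst offset vs PDC: {0:N3}s (limit {1}s)" -f $worst, $limit)

if ($worst -ge $limit) {
    Write-Warning "Clock skew exceeds the Kerberos tolerance; authentication to DCs will fail. Run 'w32tm /resync'."
    exit 1
}
elseif ($worst -ge ($limit / 2)) {
    Write-Warning "Clock skew is over half the Kerberos tolerance; inspect the hierarchy with 'w32tm /query /status'."
}
else {
    Write-Host "Clock skew is within the Kerberos tolerance."
}
```

Run it on a DC as well: the offset there should be small relative to the parent-domain PDC emulator or the configured external source.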