How do you let XP us automatic time updates while still on a domain?

[Intelman07]

If that is absolutely not possible how do you setup a time server and or whats a good time server.

 

[SaigonK]

Originally posted by: Intelman07
If that is absolutely not possible how do you setup a time server and or whats a good time server.

XP should be able to go where it wants for time updates...wether in a domain or not.
YOu need to setup AD to get your machines to time sync to it, or setup a time server on Linux or something similar.

 

[SoulAssassin]

XP will automatically sync time with a DC assuming your running AD. If you' haven't configured time services yet run:

net time /setsntp: ip address

on the PDC emulator and everything else should fall in line. I usually use one of the Navy's time servers but it really doesn't matter although I would stay away from M$'s time servers. I've heard stories of them being up to 7 minutes off.

 

[Intelman07]

What is DC and AD?

 

[Nosaj]

Originally posted by: Intelman07
What is DC and AD?

DC=Domain Controller
AD=Active Directory

 

[Intelman07]

Well i found this article here and it says to do what you described...but i want to make sure i did this right. I did "net time /setsntp:192.5.41.209" at my domain controller. Then i did net time /your domain name /set on a workstation plus those following commands is that all there is to it?

 

[mikecel79]

If your on an Active Directory domain leave your time alone! The time is automatically synched with your domain controller when it initiates the secure channel to the domain controller. It syncs the time because it is part of your Kerberos ticket. By default if your workstation time is off by more than 5 minutes (I think it's 5 minutes maybe 2) you won't be able to authenticate.

If your the admin for this domain first do some reading on domains and then just set the time on your DC and your workstations will synch automatically.

 

[stash]

The time is automatically synched with your domain controller when it initiates the secure channel to the domain controller. It syncs the time because it is part of your Kerberos ticket. By default if your workstation time is off by more than 5 minutes (I think it's 5 minutes maybe 2) you won't be able to authenticate

Yeah, this is mostly right. The default skew time is in fact 5 minutes. This is done to prevent ticket acceptance attacks, where a user can cause a Kerberos server to accept a ticket that has expired, and thus be authenticated. However, if the time listed in the client's ticket does not fall within the acceptable skew time, the client will use the time returned by the server to compensate. This doesn't actually change the client's time, but it changes the time in the ticket sent to the server. This allows a client to authenticate to server in different domains that have different times without having to resync the clock. A client can attempt to reauthenticate four times after receiving the skew error.

The default skew of 5 minutes is also used to prevent replay attacks, where someone captures a ticket and uses it to authenticate. If the Kerberos server (the DC) receives any tickets during the five minutes that have a timestamp that is identical or earlier to the previous message sent by the client, it will not authenticate.

The five period is adjustable by changing the domain security policy.

But yeah, it's not necessary to set a time server using the 'net time /setsntp: ' command on a client. It will automatically sync with a DC. When a machine starts up, it will attempt to sync the time every 45 minutes until it successfully syncs three consecutive times. Then it will sync every eight hours.

 

[SoulAssassin]

Originally posted by: STaSh

But yeah, it's not necessary to set a time server using the 'net time /setsntp: ' command on a client. It will automatically sync with a DC. When a machine starts up, it will attempt to sync the time every 45 minutes until it successfully syncs three consecutive times. Then it will sync every eight hours.

Yup. Generally speaking time services are a fire and forget operation, set the time server on the PDC emulator and everything else falls in line down the river.