Hi,
On 02.11.2017 at 15:21, mj via samba wrote:
> So, as a minimum, you *have* to configure the DC with the PDC Emulator
> role as a time source (config according to the wiki page) and your
> clients will sync with it.
>
> Doing this is mandatory.
The domain works without a time source. However, it is recommended that
all DCs and domain members synchronize their time. If the time of your
DCs/servers/clients differs more than 5 minutes, access is denied. For
details, search for Kerberos + replay attack.
> And your other two options are:
>
> 1) configure (and enable) the default settings with a GPO, in which case
> windows will sync with time.windows.com,0x9
> or
>
> 2) use your own DCs as time source, in which case some DCs (or all of
> them) have to be configured according to the aforementioned page.
You can use any NTP server even without signing. You just need to append
the right flags to the NTP server name in the GPO.
> If you choose this option 2, it might be a good idea to include in the
> wiki page that it is possible to use MULTIPLE DCs as time source, and
> you need to space-separate them.
I added the information.
> Alternatively, perhaps it is clever to use the samba domain dns name, as
> that should also give you all DCs, and thus redundancy..?
I think this should not be recommended. Not all DCs may have an NTP
service configured.
If I am correct, then Windows tries the first entry of the list, then
the second, ... However, if you set the domain name, then this is only
one entry. Windows clients would only try the first IP that is returned.
If this fails, the NTP client won't try others in this round, because
there is only one entry (even if it resolves to multiple IPs).
Anyway, this is an advanced usage and users who are interested in more
details, should look at the MS documentation. In our docs, we should
focus on our software, and not document other companies' software in
detail. :-)
Regards,
Marc
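As an added example that is not part of this thread (and not taken from the Samba wiki page referred to above): the manual peer configuration Marc describes, applied with w32tm on a Windows domain member, listing two DCs space-separated with a flags suffix, then checking the clock offset against the Kerberos skew limit. The host names dc1.example.com and dc2.example.com are placeholders.

```powershell
# Added example (not from the thread): point a Windows domain member at two
# DCs as plain, unsigned NTP peers. The same string goes into the NtpServer
# field of the GPO "Configure Windows NTP Client", with Type = NTP.
#
# Flags appended to each host name (from the Windows Time NtpServer format):
#   0x1 = SpecialInterval   poll at SpecialPollInterval instead of the default
#   0x2 = UseAsFallbackOnly query this peer only if the others fail
#   0x8 = Client            plain client mode
#   0x9 = 0x8 + 0x1         the value the default GPO uses for time.windows.com
# Host names are placeholders; run in an elevated PowerShell session.
$peers = 'dc1.example.com,0x8 dc2.example.com,0x8'

# Type MANUAL uses this peer list; the domain default NT5DS follows the domain
# hierarchy and expects signed NTP replies, which is why unsigned servers need
# the manual mode plus flags instead.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:MANUAL /update
Restart-Service w32time
w32tm /resync /nowait

# Verify the stored peer list, which peer is active, and the current source.
w32tm /query /configuration
w32tm /query /peers
w32tm /query /status

# Kerberos rejects tickets when clocks differ by more than 5 minutes (default
# skew limit), so confirm the offset to a DC is far below that. /dataonly
# prints one "time, offset" line per sample.
w32tm /stripchart /computer:dc1.example.com /samples:3 /dataonly
```

If the stripchart offset is close to the 5-minute limit, fix the clock before investigating Kerberos "access denied" errors, since those follow directly from the skew.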