\n
\u201cThe only reason for time is so that everything doesn’t happen at once.\u201d<\/a><\/strong><\/p>\n At work, I have an integrated authentication system based on Windows Active Directory.\u00a0 All clients, Linux, Unix, and Windows, use Active Directory for user names and passwords.\u00a0 Active Directory is actually a good implementation of Kerberos.\u00a0 It does pretty good LDAP as well.\u00a0 I used some of Scott Lowe’s interoperability blog recipes to get this to work<\/a>, namely this post for Linux<\/a>, and this one for Solaris<\/a>.<\/p>\n One requirement for a reliable Kerberos service is that every clock on every participating machine has to be synchronized.\u00a0 By default Windows domain controllers act as Network Time Protocol (NTP) servers, and Windows clients know to sync with them.\u00a0 We configure our Linux and Unix machines to use them as well.<\/p>\n There’s some issues with using Windows domain controllers as NTP servers…<\/p>\n namely, that their time service was designed to just be “good enough” to keep the clocks within the 5 minutes required for Kerberos. \u00a0By default, they sync with time.microsoft.com, which isn’t particularly accurate<\/a>.<\/p>\n I’m not just talking smack about Microsoft, that’s what they themselves say.<\/a> So the real issue is getting the first domain controller (not called the primary domain controller any more, but in the case of NTP anyway, it still acts like a PDC) set to get its time from an authoritative source.\u00a0 By default, on our Windows 2008 domain controller, it seems to use its hardware clock, which wanders around all over the place, time wise.\u00a0 The rest of the domain controllers by default sync against the first one.<\/p>\n The real solution is to get some Windows friendly hardware attached to the first domain controller, that really does sync with a reliable time source, like the GPS satellites.\u00a0 Where I used to work I bought a actual stratum one time source like this one from Symmetricom<\/a>.\u00a0 <\/span>It worked fine.<\/p>\n So the basic idea is to get the first domain controller (PDC) to sync reliably to a network time source, like 0.us.pool.ntp.org.\u00a0 Then the other domain controllers will be OK.\u00a0 All clients should be pointed at the domain controllers for their time.\u00a0 Micrsoft has lots of Technet articles on this like this one for 2008<\/a>.<\/p>\n Supposedly on the “PDC” (well, first domain controller, anyway) then run this command in a command window as an admin:<\/p>\n I’m not clear if this “sticks”, that is, stays set after a reboot, or if it actually reliably keeps the domain controller synced to “real” time.\u00a0 I’ll update this post as I try it in real life.<\/p>\n On linux clients, \/etc\/ntp.conf should have:<\/p>\n A happy linux client should look something like:<\/p>\n -bash-3.2$ \/usr\/sbin\/ntpq -p dc1 is listed as stratum 1 (st 1) which means that it is the authoritative time source (and is considered atomic clock accurate). \u00a0We are lying, as dc1’s’s reference is “LOCL” which means its own hardware clock, which is some silly Dell BIOS clock, not a real time standard. \u00a0Oh well.<\/p>\n dc2 and dc3 are listed a stratum 2, who reference dc1.<\/p>\n The “offset” is the amount of milliseconds that your server’s clock varies from the source. \u00a033 milliseconds isn’t so bad.<\/p>\n So to recap: Make sure esx servers are set to PDC time. Make sure client machines are set to PDC time: Make sure Solaris servers are set to PDC time: \u201cThe only reason for time is so that everything doesn’t happen at once.\u201d At work, I have an integrated authentication system based on Windows Active Directory.\u00a0 All clients, Linux, Unix, and Windows, use Active Directory for user names and passwords.\u00a0… Continue Reading
\n“Windows Time service is not an exact implementation of the Network Time Protocol (NTP)…”<\/p>\nnet time \/setsntp:\"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org\"\r\n<\/span><\/pre>\nserver dc1.yourdomain.com<\/pre>\n
server dc2.yourdomain.com<\/pre>\n
server dc3.yourdomain.com<\/pre>\n
\nremote\u00a0\u00a0\u00a0\u00a0 refid\u00a0\u00a0\u00a0 st t when poll reach\u00a0\u00a0 delay\u00a0\u00a0 offset\u00a0 jitter
\n=================================================================
\ndc1.yourd .LOCL.\u00a0\u00a0\u00a0\u00a0 1 u\u00a0\u00a0 13\u00a0\u00a0 64\u00a0 377\u00a0\u00a0\u00a0 1.131\u00a0\u00a0 33.984\u00a0 10.680
\ndc2.yourd dc1.yourd\u00a0 2 u\u00a0\u00a0 24\u00a0\u00a0 64\u00a0 377\u00a0\u00a0\u00a0 0.994\u00a0\u00a0\u00a0 4.629\u00a0\u00a0 8.372
\ndc3.yourd dc1.yourd\u00a0 2 u\u00a0\u00a0 19\u00a0\u00a0 64\u00a0 377\u00a0\u00a0\u00a0 1.209\u00a0\u00a0 12.256\u00a0\u00a0 5.845<\/p>\n
\nMake sure the clock on the PDC matches “real” time, like 0.us.pool.ntp.org. \u00a0This has to be manually done every so often. \u00a0Directions at https:\/\/technet.microsoft.com\/en-us\/library\/cc731790%28WS.10%29.aspx<\/a><\/span><\/span>.
\nAs an admin in a cmd window, do:
\nw32tm \/config \/syncfromflags:manual \/manualpeerlist:0.us.pool.ntp.org
\nw32tm \/config \/update
\n(Other dc’s know to follow the PDC. \u00a0They automatically sync to algol.)<\/p>\n
\nAs root (probably need to be on the console, ssh as root is turned off by default in esx):
\nservice ntpd stop
\nntpdate dc1
\nntpdate dc1 (should be darn close the second time, just milliseconds off)
\nservice ntpd start<\/p>\n
\nAs root:
\nservice ntpd stop
\nntpdate algol
\nntpdate algol (should be darn close the second time, just milliseconds off)
\nservice ntpd start<\/p>\n
\nAs root:
\nsvcadm disable ntp
\nntpdate algol
\nntpdate algol (should be darn close the second time, just milliseconds off)
\nsvcadm enable ntp<\/p>\n","protected":false},"excerpt":{"rendered":"