[ntp:questions] Does NTPClient need to be enabled for clients

Ace Fekay [MVP-DS, MCT] aceman at mvps.RemoveThisPart.org
Sun Feb 14 07:21:53 UTC 2010


"Jorge Silva" <jorgesilva_pt at hotmail.com> wrote in message 
news:6006FF85-DB68-4B1D-AB27-F753E8EF5C5F at microsoft.com...
> Ehhh...
> Okay, I see that people are missing the point that I tried to explain. The 
> problem is the precedence! When you open a precedence you're (probably) 
> opening a "door" to problems (for those that work in medium/large systems, 
> they know what I mean). IMO DCs shouldn't go out to public, it doesn't 
> matter if is only because the PDCe needs to sync the Time with a reliable 
> external time source or the importance that the Time service has in a 
> Active Directory hierarchy. In medium, large systems that can be the 
> argument  to open other things that might be considered low risk value in 
> terms of security and valuable in terms of internal functionality. What 
> this means is, is the time service important to Kerberos? Yes. Is Time 
> sync important to Active Directory? Absolutely. Will Active Directory stop 
> working if the PDCe doesn't sync its time with an external source? No way. 
> Is it important to have the correct and most accurate time inside your 
> system? Of course, you don't want to issue documents to your clients with 
> the incorrect time. Hum... What is more important: to have the most 
> accurate time in your internal/external systems or protect your DCs from 
> external time sources? THEY'RE BOTH IMPORTANT!!! :) - How to solve this? 
> For those you who can afford, create/expose a dedicated "Box" with one or 
> more external/internal/reliable Time server and sync your PDCe from there. 
> Keep in mind that in some companies, time is very, very, very important, 
> and their applications can't afford to have the %minutes skew that the 
> Kerberos has configured by default . So How do they solve this problem? 
> They spend huge amounts of money in boxes and Applications that are smart 
> enough to sync, compare, calculate and issue the exact/correct/time to 
> their systems, in some scenarios this can be done at the second :)
>
> Conclusion of all threads:
> - Is the best option to have the PDCe sync with external times sources? 
> Probably not.
> -Is the Linksys a crappy router? Yes (just kidding, it's worse than that 
> :)).
> -What Paul's router does? Mushroom cheese steak, cheese fries, and a 
> vanilla milkshake.
>
>


I'll take two.

Ace 





More information about the questions mailing list