In a large environment with sites in different geographical locations, many administrators are confused by the time service and how it works. In this article I am going to give a detailed description of the time service and how it operates.
Active Directory uses Kerberos to authenticate users and computers in a domain.
I am not going to explain the whole Kerberos authentication process, just how Kerberos uses time during authentication.
When the server receives an authentication request (the ticket with its authenticator), it checks the client's clock time. The server verifies that the client's time falls within the server's time plus or minus the allowable skew, and that the client's timestamp is unique: not the same as or earlier than the time of another authenticator.
If the client's time falls within the allowable skew and its timestamp is unique, the server slightly modifies the contents of the original authenticator and re-encrypts it with the client's secret key, establishing mutual authentication. The server then acknowledges the client by sending the modified authenticator, with the client's original timestamp, back to the client for identification.
The client's clock must be synchronized with the server's (domain controller's) clock for authentication to succeed.
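As an added example that is not part of the original article, here is a small model of the two server-side checks described above: the clock-skew window and the uniqueness of the authenticator timestamp. The 5-minute tolerance is an assumed default (the usual Windows "Maximum tolerance for computer clock synchronization" value), and the client names and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Error names taken from the Kerberos specification; the logic below is a
# simplified model of the server's authenticator validation, not real KDC code.
KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"      # client clock outside the allowable skew
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"  # authenticator timestamp already seen


@dataclass
class AuthenticatorVerifier:
    # Assumed default: 5 minutes, the usual Windows domain tolerance.
    max_skew: timedelta = timedelta(minutes=5)
    # Replay cache: the last accepted authenticator time per client principal.
    last_seen: Dict[str, datetime] = field(default_factory=dict)

    def verify(self, client: str, client_time: datetime,
               server_time: datetime) -> Optional[str]:
        """Return None if the authenticator is accepted, else the error name."""
        # 1. The client's time must fall within server time +/- allowable skew.
        if abs(server_time - client_time) > self.max_skew:
            return KRB_AP_ERR_SKEW
        # 2. The timestamp must be unique: not the same as or earlier than
        #    one already accepted from this client.
        previous = self.last_seen.get(client)
        if previous is not None and client_time <= previous:
            return KRB_AP_ERR_REPEAT
        self.last_seen[client] = client_time
        return None


def demo() -> List[Optional[str]]:
    """Constructed sequence: good request, its replay, a stale clock, a later one."""
    v = AuthenticatorVerifier()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return [
        v.verify("host1$", now - timedelta(minutes=2), now),   # accepted
        v.verify("host1$", now - timedelta(minutes=2), now),   # same timestamp again
        v.verify("host2$", now - timedelta(minutes=9), now),   # clock 9 minutes behind
        v.verify("host1$", now + timedelta(seconds=30), now),  # later and within skew
    ]


if __name__ == "__main__":
    print(demo())
```

A client whose clock drifts past the skew window fails before any password or key is examined, which is why a failing time service shows up first as Kerberos authentication errors.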
Time synchronization in Active Directory
In a normal Active Directory environment the PDC emulator acts as the time server. The PDC emulator is located in the forest root domain and is connected to an external time source. The external time source holds the position of greatest accuracy, stratum one. The PDC emulator is at stratum two. The forest root domain can also be called the parent domain, and each domain under the parent or forest root can be called a child domain. Any domain controller that takes its time directly from the PDC emulator of the forest root domain is designated stratum three.