AD Time sync
08-10-2017 06:58 AM
Hello, I am new to Centrify, so please excuse me if this is a repeated question. I have installed Centrify Express on our Ubuntu 14.04 and 16.04 systems. I am able to successfully log in using our AD accounts. Does installing Centrify & joining these systems make them automatically sync time with the AD Domain Controller? Before installing Centrify, I had hardcoded settings in the local ntp.conf file of each Linux machine to point to a time server. What happens to this ntp.conf time server setting then? Does AD time take precedence over it?
08-10-2017 07:55 AM
Welcome to the Centrify forums.
See your answers in blue.
- Does installing centrify & joining these systems make them automatically sync time with the AD Domain Controllers?
Yes. This is the behavior by default.
- What happens to the ntp.conf time server setting then?
It's not used.
- Does AD time take precedence over it?
In an enterprise, ideally all systems (switches, routers, servers, etc.) sync to a consistent time source; however, there may be situations where you want to use the NTP settings from your system.
Why do we do this?
As part of making Kerberos work "out of the box" we will by default attempt to synchronize time with Active Directory. Although this is the default behavior, this is completely optional.
To control this behavior, use the adclient.sntp.enabled directive in the /etc/centrifydc/centrifydc.conf file:
    # SNTP settings
    #
    # If true, adclient will keep the system clock in sync with
    # the domain controller.
    #
    # This parameter is controlled by the Group Policy
    #
    # "Computer Configuration"
    # -> "Administrative Templates"
    # -> "System"
    # -> "Windows Time Service"
    # -> "Time Providers"
    # -> "Enable Windows NTP Client"
    #
    # adclient.sntp.enabled: true
Commercial customers have the option to use group policy to control this parameter centrally.
If you change this parameter manually, you have to run the sudo adreload command.
I hope this clarifies things.
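A small check for which time source is in effect on a joined host, added here as an example (not Centrify's code and not part of the posts above). It assumes the `name: value` layout shown in the answer, treats a missing or commented-out line as the default `true`, and assumes the last uncommented line wins; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: report whether adclient (SNTP to the domain controller)
# or the servers in ntp.conf govern the clock. File paths are arguments,
# so it can be run against copies of the real files.

# Print the effective adclient.sntp.enabled value for a centrifydc.conf file.
# Assumption: anything other than an explicit "false" counts as true.
sntp_enabled() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*adclient\.sntp\.enabled[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
        false) echo false ;;
        *)     echo true ;;
    esac
}

# Print "adclient-sntp" when AD time is in use, otherwise list the
# server/pool entries from the given ntp.conf.
time_source() {
    conf=$1
    ntp=$2
    if [ "$(sntp_enabled "$conf")" = true ]; then
        echo "adclient-sntp"
    else
        servers=$(awk '$1 == "server" || $1 == "pool" {print $2}' "$ntp" | tr '\n' ' ')
        echo "ntp.conf: ${servers% }"
    fi
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# adclient.sntp.enabled: true' > "$demo/default.conf"
printf '%s\n' 'adclient.sntp.enabled: false'  > "$demo/disabled.conf"
printf '%s\n' '# local time server' 'server 192.0.2.10 iburst' > "$demo/ntp.conf"

time_source "$demo/default.conf"  "$demo/ntp.conf"
time_source "$demo/disabled.conf" "$demo/ntp.conf"
```

On a real host the arguments would be /etc/centrifydc/centrifydc.conf and the system's ntp.conf; a manual change to the directive still needs the sudo adreload step mentioned above before it takes effect.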