Configuring the Windows Time Service
As discussed in Chapter 8, Windows uses Kerberos version 5 (v5) as the primary authentication mechanism. With Kerberos authentication, computers must have their time closely synchronized in order to be properly authenticated. By default, the maximum allowed time difference is 5 minutes. If the time difference is greater than this value, authentication will fail.
Although you could extend the allowable time difference through domain security policy by using the Kerberos policy Maximum Tolerance For Computer Clock Synchronization, doing so doesn’t get to the root cause of the time divergence. Whether computers are in a domain or workgroup setting, the root cause of time divergence is a lack of time synchronization, ...
Get Active Directory® Administrator's Pocket Consultant now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.