[Samba] AD DC in a container: NTP

Sven Schwedas sven.schwedas at tao.at
Wed Jan 9 11:51:46 UTC 2019

> I guess that confirms it: Using the AD DC as a time source does indeed
> require NTP. For the sake of argument, is it possible to use a machine that
> is not a DC, and potentially not even part of the AD, to serve time to
> other domain members?

That's what Roland said, yes. All AD (in particular the Kerberos part)
really cares about is *consistent* time. Distributing it via DCs is the
easiest, but not the only way.

> And how would you go about automatically pointing
> domain hosts to said machine? Group policy for clients, scripts for
> servers, or is there a simpler way?

DHCP can set NTP servers, YMMV if that's easier with your particular
network setup.

> It seems to me the cleanest way, and closest to best practice, is to keep
> the DC(s) serving time. The obvious exception would be in situations where
> all domain hosts are containerized, then ntp is not needed in any of the
> containers.

You still need to make sure all container hosts have their time
synchronised, obviously.

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20190109/777b6239/signature.sig>

More information about the samba mailing list