
Time Synchronization

Active Directory Domain Services uses Kerberos as the primary authentication protocol within the domain, and Kerberos requires the clocks of all computers in the domain to be within five minutes of each other. If a computer's clock drifts outside that window, the trust relationship with its machine account is lost.

When a computer first authenticates in a domain, it is issued a ticket-granting ticket (TGT) by a Key Distribution Center (KDC). Then, whenever the computer wants to access a resource, it presents the TGT and requests a ticket for that resource. However, if the computer's clock is more than five minutes out of sync, the KDC will no longer issue tickets and the computer will not be able to access resources.

Computers within a domain are synchronized as shown in the figure below. One domain controller holds the role of primary domain controller (PDC) emulator, and it is commonly configured to synchronize with an external time source.

All other domain controllers get their time from the PDC emulator. Then, when a domain computer is turned on and authenticates with a domain controller, the client synchronizes its time with that domain controller.

This works well as long as a user doesn't change the time on the computer. If a user changes the time (or date) so that it is more than five minutes off, the computer is effectively kicked off the domain, at least until it is rebooted and synchronizes with a domain controller again.

When the system time is changed and the system is effectively kicked off the domain, it is sometimes challenging to identify why. This is a great example of how rebooting a system often clears up such problems.

Figure: Time synchronization in a domain
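The following PowerShell script is an added example, not part of the original page, that puts the five-minute rule described above into a check an administrator can run on a suspect Windows 7 client. It measures the client's clock offset against a domain controller using the built-in w32tm.exe tool, reports which time source the client is configured to use, and flags the machine when the offset exceeds the Kerberos tolerance. The function names (Get-ClockOffsetSeconds, Test-KerberosClockSkew) are my own, the regular expression assumes the sample-line format that w32tm /stripchart prints ("hh:mm:ss, +00.0123456s"), and the default domain controller is taken from the LOGONSERVER environment variable, which holds the DC the client authenticated with.

```powershell
# Added example (not from the original page): measure this client's clock offset
# against a domain controller and flag it when it exceeds the five-minute
# Kerberos tolerance the page describes. Assumes w32tm.exe is available (it is on
# every domain-joined Windows 7 client) and, for the optional resync, an
# elevated PowerShell prompt.

function Get-ClockOffsetSeconds {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$Samples = 3
    )
    # w32tm /stripchart prints one line per sample, e.g. "12:00:01, +00.0123456s".
    # The signed value is the local clock's offset from the remote clock in seconds.
    # (Assumption: this output format is what the regex below parses.)
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No samples returned from $Computer (is UDP/123 reachable and is the name correct?)"
    }
    # Average the samples to smooth out network jitter on a single reading.
    return ($offsets | Measure-Object -Average).Average
}

function Test-KerberosClockSkew {
    param(
        # LOGONSERVER looks like "\\DC01"; strip the leading backslashes.
        [string]$Computer = $env:LOGONSERVER.TrimStart('\'),
        # Kerberos default tolerance: five minutes, as stated on the page.
        [int]$MaxSkewSeconds = 300
    )
    $offset = Get-ClockOffsetSeconds -Computer $Computer
    [pscustomobject]@{
        Computer        = $Computer
        TimeSource      = (w32tm /query /source) -join ' '   # what the client thinks it syncs from
        OffsetSeconds   = [math]::Round($offset, 3)
        MaxSkewSeconds  = $MaxSkewSeconds
        WithinTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage: run on the client that has stopped being able to reach domain resources.
$result = Test-KerberosClockSkew
$result | Format-List

if (-not $result.WithinTolerance) {
    Write-Warning "Clock is off by $($result.OffsetSeconds) s from $($result.Computer); the KDC will refuse tickets."
    # Force an immediate resync with the configured source instead of waiting for a
    # reboot (requires an elevated prompt). Uncomment to act on it:
    # w32tm /resync /nowait
}
```

On a domain member the TimeSource field should name a domain controller; on the PDC emulator it should name the external source the page mentions. If a client reports "Local CMOS Clock" there, it is not synchronizing with the domain hierarchy at all, which is worth investigating before blaming a user for changing the date. The same offset check can be pointed at the PDC emulator from another domain controller to confirm that the top of the hierarchy is itself within tolerance.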