Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1662: How does adclient adjust system time (ntp/sntp)?

Authentication Service ,  

19 March,18 at 11:54 PM

Question:

How does adclient adjust the system time?


Answer:

Once the system is joined to a domain, adclient synchronizes system time against the Domain Controller time.

The capabilities are controlled by two values:

adclient.sntp.enabled: true
adclient.sntp.poll: 15

adclient.sntp.enabled parameter specifies whether to use the Windows Time Service to keep the local system clock in sync with the domain the computer has joined.

adclient.sntp.poll parameter specifies whether the interval between SNTP clock updates when using the Windows Time Service to keep the local system clock in sync with the domain the computer has joined. 

The above are controlled by Active Directory group policies:

Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers > Enable Windows NTP Client

Computer Configuration > Administrative Templates > System > Windows Time Service > SNTP Poll Interval


The poll time is actually the base 2 logarithm of the time in seconds. For example, a value of 6 gives 64 seconds (2**6), and a value of 15 gives 32768 seconds, or 9.1 hours. 

Note: This can be managed on a per-server basis too by editing /etc/centrifydc/centrifydc.conf and searching for the above parameters.

Additional Information:
Having the NTP service running as well as adclient may cause syncronization issues. This is because the NTP client is trying to syncronize with a NTP Public Pool Time Server while adclient will be trying to syncronize with the domain controller. 

Having too great of a syncronization gap between the client and the domain contoller will cause the adclient to be disconnected as kerberos relies on this syncronization to work properly. Therefore it is recommended to only have adclient keeping track of time.

You can check if NTP is running by running the following command(s) 

RedHat, CentOS:
# systemctl status ntpd
# ntpstat

Solaris:
$ svcs -x svc:/network/ntp4:default

Ubuntu:
$ ntpdc -c peers

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.