How does adclient adjust the system time?
Once the system is joined to a domain, adclient synchronizes system time against the domain controller time.
The capabilities are controlled by two values:
adclient.sntp.enabled parameter specifies whether to use the Windows Time Service to keep the local system clock in sync with the domain the computer has joined.
adclient.sntp.poll parameter specifies whether the interval between SNTP clock updates when using the Windows Time Service to keep the local system clock in sync with the domain the computer has joined.
The above are controlled by Active Directory group policies:
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers > Enable Windows NTP Client
Computer Configuration > Administrative Templates > System > Windows Time Service > SNTP Poll Interval
The poll time is actually the base 2 logarithm of the time in seconds. For example, a value of 6 gives 64 seconds (2**6), and a value of 15 gives 32768 seconds, or 9.1 hours.
Note: This can be managed on a per-server basis too by editing /etc/centrifydc/centrifydc.conf and searching for the above parameters.
Having the NTP service running as well as adclient may cause synchronization issues. This is because the NTP client is trying to synchronize with a NTP Public Pool Time Server while adclient will be trying to synchronize with the domain controller.
Having too great of a synchronization gap between the client and the domain controller will cause the adclient to be disconnected as kerberos relies on this synchronization to work properly. Therefore it is recommended to only have adclient keeping track of time.
You can check if NTP is running by running the following command(s)
# systemctl status ntpd
$ svcs -x svc:/network/ntp4:default
$ ntpdc -c peers