authorization feature sets. Companies implementing Windows 2003 AD must decide whether to create a
single-forest or a multiple-forest infrastructure, depending on manageability, the security requirements
between domains and forests, and administrative cost. A single forest is easier to manage and is well
suited to workgroup and departmental environments. Enterprise environments, however, may require
more administrative separation between domains and forests and may need a multiple-forest model,
even though that model increases administrative cost within each domain. Because the forest, not the
domain, is the security boundary in Active Directory, creating separate forests keeps environments
protected from rogue administrators elsewhere in the company.
2.2 Time Synchronization
Administrators should also ensure that system time is accurate and that all servers in the organization
use the same time source. The Windows Server 2003 W32Time service provides time synchronization
for Windows Server 2003 and Windows XP computers that are members of an Active Directory domain.
W32Time synchronizes the clocks of domain members with the domain controllers in their domain.
Accurate time is required for the Kerberos v5 authentication protocol, as well as for NTLMv2, and a
number of other Windows Server family components rely on synchronized clocks. If a client's clock
drifts beyond the domain's configured tolerance (five minutes by default), Kerberos v5 rejects the
client's authenticator as a possible replay attack and the user is denied access.
To ensure that the time is accurate, the PDC emulator in the forest root domain can be synchronized to
an external NTP time server. Doing so may require opening ports on the firewall: NTP uses UDP port
123. Before doing this, weigh the benefits against the potential security risk of making these
configuration changes. Run the following steps on the PDC emulator; other domain controllers and
member computers synchronize from the domain hierarchy by default. Complete the following steps to
synchronize Windows Server 2003 and Windows XP systems with an external time source:
1. Open a Command Prompt.
2. Type the following, where PeerList is a comma-separated list of DNS names or Internet Protocol (IP)
   addresses of the desired time sources:
   w32tm /config /syncfromflags:manual /manualpeerlist:PeerList
3. To apply the new configuration to the running service, type:
   w32tm /config /update
4. Check the Event Log. If the computer cannot reach the time servers, the procedure fails and an entry
   is written to the Event Log.
Computers running Windows 98, Windows NT 4.0, or Windows 2000 can synchronize their clocks with
the following command in a logon script, where <timecomputer> is a Windows 2000 or Windows 2003
domain controller on the network:
net time \\<timecomputer> /set /yes
Running this command synchronizes the clocks of these computers with the clocks of the other
computers throughout the domain.
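The following script is an added example, not part of the original guide, that carries the procedure above through as a practitioner would run it on the forest-root PDC emulator: it configures W32Time for external peers, restarts and resyncs the service, verifies the registry reflects a manual NTP configuration, measures the resulting offset against the first peer, and reports whether that offset is inside the Kerberos default tolerance of five minutes. The peer names (0.pool.ntp.org, 1.pool.ntp.org) are placeholders and should be replaced with approved time sources; the 0x8 suffix is the W32Time client-mode peer flag. It uses only the w32tm.exe, net.exe and event-log commands that ship with Windows and requires PowerShell to be installed.

```powershell
# Added example: configure W32Time on the PDC emulator for external NTP peers and verify
# that the resulting clock offset is within Kerberos's default 5-minute skew tolerance.
param(
    # Placeholder peers (assumption); replace with your organization's approved time sources.
    [string[]]$Peers = @('0.pool.ntp.org', '1.pool.ntp.org'),
    # Default "Maximum tolerance for computer clock synchronization" in Default Domain Policy.
    [int]$MaxSkewSeconds = 300
)

# Build the peer list in w32tm syntax; ",0x8" marks each peer as a client-mode peer.
$peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '

# 1. Point the service at the external peers (manual sync instead of the domain hierarchy)
#    and mark this machine as a reliable time source for the rest of the forest.
& w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update | Out-Null
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# 2. Restart the service so the new settings take effect, then force a resync.
& net.exe stop w32time | Out-Null
& net.exe start w32time | Out-Null
& w32tm.exe /resync /rediscover | Out-Null

# 3. Confirm the registry now reflects a manual NTP configuration.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
if ($params.Type -ne 'NTP') { throw "W32Time Type is '$($params.Type)', expected 'NTP'" }
Write-Host "NtpServer = $($params.NtpServer)"

# 4. Measure our offset against the first peer. /stripchart prints one sample per line,
#    e.g. "12:00:01, +00.0123456s"; unreachable peers produce "12:00:01, error: 0x800705B4".
$samples = & w32tm.exe /stripchart /computer:$($Peers[0]) /samples:5 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
}
if (-not $offsets) {
    # Most likely UDP port 123 is blocked at the firewall, the case the guide warns about.
    throw "No NTP samples returned from $($Peers[0]); check that UDP port 123 is open"
}
$worst = 0.0
foreach ($o in $offsets) {
    if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) }
}
if ($worst -gt $MaxSkewSeconds) {
    Write-Warning ("Clock skew {0:N3}s exceeds the {1}s Kerberos tolerance; logons will fail" -f $worst, $MaxSkewSeconds)
} else {
    Write-Host ("Worst offset {0:N3}s is within the {1}s Kerberos tolerance" -f $worst, $MaxSkewSeconds)
}

# 5. Surface recent W32Time events, as step 4 of the procedure says to check the Event Log.
Get-EventLog -LogName System -Source W32Time -Newest 10 |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the PDC emulator only; pointing every domain controller at external peers defeats the domain time hierarchy and makes a firewall exception necessary on each of them. A sustained offset close to the tolerance is worth fixing before it causes authentication failures, since the stripchart value is the skew between this machine and its source, not between this machine and the clients that will authenticate against it.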