Domain membership across a firewall

Bill

We have successfully joined a Windows 2K Professional workstation to a
domain across a firewall. We noticed in the firewall logs that NTP
(Network Time Protocol) port 123 is being denied.

This doesn't surprise me since all Active Directory domain clients sync
their clocks to the domain both when they join, and periodically to
correct clock drift.

Are there any other down-sides to not allowing NTP traffic, other than
clock drift?

Thank you,
Bill
 
As long as you're not doing any domain services (ie DNS, DHCP) on the machine
connected through the firewall, you shouldn't have any issues.

We do the exact same thing here and so far have had no issues for the last 6
to 8 months.
 
If the clock drifts more than ten minutes (I think it's ten it could be
five), by default, then you won't be able to logon, as Kerberos uses
time-stamps for tickets and validity, etc.

I would ensure that you allow w32time to run.

For info. here's a list of Windows' ports:
-- http://support.microsoft.com/?id=832017

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
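
As an added example (not code from the thread or from msresource.net), the following PowerShell checks the two things the reply above points at: whether W32Time is running, and how far this client's clock actually is from the domain controller. It sends a plain SNTP request on UDP/123 and compares the measured offset with the documented Kerberos default of 5 minutes ("Maximum tolerance for computer clock synchronization"). The DC name is an assumption; when the firewall drops UDP/123 the request simply times out, which is exactly the condition Bill's logs show.

```powershell
# Added example, not code from the thread. Measures this host's clock offset
# against a domain controller over plain SNTP (UDP/123) and compares it with the
# Kerberos default skew tolerance of 5 minutes. The DC name is an assumption.
param([string]$DomainController = "dc1.corp.example")  # assumed name; use your DC

$KerberosMaxSkewMinutes = 5   # default "Maximum tolerance for computer clock synchronization"

function Get-NtpOffset {
    param([string]$Server, [int]$TimeoutMs = 3000)

    # 48-byte SNTP client request: LI=0, VN=3, Mode=3 packs to 0x1B in the first byte
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        $t1 = [DateTime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $response = $udp.Receive([ref]$remote)
        $t4 = [DateTime]::UtcNow
    }
    catch [System.Net.Sockets.SocketException] {
        # A firewall silently dropping UDP/123 surfaces here as a receive timeout
        throw "No NTP reply from $Server on UDP/123 (blocked or not listening): $($_.Exception.Message)"
    }
    finally {
        $udp.Close()
    }

    # Transmit Timestamp = bytes 40..47: 32-bit seconds since 1900-01-01 UTC
    # followed by a 32-bit fraction, both big-endian on the wire
    [byte[]]$secBytes  = $response[40..43]
    [byte[]]$fracBytes = $response[44..47]
    [Array]::Reverse($secBytes)    # BitConverter reads little-endian on Windows
    [Array]::Reverse($fracBytes)
    $seconds  = [BitConverter]::ToUInt32($secBytes, 0)
    $fraction = [BitConverter]::ToUInt32($fracBytes, 0) / [math]::Pow(2, 32)
    $ntpEpoch = [DateTime]::SpecifyKind([DateTime]'1900-01-01', [DateTimeKind]::Utc)
    $serverTime = $ntpEpoch.AddSeconds($seconds + $fraction)

    # Approximate the server's time at the midpoint of the round trip; result is (server - local)
    $localMid = $t1.AddTicks([long](($t4 - $t1).Ticks / 2))
    return $serverTime - $localMid
}

# 1. Is the Windows Time service actually running on this client?
$svc = Get-Service -Name W32Time
Write-Output "W32Time service: $($svc.Status)"

# 2. Measure the skew directly, independent of what w32time itself reports
try {
    $offset = Get-NtpOffset -Server $DomainController
    Write-Output ("Clock offset vs {0}: {1:N3} s" -f $DomainController, $offset.TotalSeconds)
    if ([math]::Abs($offset.TotalMinutes) -gt $KerberosMaxSkewMinutes) {
        Write-Warning "Skew exceeds $KerberosMaxSkewMinutes minutes: Kerberos exchanges will fail with KRB_AP_ERR_SKEW. Open UDP/123 to the DC and run 'w32tm /resync'."
    }
}
catch {
    Write-Warning $_
}
```

The rule to add on the firewall is UDP/123 from the workstation to the DC plus the reply; w32time sends from source port 123 as well, so a rule that only matches destination port 123 in one direction is not enough. Once the port is open, `w32tm /query /source` should name the DC rather than "Local CMOS Clock", and `w32tm /stripchart /computer:<dc> /samples:5 /dataonly` gives the same offset measurement using the built-in tool.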


We have successfully joined a Windows 2K professional workstation, to a
domain across a firewall. We noticed in the firewall logs that NTP
(Network Time Protocol) port 123 are being denied.

This doesn't surprise me since all Active Directory domain clients sync
their clocks to the domain both when they join, and periodically to
correct clock drift.

Are there any other down-sides to not allowing NTP traffic, other than
clock drift?

Thank you,
Bill
 