Time Service

The time service is an excellent example of how a simple protocol such as SNTP is integrated into the domain functionality. The domain client has an SNTP client locally that is tasked with managing the system clock. It is important that the clock of the domain client be reasonably closely synchronized with the domain controller's clock. The Kerberos protocol, for example, requires that the clocks be synchronized to within five minutes of each other.


Figure 15: Example protocol utilizing domain client ADM

This SNTP client on the domain client is configured, by default, to use a domain controller as its source of time. The SNTP client invokes the locator to identify a candidate domain controller. The time service also uses the RID of the client computer's account in the domain as the Key Identifier in the client NTP request (see [MS-SNTP] section 2.2.1). The SNTP server can use this RID to look up the account for the domain client in the directory. From the directory, the password associated with this account can be used to create a cryptographic check sum of the time stamp for return to the client ([MS-SNTP] section 2.2.2). The SNTP client on the domain client can then verify this checksum, based on the Password element of the ADM.

This example shows how a protocol leverages the same ADM elements as part of the operation of the domain client.