Welcome to the Centrify forums.
See your answers in blue.
- Does installing centrify & joining these systems make them automatically sync time with the AD Domain Controllers?
Yes. This is the behavior by default. - What happens to the ntp.conf time server setting then ?
It's not used.![Smiley Happy]( "Smiley Happy")
- Does AD time take precedence over it ?
Yeap!
More information
In an enterprise, ideally all systems (switches, routers, servers, etc) sync to a consistent time source; however there may be situations where you want to use the NTP settings from your system.
Why do we do this?
As part of making Kerberos work "out of the box" we will by default attempt to synchronize time with Active Directory. Although this is the default behavior, this is completely optional.
To control this behavior, use the adclient.sntp.enabled directive in the /etc/centrifydc/centrifydc.conf file:
# SNTP settings # # If true, adclient will keep the system clock in sync with
# the domain controller. # # This parameter is controlled by the Group Policy # # "Computer Configuration" # -> "Administrative Templates" # -> "System" # -> "Windows Time Service" # -> "Time Providers" # -> "Enable Windows NTP Client" # # adclient.sntp.enabled: true
Commercial customers have the option to use group policy to control this parameter centrally.
If you change this parameter manually, you have to run the sudo adreload command.
I hope this clarifies things.