I'm currently working with a Win2003/XP network. It has no Internet connection (and cannot have) and no external time source. However, there are 2 domain controllers and the primary has an internal clock good enough that an admin procedure to check it weekly or monthly would be perfectly acceptable. Since (kerberos) authentication depends on timestamps, will everything fall apart if the administrator manually corrects the time on the master by more than a minute or so? If so, is there a way to make it gradually catch up or loose the required minutes, just as it would if it got the time from an external ntp source? Finally, how do I set the thing up? Googling for the solution mainly gives hints involving registry tweaks - not that I'm afraid of tweaking the registry, but it's not the professional way. Currently I have 3 main group policy objects - one for domain controllers, one for other servers, and one for XP clients. Should I set the default policy to ntp client, and then create a new GPO to be applied only to the primary domain controller, overriding that and making it an ntp server? Regards - Philip

You set all domain systems to the server. Install ntp service and use the normal ways to point to that ip as the ntp. It varies on xp version and how you are running each computer. Normally stand alone home editions need the reg edit. "Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

All domain controllers set to time servers? So if none have an external time source as I said, how would they choose between them which one's BIOS clock to rely on? And how would you know which to periodically correct? Regards - Philip

The ntp server is the master so to speak. There is no way to say bios is correct and ntp is not. You in effect force the time to be the same as ntp server even if it is way wrong. Your lan has to be correct, not the US Navy. "Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10