As long as internal DNS is advertising your KDCs (normally domain controllers), it shouldn't be a problem; they should pick up the DNS pointer at the gateway on their first service query.
You have to make sure they sync on the local NTP at the gateway, or the KDC is not going to grant them TGTs (it won't even answer the request for a TGT, and you get a similar error) because their timestamp and the KDC's timestamp are separated by a value greater than the KDC's drift parameter. Or you could reset the KDC's drift parameter to some ginormous number and hope for the best, but that kind of defeats the purpose of using Kerberos in the first place.
Check the local time on one of the failing supplicants against the KDC's local time.
You can try locking them all into the same NTP pool, but that only works if the client remains in contact with the pool for its intermittent syncs; as soon as it doesn't (somebody turns off their computer, for example), you'll have a repeat of the same issue until they do.
Last edited by dijetlo; 03-06-2015 at 05:35 PM.
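The clock check the post recommends, as an added example that is not part of the original post or of any product's tooling: it compares a client's clock to the KDC's clock and reports whether the difference exceeds the Kerberos clock-skew tolerance (the post's "drift parameter"), which is 5 minutes by default for both MIT krb5 (`clockskew`) and Active Directory (`MaxClockSkew`). The host name `kdc01`, the NTP server `ntp.gateway.example`, the `ntpdate -q` output line and the epoch values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare a client clock with the
# KDC clock and report whether the skew is inside the Kerberos tolerance.
# 300 s is the default for MIT krb5 "clockskew" and AD "MaxClockSkew".
MAX_SKEW=300

# skew_seconds CLIENT_EPOCH KDC_EPOCH -> prints the absolute difference in seconds
skew_seconds() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    echo "$diff"
}

# skew_ok CLIENT_EPOCH KDC_EPOCH [MAX_SECONDS] -> exit 0 if within tolerance, 1 otherwise
skew_ok() {
    max=${3:-$MAX_SKEW}
    s=$(skew_seconds "$1" "$2")
    [ "$s" -le "$max" ]
}

# ntp_offset_from_query LINE -> extracts the "offset" field (seconds, signed) from an
# "ntpdate -q" result line such as:
#   server 10.0.0.5, stratum 3, offset -412.137, delay 0.02567
ntp_offset_from_query() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9.]*\).*/\1/p'
}

# abs_whole_seconds OFFSET -> absolute value of an offset like -412.137, truncated to whole seconds
abs_whole_seconds() {
    n=${1%%.*}
    n=${n#-}
    [ -z "$n" ] && n=0
    echo "$n"
}

# report CLIENT_EPOCH KDC_EPOCH -> human-readable verdict
report() {
    s=$(skew_seconds "$1" "$2")
    if skew_ok "$1" "$2"; then
        echo "skew ${s}s is within ${MAX_SKEW}s: the KDC will accept this client's AS-REQ timestamp"
    else
        echo "skew ${s}s exceeds ${MAX_SKEW}s: expect KRB_AP_ERR_SKEW ('Clock skew too great') until the client resyncs"
    fi
}

# Live use (commented out; both need network access and are assumptions about your names):
#   KDC_EPOCH=$(ssh kdc01 date +%s); CLIENT_EPOCH=$(date +%s)
#   ntpdate -q ntp.gateway.example | tail -n 1 | while read -r line; do ntp_offset_from_query "$line"; done

# Constructed sample: the client is 7 minutes ahead of the KDC.
CLIENT_EPOCH=1425686100
KDC_EPOCH=1425685680
report "$CLIENT_EPOCH" "$KDC_EPOCH"
```

Run it on a failing supplicant with the two `date +%s` values substituted; a skew above 300 s with no TGT issued points at the NTP problem the post describes, not at DNS or the KDC itself.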