You will need:
- one or more Windows Server 2008 R2 (also fully patched Windows Server 2003, 2008) domain controllers, set up in line with Oxford University's Active Directory pages;
- to make sure that time is synchronised with an NTP source. For Kerberos to function properly, all participating hosts must be within five minutes of each other (by default). Point the PDC Emulator in your AD forest to the OUCS NTP servers to achieve this, using the w32time service, configured using this Microsoft authoritative time server configuration procedure.