For the sake of posterity, here is the script and startup/cron tasks I use to keep the time in sync with our Active Directory domain controllers. The first time the script is run (on startup), it stops ntpd and steps the clock via ntpdate. On subsequent runs (every 5 minutes), it slews the clock via ntpdate. This is obviously not an ideal solution (which would be for ntpd to work correctly), but it does the job.
run_ntpdate.sh:
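#!/bin/sh
# Sync the clock against the AD domain controllers with ntpdate.
NTPD_PIDFILE=/var/db/ntp/ntpd.pid
if [ -f "$NTPD_PIDFILE" ] && ps -p "$(cat "$NTPD_PIDFILE")" > /dev/null ; then
    # First run (startup): ntpd is still running, so stop it and step the clock (-b).
    service ntpd stop > /dev/null
    ntpdate -b DC01.DOMAIN.AD DC02.DOMAIN.AD > /dev/null
else
    # Subsequent runs (every 5 minutes): slew the clock (-B).
    ntpdate -B DC01.DOMAIN.AD DC02.DOMAIN.AD > /dev/null
fi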