Windows Server 2000 and 2003: Time configuration for MaxPosPhaseCorrection and MaxNegPhaseCorrection
By default, the Windows Time service on Windows 2000 and Windows Server 2003 domain controllers accepts a positive or negative time correction of any size. This can cause serious problems in a forest should a dramatic time shift occur. It can happen even when synchronizing with an otherwise authoritative source, because hardware faults, software faults or human error can make that source serve the wrong time. Problems that can follow a dramatic time change include: Windows Server 2003 based domain controllers being quarantined; deleted objects being purged before the deletion has replicated end to end (leaving lingering objects); user and computer passwords expiring unexpectedly; and trust passwords going out of sync. Recovering from a dramatic time change can take significant effort. The registry values involved differ by operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: the accompanying MaxNegPhaseCorrection value controls negative time changes.)
Windows 2000
Path:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
The above values set the largest time correction, in seconds, that the Windows Time service will accept: on Windows 2003/2008, MaxPosPhaseCorrection for positive (forward) changes and MaxNegPhaseCorrection for negative (backward) changes; on Windows 2000, MaxAllowedClockErrInSecs for both. If a time sample would require a larger change, the service rejects it and logs an error in the System event log. The default on domain controllers is 0xFFFFFFFF, which effectively accepts any time change.
The general recommendation is to use a lower value. The new default in Windows Server 2008 is 48 hours (0x2A300, or 172,800 seconds) for both the positive and the negative limit. An even lower value can be used, but the lower the value, the more important operational processes and monitoring become, since the chance of domain controllers rejecting legitimate time changes increases.
A GPO can also be used to manage the value. Windows 2003 and above natively include GPO settings to control the relevant Windows Time service values. A custom administrative template would be needed to manage Windows 2000 based domain controllers.
For 2003 and above, the GPEditor exposes these settings under \Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings\.
The values that should also be modified for domain controllers are below.

Value name             Default value in GPEditor   Default for a DC
LargePhaseOffset       1,280,000                   50,000,000
SpikeWatchPeriod       90                          900
MaxPollInterval        5                           10
MinPollInterval        10                          6
UpdateInterval         30,000                      100
PhaseCorrectRate       1                           7

Value name             Default value in GPEditor   New recommended value for a DC
MaxPosPhaseCorrection  54000                       172800
MaxNegPhaseCorrection  54000                       172800
To verify that the settings have been applied, open the registry editor and check the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Config. Values written there by Group Policy take precedence over the ones under HKLM\System\CurrentControlSet\Services\W32Time\Config, so the policy key is the one that reflects the effective limit on a DC managed by GPO.
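As an added example (not part of the original article), the following PowerShell script audits the limits described above on a Windows Server 2003 or later domain controller. It reads both the service key and the policy key used in the verification step, reports whether the effective MaxPosPhaseCorrection/MaxNegPhaseCorrection is still the unlimited 0xFFFFFFFF default, and with -Fix writes the recommended 172,800-second value and tells the service to re-read its configuration. It assumes PowerShell 2.0 or later and an elevated prompt on the DC itself; the script name, parameters and the Get-DwordValue helper are this example's own. Windows 2000 (single MaxAllowedClockErrInSecs value under ...\W32Time\Parameters) is not handled.

```powershell
# Added example, not from the original article: audit the W32Time
# phase-correction limits on a Windows Server 2003 (PowerShell 2.0) or later
# domain controller and optionally apply the recommended 48-hour limit.
# Assumptions: runs elevated on the DC itself. Windows 2000 keeps a single
# MaxAllowedClockErrInSecs value under ...\W32Time\Parameters; not handled here.
param(
    [switch]$Fix,                          # write the recommended values when present
    [uint32]$RecommendedSeconds = 172800   # 48 hours, the Windows Server 2008 default
)

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Config'   # written by the GPO
$Names      = 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection'
$Unlimited  = [uint32]::MaxValue           # 0xFFFFFFFF: accept any time change

# REG_DWORD values come back from Get-ItemProperty as signed Int32, so the
# 0xFFFFFFFF default reads as -1. Mask it back to an unsigned number so the
# comparison against $Unlimited works.
function Get-DwordValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ([int64]($item.$Name)) -band ([int64]$Unlimited)
}

$report = foreach ($name in $Names) {
    $policy = Get-DwordValue -Key $PolicyKey  -Name $name
    $local  = Get-DwordValue -Key $ServiceKey -Name $name
    # A value delivered by Group Policy overrides the service's own key.
    if ($null -ne $policy) { $effective = $policy; $source = 'GPO' }
    else                   { $effective = $local;  $source = 'local' }

    if     ($null -eq $effective)               { $status = 'missing: service default applies' }
    elseif ($effective -eq $Unlimited)          { $status = 'UNLIMITED: any time jump is accepted' }
    elseif ($effective -gt $RecommendedSeconds) { $status = 'above recommended limit' }
    else                                        { $status = 'ok' }

    New-Object PSObject -Property @{
        Value     = $name
        Effective = $effective
        Source    = $source
        Status    = $status
    }
}

$report | Select-Object Value, Effective, Source, Status | Format-Table -AutoSize

if ($Fix) {
    if ($report | Where-Object { $_.Source -eq 'GPO' }) {
        Write-Warning 'A limit is delivered by Group Policy; change it in the GPO instead, or the next policy refresh will overwrite this edit.'
    }
    foreach ($name in $Names) {
        # Write the local service configuration; 172800 fits comfortably in a DWORD.
        Set-ItemProperty -Path $ServiceKey -Name $name -Value ([int]$RecommendedSeconds) -Type DWord
    }
    # Make the running service re-read its configuration without a restart.
    & w32tm.exe /config /update
}
```

Run it without arguments to see the effective limit and where it comes from; run it with -Fix only on DCs whose limits are managed locally. Where the Source column says GPO, change the values in the Global Configuration Settings policy described above rather than in the service key, since the policy key wins on the next refresh.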