Brad's Tech Blog » AD http://bradstechblog.com Microsoft technologies like: System Center Operations Manager, and whatever else comes up at the office. Sat, 13 Feb 2010 01:59:12 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Windows server 2000 and 2003: Time configuration for MaxPosPhaseCorrection and MaxNegPhaseCorrection http://bradstechblog.com/microsoft-windows-server/windows-server-2000-and-2003-time-configuration-for-maxposphasecorrection-and-maxnegphasecorrection http://bradstechblog.com/microsoft-windows-server/windows-server-2000-and-2003-time-configuration-for-maxposphasecorrection-and-maxnegphasecorrection#comments Tue, 28 Oct 2008 19:20:08 +0000 Brad Hearn http://bradstechblog.com/?p=239 The Windows Time service by default in Windows 2000 and 2003 allows for a positive or negative time correction of any amount for domain controllers. This can cause serious problems in a forestĀ  should a dramatic time shift occur. This can even occur when synchronizing with other authoritative sources as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can occur from a dramatic time change are Windows Server 2003 based domain controllers may be quarantined, deleted objects may be prematurely purged before end-to-end replication of the deletion is fully replicated (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords becoming out of sync. The amount of effort to recover from a dramatic time change can be significant. The registry key(s) are different depending upon the operating system version.

Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxNegPhaseCorrection value to control positive time changes.)

Windows 2000
Path:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)

The above values control the largest positive (and negative, for Windows 2000) time correction in seconds that the Windows Time service will allow. If a time change larger than these values is received the Windows Time service will reject it and log an error in the System event log. The default value for domain controllers is 0xFFFFFFFF, which effectively allows for any time change to be accepted.

The general recommendation is to use a lower value. The new default in Windows Server 2008 is a positive/negative value of 48 hours (0×2A300 or 172,800 seconds). An even lower value can be used however the lower the value the more important operational processes and monitoring becomes since there is an increased chance of domain controllers rejecting time changes.

A GPO can also be used to manage the value. Windows 2003 and above natively include GPO settings to control the relevant Windows Time service values. A custom administrative template would be needed to manage Windows 2000 based domain controllers.

For 2003 and above, the GPEditor exposes these settings under \Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings\.

The values that should also be modified for Domain Controlers
are below.

Value name / Default value in GPEditor / Default for a DC

LargePhaseOffset / 1,280,000 / 50,000,000
SpikeWatchPeriod / 90 / 900
MaxPollInterval / 5 / 10
MinPollInterval / 10 / 6
UpdateInterval / 30,000 / 100
PhaseCorrectRate / 1 / 7

Value name / Default value in GPEditor / New recomended value for a DC

MaxPosPhaseCorrection / 54000 / 172800

MaxNegPhaseCorrection / 54000 / 172800

To veryify that the settings have been applied open your regisry editor and check the following Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Config

]]> http://bradstechblog.com/microsoft-windows-server/windows-server-2000-and-2003-time-configuration-for-maxposphasecorrection-and-maxnegphasecorrection/feed 0 Force a user GPO on a computer OU in Microsoft Active Directory http://bradstechblog.com/microsoft-windows-server/force-a-user-gpo-on-a-computer-ou-in-microsoft-active-directory http://bradstechblog.com/microsoft-windows-server/force-a-user-gpo-on-a-computer-ou-in-microsoft-active-directory#comments Fri, 26 Sep 2008 15:45:47 +0000 Brad Hearn http://bradstechblog.com/?p=187 I needed to apply a blank screen saver to all of our servers. Of course I wanted this to be done based on Server and not the logged in user/administrator. The location in the GPO for setting a screen saver is located in… (Click below to read the rest)

the Group Policy snap-in under Local Computer Policy\User Configuration\Administrative Templates\Control Panel\Display

Select Screen Saver Executable name and enter the location of the screen saver you are going to enforce.

Here you can specify the screen saver you want. I am using the blank screen saver

Select ok.

Next you need to enable Loop Back so that the computer OU can use the Users GPO.

Navigate to Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy Loopback processing mode\

You have two choices in this policy. One is to merge the user settings into the computer GPO and the other is to replace. I am going to merge.
This is it. Refresh your GPO and test this.
Remember You will want to create a new computer OU and move your computers or servers into it before you can apply the computer GPO to them.
]]> http://bradstechblog.com/microsoft-windows-server/force-a-user-gpo-on-a-computer-ou-in-microsoft-active-directory/feed 0