Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)

Posted by Jorge on 2010-09-26


In the previous post (part 2) I discussed how to configure the DC in the forest root AD domain that holds the PDC FSMO role by using GPOs and a WMI filter. After configuring the DC in the forest root AD domain with an external time source, you want or need to make sure no excessive time jumps occur backward or forward on any DC in the AD forest. When excessive time jumps occur you will experience issues with AD replication, Kerberos authentication, object recovery, etc.

The configuration on DCs that prevents such an excessive time jump can be achieved either through local registry configuration or through GPOs. The GPO settings can be configured in the GPOs mentioned earlier, and the GPO settings are:

  • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours)
  • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours)


By default, the OS (W2K3 and higher) implements a period of 48 hours before the current time and 48 hours after the current time. If the time jump falls within the defined intervals, the time jump is accepted and processed. If the time jump falls outside the defined intervals, the time jump is not accepted and therefore also not processed. This is very good to prevent serious damage to your AD forest. What I do not understand is why Microsoft has chosen a default value of 48 hours. Personally I still find that interval too big. I would choose an interval that’s closer to 10 or 15 minutes as an acceptable time jump. Taking an interval of 15 minutes into account, the XYZ would be 900 seconds.
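To check which limits a DC is actually running with, the following added example (not part of the original post) reads both values and flags any that are missing or wider than the 900 seconds proposed above. The function name `Get-W32TimePhaseLimit` is hypothetical; it assumes the GPO values are stored under `HKLM\SOFTWARE\Policies\Microsoft\W32Time\Config`, the local values under `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config`, and that PowerShell remoting is enabled for remote targets.

```powershell
# Added example: audit the W32Time phase-correction limits locally or on remote DCs.
function Get-W32TimePhaseLimit {            # hypothetical helper name
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [long]$MaxAllowedSeconds = 900      # 15 minutes, the value proposed in the post
    )
    $reader = {
        # GPO-delivered values are written under the Policies key; locally
        # configured values live under the service's own Config key.
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Config'
        $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
        foreach ($name in 'MaxNegPhaseCorrection', 'MaxPosPhaseCorrection') {
            $source = 'GPO'
            $raw = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $raw) {
                $source = 'Local registry'
                $raw = (Get-ItemProperty -Path $localKey -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{ Setting = $name; Source = $source; Raw = $raw }
        }
    }
    foreach ($computer in $ComputerName) {
        $rows = if ($computer -eq $env:COMPUTERNAME) { & $reader } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $reader
        }
        foreach ($row in $rows) {
            $seconds = $null
            if ($null -ne $row.Raw) {
                # A REG_DWORD may be returned as a signed Int32; normalise so that
                # 0xFFFFFFFF (accept any correction) is 4294967295 rather than -1.
                $seconds = [long]$row.Raw
                if ($seconds -lt 0) { $seconds += 4294967296 }
            }
            [pscustomobject]@{
                Computer  = $computer
                Setting   = $row.Setting
                Source    = if ($null -eq $row.Raw) { 'Not set' } else { $row.Source }
                Seconds   = $seconds
                Compliant = ($null -ne $seconds -and $seconds -le $MaxAllowedSeconds)
            }
        }
    }
}

# Report every limit on this machine that is missing or wider than 15 minutes.
Get-W32TimePhaseLimit | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```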

For more information about protecting DCs from processing a time jump that’s too large see the links ‘Configuring the Time Service: Max[Pos/Neg]PhaseCorrection‘, ‘Preventing large time offset problems‘ and ‘How to configure the Windows Time service against a large time offset‘.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
