red background with white letters QA

Protecting the Windows Time Service Against Large Time Jumps

Q: How can I protect the Windows Time service running on my domain controllers (DCs) against large time jumps?

A: A large time jump occurs when a DC's time is reset by some external factor to, for example, a year back in time. Large time jumps on a DC can cause massive Kerberos authentication failures for the computers and users in a domain.

Large time jumps on a Windows DC can have different causes. They can be caused by a hardware change, such as the installation of a new motherboard or the replacement of a CMOS battery that failed. They can also originate from a bad external time source if your forest uses an external time provider or a human error (e.g., an administrator incorrectly resets the DC time).

Starting with Windows Server 2003, Windows provides two registry settings that force a DC to do a sanity check on the time it gets from another source (internal or external) to protect against large time jumps. That way, if one DC makes a large time jump, it won't spread the incorrect time to other DCs and cause widespread authentication failures.

The two registry settings are MaxPosPhaseCorrection and MaxNegPhaseCorrection, both of which take REG_DWORD values. They're located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config registry key.

Microsoft considers it an Active Directory (AD) best practice to set the value of MaxPosPhaseCorrection and MaxNegPhaseCorrection to 48 hours on all DCs. The recommended 48 hours can be represented in the registry using the value 2a300 (hexadecimal) or 172800 (decimal). The default value of the two registry entries is to accept any time change or the hexadecimal value 0xFFFFFFFF.

You can also control these registry keys using Group Policy Object (GPO) settings as follows: In the GPO console tree, navigate to Computer Configuration\Policies\Administrative Templates\System\Windows Time Service. Then, in the details pane, double-click Global Configuration Settings. In the Options section of the Global Configuration Settings dialog box, scroll to MaxPosPhaseCorrection and MaxNegPhaseCorrection. Set their values to 172800 (the decimal value for 48 hours), as shown in Figure 1. Click Apply, then OK.

Figure 1: Using GPO Global Configuration Settings to Control the Windows Time Service
Figure 1: Using GPO Global Configuration Settings to Control the Windows Time Service

For more information about these settings, you can consult the TechNet article "AD DS: The value of MaxPosPhaseCorrection on this domain controller should be equal to 48 hours."

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish