Windows Time Service Tools and Settings
Did You know that the time services can break your Active Directory.
Well with the default time settings you have a +&- time setting in
MaxPosPhaseCorrection & MaxnegPhaseCorrection normal you should set this to 48 hours 0×2A300 or 172,800 seconds.
But what is the default ? 4,294,967,295 = about 136 years so this means your time between DC can be 136 years different, without killing your AD. This is fixed in Windows 2008 R2 but I know there are a lot of sites the did not configure this value.
Note This is not a new rule but an update to an existing rule.
Before you apply this update, a registry path is incorrectly set to the following location:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxPosPhaseCorrection
After you apply this update, the registry path is corrected to the following location:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxNegPhaseCorrection
Change this !!
So Set one DC to the NTP server and all others should use NT5DS
Get more info here :
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2 http://support.microsoft.com/kb/980360
How to configure the Windows Time service against a large time offset http://support.microsoft.com/kb/884776
Benefits and Purposes of Windows Time Service http://technet.microsoft.com/en-us/library/cc775797(WS.10).aspx
Windows Time Service http://technet.microsoft.com/en-us/library/bb490845.aspx
Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969)
Configure a client computer for automatic domain time synchronization (http://go.microsoft.com/fwlink/?LinkId=91376)
Configure a manual time source for a selected client computer (http://go.microsoft.com/fwlink/?LinkId=91377)