Windows Time Service and Internet Communication (Windows Server 2003)

Windows Time Service Tools and Settings

Did You know that the time services can break your Active Directory.

Well with the default time settings  you have a +&-  time setting in

MaxPosPhaseCorrection & MaxnegPhaseCorrection normal you should set this to 48 hours 0×2A300 or 172,800 seconds.

But what is the default ? 4,294,967,295 = about 136 years so this means your time between DC can be 136 years different, without killing your AD.  This is fixed in Windows 2008 R2 but I know there are a lot of sites the did not configure this value.

  • The value of the MaxNegPhaseCorrection entry on the domain controller should be equal to 48 hours.

    Note This is not a new rule but an update to an existing rule.
    Before you apply this update, a registry path is incorrectly set to the following location:

    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxPosPhaseCorrection

    After you apply this update, the registry path is corrected to the following location:

    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxNegPhaseCorrection

  • Change this !!

    So Set one DC to the NTP server and all others should use NT5DS

    Get more info here :

    Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2 http://support.microsoft.com/kb/980360

    How to configure the Windows Time service against a large time offset http://support.microsoft.com/kb/884776

    Benefits and Purposes of Windows Time Service http://technet.microsoft.com/en-us/library/cc775797(WS.10).aspx

    Windows Time Service http://technet.microsoft.com/en-us/library/bb490845.aspx

    Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969)

    Configure a client computer for automatic domain time synchronization (http://go.microsoft.com/fwlink/?LinkId=91376)

    Configure a manual time source for a selected client computer (http://go.microsoft.com/fwlink/?LinkId=91377)

    Posted June 7, 2010 by Robert Smit in Deployment

  • Tag