?
Solved

Time Skew Vs. Synchronization

Posted on 2011-03-17
8
Medium Priority
?
1,144 Views
Last Modified: 2012-06-21
In a Windows 2003 AD domain

Is there a time skew range between which a computer will/will not synchronize its clock?

I know Kerberos Authentication, by default, will not occur if the skew is >5min.

(I.E. If workstation time differs from server time by ____ minutes time synchronization fails?)

0
Comment
Question by:alexianit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Expert Comment

by:BatchV
ID: 35156542
Hi Have a look at this link, it explains in detail your question

http://support.microsoft.com/?kbid=224799
0
 
LVL 27

Expert Comment

by:michko
ID: 35156718
the referenced article above refers to windows 2000 specifically.  some of the information is still applicable to a server 2003 domain, but not all.

From my understanding, there is not a time skew range between which a computer will not synchronize its clock.  

there is a time skew range of 5 minutes on 2003 domain where things actions differ.

if the time skew is less than 5 minutes ahead, then the computer will slow its clock until it matches the synchronizing server time.

If the time skew is more than 5 minutes ahead, the computer will immediately match to the synchronizing server time.

If the time skew is behind the server time, then the computer will immediately match to the synchronizing server time.

Note that in windows 2000 the actions are the same, but the time skew is 3 minutes instead of 5.

technical reference for Windows Server 2003 and later if you're interested:
http://technet.microsoft.com/en-us/library/cc773061%28WS.10%29.aspx#w2k3tr_times_intro

0
 
LVL 28

Accepted Solution

by:
Dr. Klahn earned 375 total points
ID: 35156869
Yes, there are time difference adjustement limits for some systems.  Microsoft discusses this in KB884776.

"The Windows 32 time service supports two registry entries, the MaxPosPhaseCorrection and the MaxNegPhaseCorrection."

For Windows XP and Server 2003, "The default value of these two registry entries is 0xFFFFFFFF. This default value means 'Accept any time change.'"  In my experience this is not correct; XP systems out of the box do have limits.

For standalone systems, "The MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries have a default value of 54,000 (15 hours). As a security best practice, we recommend that you reduce this default value. We also recommend that you set the value to 3600 (1 hour) or an even smaller value, depending on time source, on network condition, on poll interval, and on security requirements."
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 35156890
As a side issue, the MaxPosPhaseCorrection and MaxNegPhaseCorrection limits do not affect changes to and from Daylight Saving Time.
0
 
LVL 5

Expert Comment

by:BatchV
ID: 35157125
If workstation can logon to domain it will always correct time automatically however if the time difference is too great than the workstation will fail to logon to domain and you will get an error message warning you about this. I believe this is where the default value of 15hours comes in.
0
 

Author Comment

by:alexianit
ID: 35393740
Objecting to accept answers.
0
 

Author Closing Comment

by:alexianit
ID: 35393748
Good answer!
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question