Time Skew Vs. Synchronization

Posted on 2011-03-17
Medium Priority
Last Modified: 2012-06-21
In a Windows 2003 AD domain

Is there a time skew range between which a computer will/will not synchronize its clock?

I know Kerberos Authentication, by default, will not occur if the skew is >5min.

(I.e., if workstation time differs from server time by ____ minutes, time synchronization fails?)

Question by:alexianit

Expert Comment

ID: 35156542
Hi, have a look at this link; it explains your question in detail.

LVL 27

Expert Comment

ID: 35156718
The referenced article above refers to Windows 2000 specifically. Some of the information is still applicable to a Server 2003 domain, but not all.

From my understanding, there is not a time skew range between which a computer will not synchronize its clock.

There is a time skew range of 5 minutes on a 2003 domain where the actions differ.

If the time skew is less than 5 minutes ahead, then the computer will slow its clock until it matches the synchronizing server time.

If the time skew is more than 5 minutes ahead, the computer will immediately match to the synchronizing server time.

If the time skew is behind the server time, then the computer will immediately match to the synchronizing server time.

Note that in Windows 2000 the actions are the same, but the time skew is 3 minutes instead of 5.

Technical reference for Windows Server 2003 and later, if you're interested:

LVL 32

Accepted Solution

Dr. Klahn earned 375 total points
ID: 35156869
Yes, there are time difference adjustment limits for some systems. Microsoft discusses this in KB884776.

"The Windows 32 time service supports two registry entries, the MaxPosPhaseCorrection and the MaxNegPhaseCorrection."

For Windows XP and Server 2003, "The default value of these two registry entries is 0xFFFFFFFF. This default value means 'Accept any time change.'"  In my experience this is not correct; XP systems out of the box do have limits.

For standalone systems, "The MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries have a default value of 54,000 (15 hours). As a security best practice, we recommend that you reduce this default value. We also recommend that you set the value to 3600 (1 hour) or an even smaller value, depending on time source, on network condition, on poll interval, and on security requirements."
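
An added example (not part of the answer above or of KB884776): a PowerShell check that reads the two registry entries quoted above and compares them with the 3600-second recommendation. The registry path used here is the standard W32Time configuration key, which the page does not name, and the function name `Get-PhaseLimitFinding` is hypothetical.

```powershell
# Added example: audit the W32Time phase-correction limits on the local machine.
# Assumption: values are read from the standard W32Time Config key (not named on the page).
$configKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$recommendedMax = 3600         # seconds (1 hour), the value the KB text recommends
$acceptAny      = 4294967295   # 0xFFFFFFFF, "Accept any time change"

# Hypothetical helper: classify one registry entry against the KB guidance.
function Get-PhaseLimitFinding {
    param([string]$Name, [object]$RawValue)

    if ($null -eq $RawValue) {
        $seconds = $null
        $finding = 'not set; built-in default applies'
    }
    else {
        # REG_DWORD data is returned as a signed Int32, so 0xFFFFFFFF reads as -1.
        # Mask to 32 bits to recover the unsigned number of seconds.
        $seconds = [int64]$RawValue -band 4294967295
        if ($seconds -eq $acceptAny) {
            $finding = 'accepts any time change'
        }
        elseif ($seconds -gt $recommendedMax) {
            $finding = "above the recommended $recommendedMax seconds"
        }
        else {
            $finding = 'within the recommended limit'
        }
    }

    New-Object PSObject -Property @{ Name = $Name; Seconds = $seconds; Finding = $finding }
}

$config = Get-ItemProperty -Path $configKey -ErrorAction Stop

'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection' |
    ForEach-Object { Get-PhaseLimitFinding -Name $_ -RawValue $config.$_ } |
    Format-Table Name, Seconds, Finding -AutoSize
```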

LVL 32

Expert Comment

by:Dr. Klahn
ID: 35156890
As a side issue, the MaxPosPhaseCorrection and MaxNegPhaseCorrection limits do not affect changes to and from Daylight Saving Time.

Expert Comment

ID: 35157125
If a workstation can log on to the domain, it will always correct its time automatically; however, if the time difference is too great, then the workstation will fail to log on to the domain and you will get an error message warning you about this. I believe this is where the default value of 15 hours comes in.

Author Comment

ID: 35393740
Objecting to accept answers.

Author Closing Comment

ID: 35393748
Good answer!
