Time Skew Vs. Synchronization

In a Windows 2003 AD domain

Is there a time skew range between which a computer will/will not synchronize its clock?

I know Kerberos Authentication, by default, will not occur if the skew is >5min.

(I.E. If workstation time differs from server time by ____ minutes time synchronization fails?)

alexianitAsked:
Who is Participating?
 
Dr. KlahnPrincipal Software EngineerCommented:
Yes, there are time difference adjustement limits for some systems.  Microsoft discusses this in KB884776.

"The Windows 32 time service supports two registry entries, the MaxPosPhaseCorrection and the MaxNegPhaseCorrection."

For Windows XP and Server 2003, "The default value of these two registry entries is 0xFFFFFFFF. This default value means 'Accept any time change.'"  In my experience this is not correct; XP systems out of the box do have limits.

For standalone systems, "The MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries have a default value of 54,000 (15 hours). As a security best practice, we recommend that you reduce this default value. We also recommend that you set the value to 3600 (1 hour) or an even smaller value, depending on time source, on network condition, on poll interval, and on security requirements."
0
 
BatchVCommented:
Hi Have a look at this link, it explains in detail your question

http://support.microsoft.com/?kbid=224799
0
 
michkoCommented:
the referenced article above refers to windows 2000 specifically.  some of the information is still applicable to a server 2003 domain, but not all.

From my understanding, there is not a time skew range between which a computer will not synchronize its clock.  

there is a time skew range of 5 minutes on 2003 domain where things actions differ.

if the time skew is less than 5 minutes ahead, then the computer will slow its clock until it matches the synchronizing server time.

If the time skew is more than 5 minutes ahead, the computer will immediately match to the synchronizing server time.

If the time skew is behind the server time, then the computer will immediately match to the synchronizing server time.

Note that in windows 2000 the actions are the same, but the time skew is 3 minutes instead of 5.

technical reference for Windows Server 2003 and later if you're interested:
http://technet.microsoft.com/en-us/library/cc773061%28WS.10%29.aspx#w2k3tr_times_intro

0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

 
Dr. KlahnPrincipal Software EngineerCommented:
As a side issue, the MaxPosPhaseCorrection and MaxNegPhaseCorrection limits do not affect changes to and from Daylight Saving Time.
0
 
BatchVCommented:
If workstation can logon to domain it will always correct time automatically however if the time difference is too great than the workstation will fail to logon to domain and you will get an error message warning you about this. I believe this is where the default value of 15hours comes in.
0
 
alexianitAuthor Commented:
Objecting to accept answers.
0
 
alexianitAuthor Commented:
Good answer!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.