Pau Lo
asked on
MaxPosPhaseCorrection setting
is there a command that can be used to see what the current setting is for MaxPosPhaseCorrection on a domain controller? all adbpa tells you is if you meet the 48 hours best practice recommendation or not? what are the risks, if any, in setting this to a value above or below 48 hours, as the adbpa description of the risk is incredibly vague, e.g. ..."which can cause problems throughout the domain"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Kerberos relies on time to prevent replay attacks. Default Kerberos packet is only valid for 5min. MaxPosPhaseCorrection protects the Windows Time Service against large time jumps that can be used to circumvent Kerberos integrity
ASKER