Pau Lo

MaxPosPhaseCorrection setting

Is there a command that can be used to see what the current setting is for MaxPosPhaseCorrection on a domain controller? All ADBPA tells you is whether you meet the 48 hours best practice recommendation or not. What are the risks, if any, in setting this to a value above or below 48 hours, as the ADBPA description of the risk is incredibly vague, e.g. ..."which can cause problems throughout the domain"
ASKER CERTIFIED SOLUTION
Shaun Vermaak
Pau Lo

ASKER

Thanks. What are the risks, if any, in setting this to a value above or below 48 hours, as the ADBPA description of the risk is incredibly vague, e.g. ..."which can cause problems throughout the domain"
Kerberos relies on time to prevent replay attacks. By default, a Kerberos packet is only valid for 5 min. MaxPosPhaseCorrection protects the Windows Time Service against large time jumps that can be used to circumvent Kerberos integrity.
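
As an added example (not part of the original thread or of any participant's answer), the PowerShell below reads the value the question asks about and compares it with the 48-hour recommendation mentioned above. It assumes the standard W32Time registry locations, also reports the companion setting MaxNegPhaseCorrection (not mentioned in the thread), and is meant to be run locally on the domain controller; `w32tm /query /configuration` shows the same effective values.

```powershell
# Added example: report the W32Time phase-correction limits on this machine.
# Values are stored in seconds as REG_DWORD. A value set by Group Policy
# (second path) takes precedence over the locally configured one.
$paths = [ordered]@{
    Local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Config'
}
$recommended = 48 * 3600     # 48 hours, the ADBPA recommendation cited in the thread
$noLimit     = 4294967295    # 0xFFFFFFFF: the service accepts a correction of any size

foreach ($source in $paths.Keys) {
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $item = Get-ItemProperty -Path $paths[$source] -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # value not set at this location

        # A REG_DWORD can surface as a signed Int32 (0xFFFFFFFF becomes -1),
        # so normalise it to its unsigned value before comparing.
        $seconds = [int64]$item.$name -band $noLimit

        if     ($seconds -eq $noLimit)     { $assessment = 'No limit: any time jump is accepted' }
        elseif ($seconds -gt $recommended) { $assessment = 'Above the 48 hour recommendation' }
        elseif ($seconds -lt $recommended) { $assessment = 'Below the 48 hour recommendation' }
        else                               { $assessment = 'Matches the 48 hour recommendation' }

        [pscustomobject]@{
            Source     = $source
            Setting    = $name
            Seconds    = $seconds
            Hours      = [math]::Round($seconds / 3600, 2)
            Assessment = $assessment
        }
    }
}
```

If both a Local and a Policy row appear for the same setting, the Policy row is the one the time service uses.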