Description
The Windows Time service by default in Windows 2000 and 2003 allows for a positive or negative time correction of any amount for domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even occur when synchronizing with other authoritative sources as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can occur from a dramatic time change are Windows Server 2003 based domain controllers may be quarantined, deleted objects may be prematurely purged before end-to-end replication of the deletion is fully replicated (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords becoming out of sync.
Resolution
Modify the default value on the following registry.
The registry key(s) are different depending upon the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).
No comments:
Post a Comment