Configuring the Windows Time service against a large time offset (884776)
The information in this article applies to:
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
INTRODUCTION
Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Time Service tool is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time.
To make sure that there is appropriate common time usage, the Time Service uses a hierarchical relationship that controls authority. Also, the Time Service does not permit loops. By default, Windows-based computers use the following hierarchy:
- All client desktop computers nominate the authenticating domain controller as their inbound time partner.
- All member servers follow the same process that client desktop computers follow.
- All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their inbound time partner.
- All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner but may use a parent domain controller based on stratum numbering.
In this hierarchy, the PDC operations master at the root of the forest becomes the authoritative time server for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you lower your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy to your domain.
MORE INFORMATION
Microsoft Windows XP Professional and Microsoft Windows Server 2003, all editions
Domain servers
Forest root PDC (authoritative time server)
We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. You must reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. Their default value is 0xFFFFFFFF (accept any time change). The recommended value is 900 (15 minutes) or even lower, depending on time source, network condition, and security requirement. This also depends on the poll interval. We recommend that you set the value of the MaxPollInterval registry entry to 10 or less, or that you set the value of the SpecialPollInterval registry entry to 3600 (1 hour) or less. For more information about these registry entries, see the "Windows Server 2003 and Windows XP Time Service registry keys" section.
Domain controllers and member servers inside the domain
The MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries have a default value of 0xFFFFFFFF (accept any time change). This default value is fine. However, you may want additional security inside your domain to help protect against human errors. Depending on what you want to achieve, you may either leave or modify the default values.
Stand-alone clients
The MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries have a default value of 54,000 (15 hours). As a security best practice, lower this default value. We recommend that you set the value to 3600 (1 hour) or even lower, depending on time source, network condition, poll interval, and security requirement.
Windows Server 2003 and Windows XP Time Service registry keys
| Registry Entry | Path | Notes |
|---|---|---|
| MaxPosPhaseCorrection | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config | This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: 0xFFFFFFFF means always make the time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours). |
| MaxNegPhaseCorrection | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config | This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: -1 (0xFFFFFFFF) means always make the time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours). |
| MaxPollInterval | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config | This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15. |
| SpecialPollInterval | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient | This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800. |
For additional information about the Windows Time service on a Windows Server 2003-based forest, visit the following Web site:
Windows 2000 Service Pack 4 (SP4), all editions
Domain servers
Forest root PDC (authoritative time server)
We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication for manual mode. You must reconfigure the MaxAllowedClockErrInSecs registry entry. The default value is 43,200. The recommended value is 900 (15 minutes) or even lower, depending on time source, network condition, and security requirement. This also depends on the poll interval. We recommend that the poll interval be one hour (Period = 24). More information about this registry entry may be found in the "Windows Server 2000 SP 4 registry key" section later in this article.
Domain controllers and member servers inside the domain
The synchronization type is NT5DS. The time service synchronizes from the domain hierarchy and accepts all time changes. Because NT5DS accepts any time change without considering the time offset, it is very important to set up a reliable forest root time source in the time sync subnet.
Stand-alone clients
The MaxAllowedClockErrInSecs registry entry has a default value of 43,200 (12 hours). As a security best practice, lower this default value. We recommend that the value be 3600 (1 hour) or even lower, depending on time source, network condition, poll interval, and security requirement.
Windows Server 2000 SP 4 registry key
| Registry Entry | Path | Notes |
|---|---|---|
| MaxAllowedClockErrInSecs | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters | Specifies the maximum allowed clock change in seconds. If a larger change is required, the service logs an event and makes no time adjustment, to help protect against a suspicious timestamp. The default value for domain members is 43,200. |
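As an added example (not part of KB 884776), the following PowerShell audit script reads the registry entries from both tables above and reports any that are looser than the article's recommended ceilings for the machine's role. The `$Role` parameter and the `Get-W32TimeDword` helper are this example's own names; it assumes it runs on the local machine with read access to HKLM.

```powershell
# Added audit script, not part of KB 884776: reads the W32Time registry entries the
# article discusses and reports any that are looser than the article's recommended
# ceilings for the chosen role. Assumes it runs locally with read access to HKLM.
param(
    [ValidateSet('ForestRootPdc', 'DomainMember', 'StandAlone')]
    [string]$Role = 'StandAlone'
)
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ntp    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'  # Windows 2000 key

function Get-W32TimeDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD is read back as a signed Int32, so 0xFFFFFFFF appears as -1;
    # reinterpret the same 4 bytes as unsigned so comparisons against ceilings work.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.$Name), 0)
}

# Maximum phase correction, in seconds, that the article recommends per role.
$phaseCeiling = switch ($Role) {
    'ForestRootPdc' { [uint32]900 }          # 15 minutes
    'StandAlone'    { [uint32]3600 }         # 1 hour
    'DomainMember'  { [uint32]::MaxValue }   # article: the 0xFFFFFFFF default is fine
}

$findings = @()
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    $v = Get-W32TimeDword $config $name
    if ($null -ne $v -and $v -gt $phaseCeiling) {
        $findings += "$name = $v s exceeds the $phaseCeiling s ceiling for role $Role"
    }
}
# Windows 2000 uses a single entry; the article's ceilings for it are the same.
$w2k = Get-W32TimeDword $params 'MaxAllowedClockErrInSecs'
if ($null -ne $w2k -and $w2k -gt $phaseCeiling) {
    $findings += "MaxAllowedClockErrInSecs = $w2k s exceeds the $phaseCeiling s ceiling"
}
# Forest root PDC: MaxPollInterval (log2 s) <= 10 or SpecialPollInterval <= 3600 s.
if ($Role -eq 'ForestRootPdc') {
    $poll    = Get-W32TimeDword $config 'MaxPollInterval'
    $special = Get-W32TimeDword $ntp 'SpecialPollInterval'
    if ($poll -gt 10 -and $special -gt 3600) {
        $findings += "MaxPollInterval = $poll (log2 s) and SpecialPollInterval = $special s both exceed 10 / 3600"
    }
}
if ($findings.Count -eq 0) { Write-Output "W32Time offset limits meet the article's recommendations for $Role." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it as `.\Audit-W32Time.ps1 -Role ForestRootPdc` on the forest root PDC and with the default role on stand-alone machines; a warning means the service would still accept a larger jump than the article recommends.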
Modification Type: Major
Last Reviewed: 6/20/2006
Keywords: kbSecurity kbhowto kbinfo KB884776
©2004 Microsoft Corporation. All rights reserved.