Microsoft KB Archive/884776

= Configuring the Windows Time service against a large time offset =

Article ID: 884776

Article Last Modified on 4/27/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 4

-



INTRODUCTION
Windows includes the W32Time service, the Time Service tool that the Kerberos authentication protocol relies on for consistent clocks. Kerberos does not require that the Time Service tool itself be running: you can turn the Time Service tool off, and Kerberos will still work as long as the time delta between the relevant computers is within the maximum allowed time skew. You can also turn the Time Service tool off and install a third-party time service instead.

The purpose of the Time Service tool is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time. To make sure that there is appropriate common time usage, the Time Service uses a hierarchical relationship that controls authority. Also, the Time Service does not permit loops. By default, Windows-based computers use the following hierarchy:
 * All client desktop computers nominate the authenticating domain controller as their inbound time partner.
 * All member servers follow the same process that client desktop computers follow.
 * All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their inbound time partner.
 * All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner but may use a parent domain controller based on stratum numbering.

In this hierarchy, the PDC operations master at the root of the forest becomes the authoritative time server for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication of that source, which is why the following sections bound how large a time change the server will accept. We also recommend that you lower the time correction settings for your servers and stand-alone clients. These recommendations give your domain more accurate time.

Windows Server 2003 and Windows XP

Forest root PDC (authoritative time server)
We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. You must reconfigure the  and   registry entries. Their default value is 0xFFFFFFFF (accept any time change). The recommended value is 900 (15 minutes) or even lower, depending on the time source, network conditions, and security requirements. The right value also depends on the poll interval: we recommend that you set the value of the  registry entry to 10 or less, or that you set the value of the   registry entry to 3600 (1 hour) or less. For more information about these registry entries, see the "Windows Server 2003 and Windows XP Time Service registry keys" section.

Domain controllers and member servers inside the domain
The  and   registry entries have a default value of 0xFFFFFFFF (accept any time change). Inside the domain this default is acceptable, because these computers take their time from the domain hierarchy. However, you may want additional protection inside your domain against human error. Depending on what you want to achieve, you can either leave or lower the default values.

Stand-alone clients
The  and   registry entries have a default value of 54,000 (15 hours). As a security best practice, lower this default value. We recommend that you set the value to 3600 (1 hour) or even lower, depending on the time source, network conditions, poll interval, and security requirements.

Windows Server 2003 and Windows XP Time Service registry keys
For additional information about the Windows Time service on a Windows Server 2003-based forest, visit the following Web site:

http://technet2.microsoft.com/windowsserver/en/library/A0FCD250-E5F7-41B3-B0E8-240F8236E2101033.mspx

Windows 2000 Service Pack 4

Forest root PDC (authoritative time server)
We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source in manual mode, there is no authentication. You must reconfigure the  registry entry. Its default value is 43,200 (12 hours). The recommended value is 900 (15 minutes) or even lower, depending on the time source, network conditions, and security requirements. The right value also depends on the poll interval; we recommend a poll interval of one hour (Period = 24, that is, 24 synchronizations per day). For more information about this registry entry, see the "Windows Server 2000 SP 4 registry key" section later in this article.

Domain controllers and member servers inside the domain
The synchronization type is NT5DS: the time service synchronizes from the domain hierarchy and accepts all time changes. Because NT5DS accepts any time change without considering the size of the offset, it is very important to set up a reliable forest root time source in the time synchronization subnet.

Stand-alone clients
The  registry entry has a default value of 43,200 (12 hours). As a security best practice, lower this default value. We recommend a value of 3600 (1 hour) or even lower, depending on the time source, network conditions, poll interval, and security requirements.
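As an added example that is not part of this KB article, the following Python script audits a W32Time registry listing against the ceilings recommended above, for both the Windows Server 2003/Windows XP entries and the Windows 2000 SP4 entry. The archived article does not show the registry value names; the names used here (MaxPosPhaseCorrection, MaxNegPhaseCorrection and MaxPollInterval under W32Time\Config on 2003/XP, MaxAllowedClockErrInSecs and Period under W32Time\Parameters on Windows 2000) are assumptions, as is the reading of MaxPollInterval as the log2 of a poll interval in seconds and of Period as synchronizations per day. The input is a constructed listing in the three-column layout that `w32tm /dumpreg /subkey:Config` prints, so the script runs offline.

```python
"""Audit W32Time large-offset settings against the KB 884776 ceilings.

Added example, not part of the KB article.  The archived article does not
show the registry value names; the names below are assumptions (W32Time\\Config
on Windows Server 2003/XP, W32Time\\Parameters on Windows 2000 SP4).
"""

# Recommended ceilings in seconds per role, as given in the article.  None
# means the article keeps the default (0xFFFFFFFF on 2003/XP, NT5DS on 2000).
CEILINGS = {
    "forest-root-pdc": 900,    # 15 minutes or lower
    "stand-alone": 3600,       # 1 hour or lower
    "domain-member": None,
}
ACCEPT_ANY = 0xFFFFFFFF        # default on 2003/XP: accept any time change

# Assumed value names that bound an accepted time change, per OS family.
PHASE_ENTRIES = {
    "2003": ("MaxPosPhaseCorrection", "MaxNegPhaseCorrection"),
    "2000": ("MaxAllowedClockErrInSecs",),
}
# Poll settings (assumed names and meanings): MaxPollInterval is log2 of the
# longest poll interval in seconds (10 -> 1024 s); Period is synchronisations
# per day (24 -> hourly).  Period values 0 and 65531-65535 name a schedule.
MAX_POLL_LOG2 = 10
MIN_SYNCS_PER_DAY = 24

# Constructed sample in the 'Value Name / Value Type / Value Data' layout that
# 'w32tm /dumpreg /subkey:Config' prints: the 2003/XP defaults plus a 2^15 s
# poll interval.
SAMPLE_2003 = """\
Value Name                 Value Type          Value Data
------------------------------------------------------------
MaxPosPhaseCorrection      REG_DWORD           4294967295
MaxNegPhaseCorrection      REG_DWORD           4294967295
MaxPollInterval            REG_DWORD           15
AnnounceFlags              REG_DWORD           10
"""

# Constructed Windows 2000 SP4 Parameters listing in the same layout.
SAMPLE_2000 = """\
Value Name                 Value Type          Value Data
------------------------------------------------------------
MaxAllowedClockErrInSecs   REG_DWORD           43200
Period                     REG_DWORD           24
"""


def parse_dumpreg(text):
    """Parse the three-column table into {name: (type, data)}; REG_DWORD
    data becomes an int (decimal or 0x... accepted)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue                      # header, separator or blank line
        name, vtype, data = parts
        if vtype == "REG_DWORD":
            data = int(data, 16) if data.lower().startswith("0x") else int(data)
        entries[name] = (vtype, data)
    return entries


def audit_phase_correction(entries, role, family="2003"):
    """Findings for time-change limits looser than the role's ceiling.
    An empty list means the listing meets the article's recommendation."""
    limit = CEILINGS[role]
    if limit is None:
        return []
    findings = []
    for name in PHASE_ENTRIES[family]:
        if name not in entries:
            findings.append(f"{name}: not set, built-in default applies; set to {limit} or lower")
            continue
        vtype, value = entries[name]
        if vtype != "REG_DWORD":
            findings.append(f"{name}: unexpected type {vtype}")
        elif value == ACCEPT_ANY:
            findings.append(f"{name}: 0xFFFFFFFF accepts any time change; set to {limit} or lower")
        elif value > limit:
            findings.append(f"{name}: {value} s exceeds the {limit} s ceiling")
    return findings


def audit_poll(entries, family="2003"):
    """Findings when the authoritative server polls less often than hourly."""
    if family == "2003":
        vtype, value = entries.get("MaxPollInterval", ("REG_DWORD", None))
        if vtype == "REG_DWORD" and value is not None and value > MAX_POLL_LOG2:
            return [f"MaxPollInterval: 2^{value} = {2 ** value} s between polls; set to {MAX_POLL_LOG2} or lower"]
        return []
    vtype, value = entries.get("Period", ("REG_DWORD", None))
    if value is None:
        return []
    if vtype != "REG_DWORD" or value == 0 or value >= 65531:
        return [f"Period: {value!r} names a schedule; confirm it polls at least hourly"]
    if value < MIN_SYNCS_PER_DAY:
        return [f"Period: {value} syncs per day is less than hourly; set to {MIN_SYNCS_PER_DAY}"]
    return []


if __name__ == "__main__":
    cfg = parse_dumpreg(SAMPLE_2003)
    for f in audit_phase_correction(cfg, "forest-root-pdc") + audit_poll(cfg):
        print("2003 forest root PDC:", f)
    params = parse_dumpreg(SAMPLE_2000)
    for f in audit_phase_correction(params, "stand-alone", "2000") + audit_poll(params, "2000"):
        print("2000 stand-alone:", f)
```

On a real system, feed the script the output of `w32tm /dumpreg /subkey:Config` (Windows Server 2003/XP) instead of the constructed sample; a domain member returns no phase-correction findings by design, matching the article's advice that the default is acceptable inside the domain.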

Windows Server 2000 SP 4 registry key
Keywords: kbsecurity kbhowto kbinfo KB884776

-


© Microsoft Corporation. All rights reserved.