5

I have been going through some of the warnings raised by BPA against our DCs to make sure everything is as it should be.

Everything has been going well until I got to the following warnings:

The value of MaxNegPhaseCorrection on the domain controller ********* should be equal to 48 hours

And:

The value of MaxPosPhaseCorrection on the domain controller ********* should be equal to 48 hours

I looked at the article on technet and it states that the registry setting under

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

should be equal to 172800.

From what I have seen every DC I have checked has this registry setting set to 172800. Is the BPA complaining that it is not applied via GPO? Or is there something else wrong here that I should be looking at?

1 Answers1

1

My opinion is that you should not mess with any of those esoteric reg entries such as MaxNegPhaseCorrection at all. Your forest root PDCe should sync with a trusted external time source, and all other Windows clients and servers should be left at default. Use w32tm /unregister and w32tm /register to return all the settings to defaults. Run Windows Update and ensure BPA rules are up to date. It is not necessary to have any Windows Time settings defined via GPO and it is often unnecessary to do so.

Ryan Ries
  • 55,011
  • 9
  • 138
  • 197
  • This is bad advice for a Windows 2003. MaxNegPhaseCorrection and MaxPosPhaseCorrection are not set by default, so you need to create the registry entries manually. On Win2k8 or later, those settings should be configured by default, but someone screwing with the system might have changed them (w32tm /unregister and w32tm /register will bring them back). – myron-semack May 13 '14 at 17:42
  • Also, I would recommend using a GPO for the PDCe time service configuration, so that it will endure whenever you upgrade/replace your PDCe in the future. – myron-semack May 13 '14 at 17:43
  • The tags on the question say 2008. I wasn't giving advice for 2003. And I disagree with you on using GPO to modify a single machine, but it's an option. – Ryan Ries May 13 '14 at 17:55
  • Rules may not be up to date. Are these available via WSUS or are they seperate downloads only? As for the time settings they are all set to Domain Hierarchy with the PDC set to the firewall (which then syns externally). I asked a question a while about setting this: http://serverfault.com/questions/367997/incorrect-time-source-on-dcs-server-2008-domain . –  May 14 '14 at 08:47