Time on Domain is 5 minutes fast

rr-4098 1,176 Reputation points
2024-03-19T17:24:36.82+00:00

I have an issue where my PDC and all of the servers, clients, etc. are using the same time, which is ~5 minutes fast. I need to correct this but am worried about rolling back time and auth issues. Should I roll back the time in 1-minute segments over a couple of days or modify the MaxPosPhaseCorrection in W32Tm as listed in the article below?

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/configure-w32ime-against-huge-time-offset


Accepted answer
  1. Marcin Policht 10,675 Reputation points MVP
    2024-03-19T20:01:06.3433333+00:00

    Yes - you should consider correcting the time drift incrementally to avoid Kerberos failures (which, by default, has a 5-minute drift tolerance).

    Alternatively, you can modify the default value (as per https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization and change it back to 5 minutes afterwards)


    hth

    Marcin


1 additional answer

  1. Yanhong Liu 1,780 Reputation points Microsoft Vendor
    2024-03-20T06:01:27.0466667+00:00

    Hello,

    Gradually adjusting the time on the primary domain controller (PDC) is a more secure way to minimize the risk of authentication. You can do this by rolling back the time in small increments (e.g. one minute per day over several days) until the correct time is reached. This helps to avoid sudden changes that can lead to Kerberos authentication, as the Kerberos protocol typically allows for a 5-minute deviation between the time on the client clock and the time on the domain controller's clock. At the same time, to ensure the accuracy of time synchronization, it is recommended that the PDC be configured to synchronize time from an authoritative external time source.

    Be careful to closely monitor the behavior of the system after any changes have been made, and test the impact of the changes in a non-production environment to ensure that there is no adverse impact on the production environment.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu
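
A read-only way to measure the drift on the PDC before choosing between the approaches in the answers above, as an added example that is not part of the thread or of Microsoft's documentation. The reference server, the parameter names and the output property names are assumptions made for illustration; the script only reads the offset and the W32Time phase-correction limits and changes nothing.

```powershell
# Added example: read-only, changes no time or registry settings.
param(
    [string]$Reference = 'time.windows.com',  # assumption: substitute a source you trust
    [int]$Samples = 5,
    [int]$KerberosToleranceSeconds = 300      # the 5-minute default cited in the answers
)

# /dataonly prints one line per sample, e.g. "17:24:36, +300.1234567s" (constructed sample)
$raw = & w32tm.exe /stripchart "/computer:$Reference" "/samples:$Samples" /dataonly
$offsets = foreach ($line in $raw) {
    # Lines that report an error instead of an offset do not match and are skipped
    if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
        [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    }
}
if (@($offsets).Count -eq 0) { throw "No offset samples returned for $Reference" }

# Phase-correction limits are REG_DWORD seconds; 0xFFFFFFFF can surface as -1
function ConvertTo-Seconds($Value) {
    $n = [int64]$Value
    if ($n -lt 0) { $n += 4294967296 }
    $n
}
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$maxPos = ConvertTo-Seconds $cfg.MaxPosPhaseCorrection
$maxNeg = ConvertTo-Seconds $cfg.MaxNegPhaseCorrection

$avg = ($offsets | Measure-Object -Average).Average
$abs = [math]::Abs($avg)

[pscustomobject]@{
    Reference               = $Reference
    SamplesUsed             = @($offsets).Count
    OffsetSeconds           = [math]::Round($avg, 3)   # signed, as reported by w32tm
    MaxPosPhaseCorrection   = $maxPos
    MaxNegPhaseCorrection   = $maxNeg
    ExceedsPosLimit         = $abs -gt $maxPos
    ExceedsNegLimit         = $abs -gt $maxNeg
    # Gap a not-yet-resynced member would see if the whole offset were corrected at once
    WithinKerberosTolerance = $abs -lt $KerberosToleranceSeconds
}
```

Re-running it after each incremental adjustment shows how much offset remains and whether the remaining correction still exceeds the configured limits.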
