AD DS: The value of MaxNegPhaseCorrection on this domain controller should be equal to 48 hours

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Warning

Category

Configuration

Issue

The current value of MaxNegPhaseCorrection on this domain controller is not the recommended value.

Impact

If the value of MaxNegPhaseCorrection on this domain controller is less than 48 hours, this domain controller might reject accurate and genuine time updates from other time servers. If the value of MaxNegPhaseCorrection on this domain controller is greater than 48 hours, this domain controller will be able to adopt large fluctuations backward in time, which can cause problems throughout the domain.

Windows operating systems include the Windows Time service (W32time). This service ensures that all the computers in an organization that are running Microsoft Windows operating systems (excluding operating systems earlier than Windows 2000) use a common time. By default, the domain controller that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role at the root of the forest is the authoritative time server for the organization.

A review of time rollbacks has shown that computers can adopt time that can be days, months, years, or even decades in the future or in the past. These time rollbacks can be caused, for example, by hardware failures on domain controllers or the network’s PDC, an incorrect external time source, a failed CMOS battery, or other problems.

The Windows Time service supports two registry entries, MaxPosPhaseCorrection and MaxNegPhaseCorrection, that restrict the samples that the Windows Time service accepts on a local computer when those samples are sent from a remote computer. When a computer that is running in a steady state receives a time sample from its time source, the sample is checked against the phase correction boundaries that the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries impose. If the time sample falls within the limits that the two registry entries enforce, this sample is accepted for additional processing. If the time sample does not fall within these limits, the time sample is ignored.

To prevent this domain controller from rejecting accurate time updates from other time servers and from adopting large fluctuations backward in time, we recommend that you set the value of MaxNegPhaseCorrection on this domain controller to 48 hours.

Resolution

If the Windows Time Service Group Policy settings have been applied to this domain controller, configure the MaxNegPhaseCorrection Group Policy setting to a decimal value of 172800 (48 hours). If the Windows Time Service Group Policy settings have not been applied to this domain controller, set the value of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection to a decimal value of 172800 (48 hours).

If the Windows Time service Group Policy settings have been applied to this domain controller, you can use the following procedure to update the value of the MaxNegPhaseCorrection Group Policy setting.

Membership in Domain Admins, Enterprise Admins, or Group Policy Creator Owners group is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To update the value of the MaxNegPhaseCorrection Group Policy setting

  1. Open the Group Policy Management snap-in. To open Group Policy Management, click Start, click Administrative Tools, and then click Group Policy Management.

  2. In the console tree, select the Group Policy object (GPO) for the Windows Time service that is linked to this domain controller and then open the Group Policy Management Editor snap-in. To open the Group Policy Management Editor, right-click the selected GPO, and then click Edit.

Note

It is not recommended to link your Windows Time Service GPO to the entire domain (in other words, linking it to all domain controllers and member servers in this domain). If you want to configure Windows Time Service for a selected domain controller through Group Policy, we recommend that you create a GPO for Windows Time Service and link it to that specific domain controller.

  1. In the console tree, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then expand Windows Time Service.

  2. In the details pane, double-click Global Configuration Settings.

  3. In Global Configuration Settings, under Options, navigate to MaxNegPhaseCorrection, set the value to 172800 (a decimal value for 48 hours), and then click OK.

If the Windows Time service Group Policy settings have not been applied to this domain controller, you can use the following procedure to update the value of MaxNegPhaseCorrection through the registry.

To update the value of the MaxNegPhaseCorrection registry key

  1. Open the Registry Editor. To open the Registry Editor, click Start, click Run, and then type regedit.

  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection.

  3. Set the value of MaxNegPhaseCorrection to 172800 (a decimal value for 48 hours).

Additional references

For more information, see article 884776 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=46021).