CCE
CCE-37344-9

Platform: win2012r2
Date: (C)2015-10-08   (M)2022-10-10



Maximum tolerance for computer clock synchronization

Many security services, especially authentication, rely on an accurate computer clock to perform their jobs. You should ensure computer time is accurate and that all servers in your organization use the same time source. The Windows Server 2003 W32Time service provides time synchronization for Windows Server 2003 and Microsoft Windows XP-based computers that run in an Active Directory domain. The W32Time service synchronizes the clocks of Windows Server 2003-based computers with the domain controllers in a domain. This synchronization is necessary for the Kerberos protocol and other authentication protocols to work properly. To function correctly, a number of Windows Server family components rely on accurate and synchronized time. If the clocks are not synchronized on the clients, the Kerberos authentication protocol might deny access to users. Another important benefit that time synchronization provides is event correlation on all of the clients in your enterprise. Synchronized clocks on the clients in your environment ensure that you can correctly analyze events that take place in uniform sequence on those clients throughout the organization.

The W32Time service uses the Network Time Protocol (NTP) to synchronize clocks on computers that run Windows Server 2003. In a Windows Server 2003 forest, time is synchronized by default in the following manner:
- The primary domain controller (PDC) emulator operations master in the forest root domain is the authoritative time source for the organization.
- All PDC operations masters in other domains in the forest follow the hierarchy of domains when they select a PDC emulator with which to synchronize their time.
- All domain controllers in a domain synchronize their time with the PDC emulator operations master in their domain as their inbound time partner.
- All member servers and client desktop computers use the authenticating domain controller as their inbound time partner.

To ensure that the time is accurate, the PDC emulator in the forest root domain can be synchronized to an authoritative time source, such as a reliable NTP source or a highly accurate clock on your network. Note that NTP synchronization uses UDP port 123 traffic. Before you synchronize with an external server, you should weigh the benefits of opening this port against the potential security risk. Also, if you synchronize with an external server that you do not control, you risk configuring your servers with the incorrect time. The external server could be compromised or spoofed by an attacker to maliciously manipulate the clocks on your computers. As explained earlier, the Kerberos authentication protocol requires synchronized computer clocks. If they are not synchronized, a denial of service may occur.


Parameter:


Technical Mechanism:

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy!Maximum tolerance for computer clock synchronization
(2) WMI: root\rsop\computer#RSOP_SecuritySettingNumeric#Setting#KeyName='MaxClockSkew'
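The following PowerShell script is an added example and is not part of the CCE record or SecPod's own tooling. It audits the setting through mechanism (2) above, reading the resultant RSOP_SecuritySettingNumeric entry for MaxClockSkew, and then reports how far the host's clock actually is from its inbound time partner, which is the condition the description above is ultimately protecting. It assumes a domain-joined Windows Server 2012 R2 host, an elevated session (the RSOP namespace is not readable otherwise), English-locale w32tm output for the parsing, and a threshold of 5 minutes, which is the Windows default rather than a value stated in this record.

```powershell
# Added example, not SecPod's or Microsoft's code: audit the effective Kerberos
# "Maximum tolerance for computer clock synchronization" and the host's current
# clock offset. Assumes: domain-joined Windows Server 2012 R2, elevated session,
# English w32tm output. The 5-minute threshold is the Windows default (assumption).
param(
    [int]$MaxSkewMinutes = 5
)

$findings = @()

# Mechanism (2): the resultant numeric security setting, lowest precedence wins.
$rsop = Get-CimInstance -Namespace 'root\rsop\computer' `
                        -ClassName RSOP_SecuritySettingNumeric `
                        -Filter "KeyName='MaxClockSkew'" |
        Sort-Object -Property precedence |
        Select-Object -First 1

if ($null -eq $rsop) {
    $findings += 'MaxClockSkew is not applied by any GPO; the domain Kerberos policy is not reaching this host.'
} else {
    $skew = [int]$rsop.Setting   # stored in minutes
    "Effective MaxClockSkew: $skew minute(s) (GPO id $($rsop.GPOID))"
    if ($skew -gt $MaxSkewMinutes) {
        $findings += "MaxClockSkew of $skew minute(s) exceeds the expected maximum of $MaxSkewMinutes."
    }
}

# Which inbound time partner is W32Time really using? Strip any ",0x9"-style flags.
$source = ((& w32tm /query /source 2>&1 | Out-String).Trim()) -replace ',0x[0-9a-fA-F]+$', ''
"Time source: $source"

if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    # No partner at all: the clock will drift until Kerberos starts rejecting tickets.
    $findings += 'W32Time is not synchronizing with any partner.'
} else {
    # Measure the offset against that partner. Needs UDP 123 to the partner, as the
    # record notes; a blocked port shows up here as "no samples" rather than a crash.
    $samples = & w32tm /stripchart /computer:$source /samples:3 /dataonly 2>&1
    # Data lines look like "12:00:01, +00.0123456s"; keep the numeric offsets only.
    $offsets = @(foreach ($line in $samples) {
        if ($line -match ',\s*([+-]?\d+(\.\d+)?)s\s*$') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        $findings += "Could not measure offset against $source (UDP 123 blocked or partner unreachable)."
    } else {
        $offsetSec = [math]::Abs($offsets[-1])
        "Offset from $source : $offsetSec second(s)"
        # Alert at half the Kerberos tolerance so drift is caught before logons fail.
        if ($offsetSec -gt ($MaxSkewMinutes * 60 / 2)) {
            $findings += "Clock offset of $offsetSec s is more than half the Kerberos tolerance."
        }
    }
}

if ($findings.Count -eq 0) { 'PASS: clock tolerance and synchronization look healthy.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it as `.\Check-ClockSkew.ps1` (or with `-MaxSkewMinutes 2` where a tighter tolerance is policy). The offset check deliberately trips at half the configured tolerance: by the time a host is a full MaxClockSkew away from its partner, Kerberos is already failing, so the useful signal is drift that is heading there.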

CCSS Severity:
CCSS Score:
Exploit Score:
Impact Score:
Severity:
Vector:

CCSS Metrics:
Attack Vector:
Attack Complexity:
Privileges Required:
User Interaction:
Scope:
Confidentiality:
Integrity:
Availability:

References:
Resource Id    Reference
XCCDF          1

© SecPod Technologies