
Maximum Tolerance For Computer Clock Synchronization

This setting determines how far out of sync the domain controller and a member computer can be before Kerberos operations fail. To protect against replay attacks, Kerberos uses timestamps that are verified against the system's current time, which requires all clocks within trusted Kerberos realms (including Windows domains) to be closely synchronized.

Within an AD environment, this synchronization happens automatically thanks to the Windows Time Service.

This setting defaults to 5 minutes.

If a computer is too far out of sync with the domain controller, you will get Account Logon failure events in the security log with failure code 0x25.
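The timestamp check described above can be modeled in a few lines. This is an added example, not Windows or WinSecWiki code: the class name, host names and times are constructed, the replay cache is simplified to a (client, timestamp) key, and the error values are the RFC 4120 codes for clock skew (0x25) and replay (0x22).

```python
from datetime import datetime, timedelta, timezone

OK = 0
KRB_AP_ERR_REPEAT = 0x22  # RFC 4120: request is a replay
KRB_AP_ERR_SKEW = 0x25    # RFC 4120: clock skew too great

class AuthenticatorChecker:
    """Simplified model of the receiver-side timestamp and replay checks."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew  # the "maximum tolerance" policy value
        self._seen = set()        # replay cache of (client, client_time)

    def check(self, client, client_time, now):
        # 1. Reject any timestamp outside the tolerance window.
        if abs(now - client_time) > self.max_skew:
            return KRB_AP_ERR_SKEW
        # 2. Drop cache entries that left the window; a replay of those
        #    would already be rejected by the skew test above.
        self._seen = {k for k in self._seen
                      if abs(now - k[1]) <= self.max_skew}
        # 3. Inside the window, an identical authenticator is a replay.
        key = (client, client_time)
        if key in self._seen:
            return KRB_AP_ERR_REPEAT
        self._seen.add(key)
        return OK

def demo():
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    stamp = t0 - timedelta(seconds=30)
    default = AuthenticatorChecker()  # 5-minute tolerance
    loose = AuthenticatorChecker(max_skew=timedelta(minutes=15))
    return {
        "in_sync": default.check("ws01$", stamp, t0),
        "replay_after_2_min": default.check(
            "ws01$", stamp, t0 + timedelta(minutes=2)),
        "replay_after_10_min": default.check(
            "ws01$", stamp, t0 + timedelta(minutes=10)),
        "clock_7_min_slow": default.check(
            "ws02$", t0 - timedelta(minutes=7), t0),
        "clock_7_min_slow_loose": loose.check(
            "ws02$", t0 - timedelta(minutes=7), t0),
    }

if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name}: {code:#04x}")
```

Raising the tolerance makes the skewed host succeed, but it also lengthens the period during which a captured authenticator still passes the timestamp test and must be caught by the replay cache instead.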

Bottom line

Leave this at the default unless you have special circumstances requiring more tolerance due to poor time synchronization on your network.
