borgmember

After 8 to 12 hours some clients get booted from the network

Hi,

I have a difficult-to-solve problem that I haven't been able to get help on previously, so I'm going to take another try at it.

We have a single Windows 2003 domain. We have two DCs at headquarters. All of our machines are virtualized on ESX. All clients are Windows XP SP1 and SP2. Each runs Symantec Corporate antivirus. Some people have been affected by this and after a few months the problem goes away; others always have this problem every day and must reboot to gain access again.

The problem: All times CST.

At around 3 to 5 pm, users will be printing, using email, saving documents on the server, etc., when suddenly they receive these errors:

Client one - in picture error #1 - "Windows Needs your current credentials to ensure network connectivity"
Client Two - errors # 2- Multiple errors see screenshots

At that time they will not be able to print, Exchange goes from connected to offline, and they cannot access any file shares, even on NAS devices that authenticate through AD. The only way we have found to fix this is to reboot the computer.

Things I have checked:

1. Time on each machine is almost exactly the same as the server and other workstations that are not having this problem.
2. Logon hours, etc. in AD are set to allow all the time.
3. Network cards are not set to go into powersave.
4. In Windows and the BIOS, machines are set to always on and no power-saving features are enabled.

This one has me stumped, help!
errors.JPG
Jammer59

http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
This link may help you. I'm thinking it may be an issue with the NIC or the drivers bound to the NIC (and the order in which they are bound). It may also be that the client's time is out of sync with the LDAP server. Do you use RTP to keep time in sync? Are you up to date on your server support packs?
borgmember (ASKER)

Hmm. Each machine has different hardware: one's a white box while the other is a Dell laptop, so they have different NICs but the same problem, so I am leaning away from that. Also, the Dell at least was loaded recently and had the newest drivers applied at that time. We use the time sync that is built into the domain; should we be using something else? All of the servers have the newest patches for everything as of last week.
pseudoSean

Any chance your DHCP server is giving an 8-hour lease? Seems coincidental to me that many DHCP servers are defaulted to this.
ASKER CERTIFIED SOLUTION
JTOCCO

This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
Don

This solution is only available to members.
This could be another one of your issues:
http://support.microsoft.com/kb/259922
The DHCP was a good idea, but ours is set to 8 Days.

I like JTOCCO's idea of the 10 hours. I am almost positive this happens after 10 hours to these people. It just so happens a user called me just a little bit ago and said he got here at 6:30 am and his machine disconnected from Exchange. When I went to his machine it could get to everything except Outlook/Exchange was asking for his password. Usually he wouldn't be able to access anything until a reboot. So I ran the klist tool and got the below: (I took out our company name and changed the server names)

Cached Tickets: (11)

   Server: krbtgt/company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/12/2008 2:47:20
      Renew Time: 12/18/2008 16:47:20


   Server: krbtgt/company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/12/2008 2:47:20
      Renew Time: 12/18/2008 16:47:20


   Server: cifs/svr-b03.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/12/2008 2:47:20
      Renew Time: 12/18/2008 16:47:20


   Server: exchangeMDB/svr-b99.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/12/2008 2:47:20
      Renew Time: 12/18/2008 16:47:20


   Server: exchangeAB/svr-b03.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: exchangeRFR/svr-b99.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: cifs/SVR-500a.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: cifs/SVR-500a@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: cifs/svr-b13.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: ldap/SVR-B13.company.com/company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26


   Server: LDAP/SVR-B13.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26

That confirms the 10-hour thing. I then closed Outlook and re-opened it and to my surprise it connected again. So does this confirm it's our Kerberos keys expiring?
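
An added example, not part of the original thread: a Python sketch that parses klist output in the layout quoted above and derives each ticket's lifetime from its End Time and Renew Time. It assumes the renewal window is the 7-day default (the thread does not state the domain's value); the sample text, the function names and the "now" timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the same layout as the klist output quoted above.
SAMPLE = """\
Cached Tickets: (2)

   Server: krbtgt/company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/12/2008 2:47:20
      Renew Time: 12/18/2008 16:47:20

   Server: exchangeAB/svr-b03.company.com@company.com
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 12/11/2008 16:33:26
      Renew Time: 12/18/2008 6:33:26
"""

RENEW_WINDOW = timedelta(days=7)  # assumption: default renewal window
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return one dict per cached ticket with its server and timestamps."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Server":
            cur = {"server": value}
            tickets.append(cur)
        elif cur is not None and key in ("End Time", "Renew Time"):
            cur[key] = datetime.strptime(value.strip(), FMT)
    return tickets


def ticket_report(text, now):
    """Return (server, derived lifetime, expired?) for each complete entry."""
    rows = []
    for t in parse_klist(text):
        if "End Time" not in t or "Renew Time" not in t:
            continue  # skip truncated entries
        issued = t["Renew Time"] - RENEW_WINDOW  # issue time is inferred
        rows.append((t["server"], t["End Time"] - issued, t["End Time"] <= now))
    return rows


if __name__ == "__main__":
    now = datetime(2008, 12, 11, 17, 0, 0)  # constructed "current" time
    for server, lifetime, expired in ticket_report(SAMPLE, now):
        print(f"{server:45} lifetime={lifetime} expired={expired}")
```

Tickets that report as expired while the krbtgt entry is still valid point at service tickets that were not refreshed, which matches the Exchange-only password prompt described in the post.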
I think you are right on target.

The default setting for a client's Kerberos ticket TGT is 10 hours. You might consider setting that for a day.

How would I go about doing that?
SOLUTION
This solution is only available to members.
I thought you might like this info. Not many change this setting, so it was a bit hard to find.

http://windowsitpro.com/article/articleid/15313/how-can-i-change-the-ticket-lifetime-used-by-kerberos.html

The ticket needs to be within 10 minutes to 7 days. The ticket is renewed every time the person logs in. So, I wouldn't set this too long. Maybe 14 hours at most for those people with no life outside of work.

I think this advice is spot on. I am sure changing the "Maximum lifetime for user ticket" will band-aid the problem. I wonder why most clients, such as my desktop, work just fine while less than 10 percent have this issue. We are all at the same location, etc. I have been asked to find and enable Kerberos logging on the clients that have this problem, and maybe it will show details of why it's actually happening. Does anyone know how to do this? Maybe I should start a new request as this one is lengthy!
SOLUTION
This solution is only available to members.
Kerberos Logging: http://support.microsoft.com/kb/262177

Remember to turn it off when you are done!
I would caution against changing these defaults. They are in place for security reasons.