We help IT Professionals succeed at work.

Kerberos Error Event ID 5

ipsbend
ipsbend asked
on
We are a SBS2003 SP2/Exchange 03 w/ XP clients environment. We are receiving the Event ID 5 error on our server for some of the clients in our network:
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      5
Date:            01/28/2008
Time:            8:04:21 AM
User:            N/A
Computer:      Server
Description:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server desktop05$.  This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator  to make sure the client and server times are in sync, and that the KDC in realm domain.LOCAL is  in sync with the KDC in the client realm.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

In addition, all of our clients are getting the Event ID 29:
Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      29
Date:            1/27/2008
Time:            10:49:41 AM
User:            N/A
Computer:      desktop20
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm thinking it's a time service problem. The Windows time service is started on the server. I've tried using the "net time" command on the clients but it didn't work.

Can anyone help?
Comment
Watch Question

Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014
Commented:
ipsbend,

That's a good guess of what it is.  Run the following commands at a CMD prompt to configure your SBS with an authoritative time server that will work better for your network:

w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:MANUAL
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /nowait

Then you can either rerun "w32tm /resync" on all of your workstations, or you can add the following line to your SBS_LOGIN_SCRIPT.bat file and it'll sync each workstation automatically at the next login:

net time \\<servername> /set /y

(replacing <servername> with your actual server's name)


Jeff
TechSoEasy

Author

Commented:
Hi, Jeff. About the external source, I don't know much about them. I didn't see the one you mentioned on the MS site: http://support.microsoft.com/default.aspx/kb/q262680/. I was wondering if there is a particular reason why you use pool.ntp.org or is it just personal preference?

Thx!
Jeffrey Kane - TechSoEasyPrincipal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
The advantage of pool.ntp.org is that you are using a cluster of over 500 servers (if in North America -- over 900 in Europe, etc.) so you never have a problem getting a connection.  

You can read more about it here:  http://www.pool.ntp.org

Since I've switched the servers I manage to using these I never have a problem at all with W32Time.

Jeff
TechSoEasy

Author

Commented:
One thing I will add to this: We had a GPO on the server that was overriding some of this configuration. Removing the settings from the GPO allowed this solution to work.