Solved

Windows 2003 Server SBS stops accepting logins overnight, have to restart to log back in.

Posted on 2008-10-13
Last Modified: 2012-05-05
Please help!  I have a client who has Windows 2003 Server SBS with SP2.  Starting last Thursday morning, no one could log in to Exchange, so I restarted the server and then everyone could log back in.  The same thing happened again Friday morning.  A restart fixed it again.  Guess what, this morning, the server was locked out again.  This time I couldn't even log on as Administrator.

I checked the event viewer and there are loads of errors.  

This error comes up far more than any of the others:

10/13/2008      8:40:44 AM      KDC      Error      None      7      N/A      SERVER      The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was "username" and lookup type 0x0.

I can't figure out what the problem is to save my life.  There are other errors as well, such as this one:

10/13/2008      5:20:47 AM      W32Time      Warning      None      22      N/A      SERVER      The time provider NtpServer encountered an error while digitally signing the  NTP response for peer 192.168.1.3:123.  NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: A device attached to the system is not functioning. (0x8007001F)

If anyone has any idea what could be causing these problems, please let me know.  I have tried netdiag and everything passes.

Regards,
Brock
Question by:bmiller79
 
LVL 5

Expert Comment

by:ccns
ID: 22707364
Have a look at this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;321044
Is this what is happening, more or less? Try the resolution.
0
 

Author Comment

by:bmiller79
ID: 22707435
That is not quite the error I am getting in the event log...  Why would this have started all of a sudden?  There were no changes to the network or PCs or any names...
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22707632
You have probably heard that TIME is important to log into the domain. Now, I think you are experiencing this problem. So, it sounds like you need to straighten out time synchronization.

By default, the PDCe will synch the entire domain to itself. So, all you have to do is 1) make sure group policy is not overriding the default settings and then 2) synch the PDCe to an outside time source.
______________________________________________________________________________
1) Windows Time Service Group Policy Settings
You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations. What you want to do is go back to the undefined settings of these group policies and let the time 2003 server synch as it would in its default configuration.

Computer Configuration\Administrative Templates\System\Windows Time Service
Configure Global Configuration Settings here.

Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
Configure Windows NTP Client settings here.
Enable Windows NTP Client here.
Enable Windows NTP Server here.
_____________________________________________________________________________
2) To synch your PDCe to an outside time source you can download a free utility, called Symmtime: It will synch your system up to an outside time source automatically.

http://www.download.com/SymmTime/3000-2350_4-10219820.html

Symmtime was designed by Symmetricom. Symmetricom is a Time Server Manufacturer. It is very simple to configure, by right clicking the window for the clocks.  Many people love this program. In fact, here are a couple examples:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2000_Server/Q_23022137.html
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23176154.html

And the method I use for setting up Time:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22799695.html
________________________________________________________________________________
AS A BONUS))
Now that you have downloaded Symmetricom and disabled the time policies, things should work very well. But, you may want to audit this. To do so, there is a second utility called "LMcheck".

The LMCheck tool runs on either Windows NT4/2K/XP/2003/Vista/2008 32-bit systems or Windows XP/2003/Vista/2008 64-bit systems, although it can scan any machine running Microsoft Networking that responds to NetRemoteTOD queries.


   

0
 

Author Comment

by:bmiller79
ID: 22708257
ChiefIT,

Thank you for your detailed response!  I will work on these items right away.  

I am not sure that they are using group policies at all???  But I'll check...

The only question I have is how would this start happening suddenly out of nowhere??  Is this possible?  Or is something else going on to cause this?  Again, I will try what you have recommended, but I wish I understood why it would happen in the first place.  Do you know?

Also, since this is a small office, this is the only server, so of course it is the PDC, and it has about 11 clients.  It's a pretty simple setup.  I just don't see why all of a sudden it would start doing this?

I will let you know as soon as I have tried what you talked about.  If it works, I will GLADLY give you the points!

Thank you,

Brock
0
 

Author Comment

by:bmiller79
ID: 22708326

I am not able to find the snap-in to check on the Windows Time service group policies??
0
 

Author Comment

by:bmiller79
ID: 22708370
I set up and installed symmtime and LMcheck.  Everything is good there.

It is telling me I should install domain time.  I have about half of the machines which are at least 1 minute out of sync.  I have no idea how to install "domain time".  I do see that they offer a product, but I really wanted to do this without paying money, if possible.

I still can't find the snap-in for windows time group policy control.  

Brock
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22708915
In my opinion, it is easiest to use GPMC (Group Policy Management Console) to administer Group policy.

Once downloaded, you can install the snapin to the MMC console or run it from administrative tools.

http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

In GPMC, you will find the default domain policy that I think will be the one you have to edit for the group policy changes. IP 192.168.1.3:123 is the IP address that your PDCe is trying to synch with. If that is the IP of your server, the server is trying to synch with itself. This is what is telling me there is a Group policy, as the default domain policy, pointing your clients and servers to the PDCe for time synchronization. The PDCe can't synch with itself for time or you will receive errors.
0
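
An added example, not part of the thread and not written by its participants: the two steps from the accepted answer (check for a Group Policy override, then synch the PDCe to an outside time source) carried out with the built-in reg and w32tm tools instead of SymmTime and GPMC. The time source pool.ntp.org is an assumption; substitute the NTP server you trust.

```batch
@echo off
rem Added example: run from a command prompt on the SBS server (the PDCe).
rem ASSUMPTION: pool.ntp.org is the outside time source; replace as needed.

rem 1) Time settings pushed by Group Policy are stored under this key and
rem    override the local W32Time configuration. If reg reports that the key
rem    cannot be found, no time policy is applied to this machine.
reg query "HKLM\SOFTWARE\Policies\Microsoft\W32Time" /s

rem 2) Local configuration. Type=NT5DS means "follow the domain hierarchy",
rem    Type=NTP means "use the peers listed in NtpServer". On the PDCe,
rem    NtpServer must not name the server itself (here 192.168.1.3).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

rem 3) Point the PDCe at the outside source and advertise it as reliable.
w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update

rem 4) Restart the time service and force a resynchronization.
net stop w32time
net start w32time
w32tm /resync /rediscover

rem 5) Verify: offset of this server against the outside source (5 samples),
rem    then the offsets of the domain controllers as seen from here.
w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
w32tm /monitor

rem 6) On a domain client that is out of sync, return it to the domain
rem    hierarchy and resync (run these two lines on the client, not here):
rem      w32tm /config /syncfromflags:domhier /update
rem      w32tm /resync
```

After step 4, the W32Time entries in the System event log show whether the server accepted the new source; the event 22 warning naming 192.168.1.3:123 should stop appearing once nothing is pointed at the server's own address.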
