Solved

Windows Active Directory Timeout

Posted on 2009-04-08
Last Modified: 2012-05-06
Hello Everyone,

We have a backup software that is running an agent on a server using a domain admin account.  The agent is doing message level backups on the Exchange store. We are noticing that the backups will fail with authentication failures.  Once we restart the service the backups will resume.  Any ideas?

Exchange Server 2003 SP2

 
Question by:TSRich02
LVL 8

Expert Comment

by:dmarinenko
ID: 24099070
What software are you running?  Is it trying to check/verify the backup?  In Exchange 2003 administrators do not have full access to individual mailboxes.  Sometimes it's easiest to create an Exchange Admin account and give them the appropriate rights.
0
 

Author Comment

by:TSRich02
ID: 24099127
I was not given the software name.  However, it is an offsite backup software which, from what I am told, does not have a great knowledge base.

This account is a domain admin as well as an Exchange Admin.  The backup process will work fine (the backup is running continuously) and does so for a few days.  However, out of nowhere the authentication failed errors start to be reported.  My thought was something is expiring the login since we can just restart the agent service and the backups will continue without problems for a while.
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099587
What is the name of the agent service you are restarting?
0

 

Author Comment

by:TSRich02
ID: 24099614
The service is Message-Level-Backup.  Are you thinking this may be an issue with the software?
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099992
Well, here is where I am going with this, and one question can sort it out.  Are you getting the authentication error in Windows or through the program?  In other words, do you have event log errors?

If it is through the service, I am sure they use some kind of encryption; the key may expire after a few days.

If you look in the event log and see errors, what is the ID and message?

0
 

Author Comment

by:TSRich02
ID: 24100024
That has been another challenge in this issue.  The Exchange server event logs don't go back in time to when some of these events took place so we do not know for sure that they do or do not appear on the Windows Event log.

The application records the error in its own event log as a System 0x80040E4D Error: Failed to search folders : Authentication failed.  
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24100902
I would guess it has something to do with the Kerberos time limit. I know a ticket is good for 10 hours by default but will try and renew for 7 days.  I wonder if it isn't renewing?  Have you tried turning off the firewall?  Looking at any access errors in the security tab of Event Viewer at the time the issues start?

Does this account stay logged in all the time? Or just when it goes to back up? That could be the issue if it is continuously logged on.

If it isn't continuously logged on, then as an imperfect fix you could have the login run a script with a net stop and net start on the "Message-Level-Backup" service; that might work for you.  I wouldn't do it on the main administrator account though, as that would be a pain, just whatever account is being used for this.  I am not 100% sure the script will run on a service login though, as opposed to an actual user login.  Never tried it for that type of a use.  That is a goofy issue; if you had the name of the backup software/service you are using, that may help.
0
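One way to check the ticket-lifetime guess above against the application's own log, as an added example that is not part of the original thread: it measures how long the service had been up when the first 0x80040E4D error appeared after each start and compares that with the 10-hour and 7-day figures quoted above. The log layout, the SERVICE_START marker and every timestamp are constructed for illustration; the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Default Kerberos figures quoted in the thread: 10 h ticket, 7 d renewal.
TICKET_LIFETIME = timedelta(hours=10)
RENEWAL_LIMIT = timedelta(days=7)
# Constructed sample; the line layout and SERVICE_START marker are assumptions.
SAMPLE_LOG = """\
2009-03-20 03:00:05 SERVICE_START Message-Level-Backup
2009-03-27 04:12:40 ERROR System 0x80040E4D Error: Failed to search folders : Authentication failed.
2009-03-27 04:13:40 ERROR System 0x80040E4D Error: Failed to search folders : Authentication failed.
2009-03-27 09:30:00 SERVICE_START Message-Level-Backup
2009-03-29 21:45:10 ERROR System 0x80040E4D Error: Failed to search folders : Authentication failed.
"""

def parse(line):
    """Return (timestamp, 'start' | 'authfail'), or None for other lines."""
    parts = line.split(None, 2)
    try:
        ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        rest = parts[2]
    except (ValueError, IndexError):
        return None
    if rest.startswith("SERVICE_START"):
        return ts, "start"
    if "0x80040E4D" in rest:
        return ts, "authfail"
    return None

def classify(uptime):
    if uptime < TICKET_LIFETIME:
        return "within first ticket lifetime"   # ticket expiry cannot explain it
    if uptime < RENEWAL_LIMIT:
        return "inside renewal window"          # a renewal may have failed
    if uptime <= RENEWAL_LIMIT + TICKET_LIFETIME:
        return "at renewal limit"               # last renewed ticket ran out
    return "past renewal limit"

def uptime_at_first_failure(log_text):
    """One (start, uptime, verdict) per service start that later failed."""
    results, start, seen = [], None, False
    for ts, kind in filter(None, map(parse, log_text.splitlines())):
        if kind == "start":
            start, seen = ts, False
        elif start is not None and not seen:    # only the first failure counts
            seen = True
            results.append((start, ts - start, classify(ts - start)))
    return results

if __name__ == "__main__":
    print(uptime_at_first_failure(SAMPLE_LOG))
```

Failures that keep landing in the "at renewal limit" band point at the renewal lifetime; failures scattered through the renewal window point elsewhere.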
 

Author Comment

by:TSRich02
ID: 24100944
I wish I had the system event logs for the time frame we noticed these errors.  However, we do not have any security logs for this time period.  

No firewall is running on this system.  This is not an interactive user, just a program being launched under a domain / Exchange admin account.  The process is always running as it does a continuous backup looking for any changes on any user's mailbox and then sending them.  Think of it like BackupExec's mailbox level backup.  This service is constantly running so I am not sure if that is what you mean.

Where can I check the timeout for the Kerberos time limit?
0
 
LVL 8

Accepted Solution

by:dmarinenko
ID: 24101247
There is an entire description and settings you can change here: http://technet.microsoft.com/en-us/library/cc772815.aspx

One thing that might be the easiest though, if more of a hack than a fix.

Go into notebook, make a file with the following
Net stop whatever-service
Net start whatever-service

Save it as whatever.bat; make sure to change it from saving as a text file to saving as all files.

Then go to Control Panel and scheduler and have it run once a day at 3 in the morning; this would automate your stopping and starting of the service.
0
 

Author Closing Comment

by:TSRich02
ID: 31568122
Thanks for providing as much help as you could.  I will try the net stop script to correct this.  Our goal was to understand why more than anything.  Thanks again!
0
