[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Windows Active Directory Timeout

Posted on 2009-04-08
10
Medium Priority
?
443 Views
Last Modified: 2012-05-06
Hello Everyone,

We have a backup software that is running an agent on a server using a domain admin account.  The agent is doing message level backups on the exchange store. We are noticing that the backups will fail with authentication failures.  Once we restart the service the backups will resume.  Any ideas?

Exchange Server 2003 SP2

 
0
Comment
Question by:TSRich02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099070
What software are you running?  Is it trying to check/verify the backup?  In exchange 2003 administrators do not have full access to individual mailboxes.  Sometimes it's easiest to create a Exchange Admin account and give them the appropriate rights.
0
 

Author Comment

by:TSRich02
ID: 24099127
I was not given the software name.  However, it is an offsite backup software who from what I am told does not have a great knowledge base.  

This account is a domain admin as well as an Exchange Admin.  The backup process will work fine (The backup is running continuous) and does so for a few days.  However out of no where the authentication failed errors start to be reported.  My thought was something is expiring the login since we can just restart the agent service and the backups will continue without problems for a while.  
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099587
What is thename of the agent service you are restarting?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:TSRich02
ID: 24099614
The service is Message-Level-Backup.  Are you thinking this maybe an issue with the software?  
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099992
Well here is where i am going with this, and one question can sort it out.  are you getting the authentication error in windows or through the program?  In other words, do you have even log errors?

If it is through the service I am sure they use some kind of encryption, the key may expire after a few days.

If you look in the event log and see errors what is the id and message?

0
 

Author Comment

by:TSRich02
ID: 24100024
That has been another challenge in this issue.  The Exchange server event logs don't go back in time to when some of these events took place so we do not know for sure that they do or do not appear on the Windows Event log.

The application records the error in its own event log as a System 0x80040E4D Error: Failed to search folders : Authentication failed.  
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24100902
I would guess it has something to do with the kerberos time limit. I know a ticket is  good for 10 hours by default but will try and renew for 7 days.  I wonder if it isn't renewing?  Have you tried turning off the firewall?  Looking at any access errors in the security tab of event viewer at the time the issues start?

Does this account stay logged in all the time? Or just when it goes to back up. That could be the issue if it is continuously logged on.  

If it isn't continuously logged on then as an imperfect fix you could have the login run a script with a net stop and net start on the "Message-Level-Backup" service, that might work for you.  I wouldn't do it on the main administrator account though as that would be a pain, just whatever account is being used for this.  I am not 100% sure the script will run on a service login though, as opposed to an actual user login.  Never tried it for that type of a use.  That is a goofy issue if you had the name of the backup software/service you are using that may help.
0
 

Author Comment

by:TSRich02
ID: 24100944
I wish I had the system event logs for the time frame we noticed these errors.  However, we do not have any security logs for this time period.  

No firewall is running on this system.  This is not an interactive user just a program being launched under a domain / exchange admin account.  The process is always running as it does a continuous backup looking for any changes on any users mailbox and then sending them.  Think of it like BackupExec's mailbox level backup.  This service is constantly running so I am not sure if that is what you mean.  

Where can I check the timeout for kerberos timelimit?
0
 
LVL 8

Accepted Solution

by:
dmarinenko earned 2000 total points
ID: 24101247
There is an entire description and settings you can change here http://technet.microsoft.com/en-us/library/cc772815.aspx

One thing that might be the easiest though, if more of a hack then a fix.

Go into notebook, make a file with the following
Net stop whatever-service
Net start whatever-service

Save it as whatever.bat make sure to change it from saving as a text file to saving as all files

Then go to control panel and scheduler, have it run once a day at 3 in the morning, this would automate your stopping and starting of the service.
0
 

Author Closing Comment

by:TSRich02
ID: 31568122
Thanks for providing as much help as you could.  I will try the net stop script to correct this.  Our goal was to understand why more than anything.  Thanks again!
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question