Solved

Windows Active Directory Timeout

Posted on 2009-04-08
10
378 Views
Last Modified: 2012-05-06
Hello Everyone,

We have backup software that is running an agent on a server using a domain admin account. The agent is doing message-level backups on the Exchange store. We are noticing that the backups will fail with authentication failures. Once we restart the service the backups will resume. Any ideas?

Exchange Server 2003 SP2

 
0
Comment
Question by:TSRich02
10 Comments
 
LVL 8

Expert Comment

by:dmarinenko
What software are you running? Is it trying to check/verify the backup? In Exchange 2003, administrators do not have full access to individual mailboxes. Sometimes it's easiest to create an Exchange Admin account and give them the appropriate rights.
0
 

Author Comment

by:TSRich02
I was not given the software name. However, it is an offsite backup software that, from what I am told, does not have a great knowledge base.

This account is a domain admin as well as an Exchange Admin. The backup process will work fine (the backup is running continuously) and does so for a few days. However, out of nowhere the authentication failed errors start to be reported. My thought was something is expiring the login, since we can just restart the agent service and the backups will continue without problems for a while.
0
 
LVL 8

Expert Comment

by:dmarinenko
What is the name of the agent service you are restarting?
0
 

Author Comment

by:TSRich02
The service is Message-Level-Backup. Are you thinking this may be an issue with the software?
0
 
LVL 8

Expert Comment

by:dmarinenko
Well, here is where I am going with this, and one question can sort it out. Are you getting the authentication error in Windows or through the program? In other words, do you have event log errors?

If it is through the service, I am sure they use some kind of encryption; the key may expire after a few days.

If you look in the event log and see errors, what is the ID and message?

0

Author Comment

by:TSRich02
That has been another challenge in this issue.  The Exchange server event logs don't go back in time to when some of these events took place so we do not know for sure that they do or do not appear on the Windows Event log.

The application records the error in its own event log as a System 0x80040E4D Error: Failed to search folders : Authentication failed.  
0
 
LVL 8

Expert Comment

by:dmarinenko
I would guess it has something to do with the Kerberos time limit. I know a ticket is good for 10 hours by default but will try and renew for 7 days. I wonder if it isn't renewing? Have you tried turning off the firewall? Looking at any access errors in the security tab of Event Viewer at the time the issues start?

Does this account stay logged in all the time? Or just when it goes to back up. That could be the issue if it is continuously logged on.  

If it isn't continuously logged on then as an imperfect fix you could have the login run a script with a net stop and net start on the "Message-Level-Backup" service; that might work for you. I wouldn't do it on the main administrator account though as that would be a pain, just whatever account is being used for this. I am not 100% sure the script will run on a service login though, as opposed to an actual user login. Never tried it for that type of a use. That is a goofy issue. If you had the name of the backup software/service you are using, that may help.
0
 

Author Comment

by:TSRich02
I wish I had the system event logs for the time frame we noticed these errors.  However, we do not have any security logs for this time period.  

No firewall is running on this system. This is not an interactive user, just a program being launched under a domain / Exchange admin account. The process is always running as it does a continuous backup looking for any changes on any user's mailbox and then sending them. Think of it like BackupExec's mailbox level backup. This service is constantly running so I am not sure if that is what you mean.

Where can I check the timeout for the Kerberos time limit?
0
 
LVL 8

Accepted Solution

by:
dmarinenko earned 500 total points
There is an entire description and settings you can change here http://technet.microsoft.com/en-us/library/cc772815.aspx

One thing that might be the easiest though, if more of a hack than a fix.

Go into notebook, make a file with the following
Net stop whatever-service
Net start whatever-service

Save it as whatever.bat; make sure to change it from saving as a text file to saving as all files.

Then go to control panel and scheduler, have it run once a day at 3 in the morning, this would automate your stopping and starting of the service.
0
 

Author Closing Comment

by:TSRich02
Thanks for providing as much help as you could.  I will try the net stop script to correct this.  Our goal was to understand why more than anything.  Thanks again!
0
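
Added example (not part of the original thread, and not code from any participant or from the backup vendor): one way to test the Kerberos hypothesis raised above is to measure how long the service ran before its first 0x80040E4D error and compare that with the 10-hour ticket lifetime and 7-day renewal limit quoted in the thread. The log layout, the "BackupAgent" source name, the 30-minute tolerance and all sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Kerberos policy defaults quoted in the thread.
TICKET_LIFETIME = timedelta(hours=10)
RENEWAL_LIMIT = timedelta(days=7)
TOLERANCE = timedelta(minutes=30)  # assumption: slack for polling interval / clock skew

AUTH_ERROR = "0x80040E4D"          # error code the backup agent logged
SERVICE = "Message-Level-Backup"   # service name given in the thread

# Constructed sample in an assumed "timestamp|source|message" layout; adapt
# parse() to the real exports of the System log and the agent's own log.
SAMPLE_LOG = """\
2009-03-20 03:00:12|Service Control Manager|The Message-Level-Backup service entered the running state.
2009-03-27 03:00:40|BackupAgent|System 0x80040E4D Error: Failed to search folders : Authentication failed.
2009-03-27 03:05:41|BackupAgent|System 0x80040E4D Error: Failed to search folders : Authentication failed.
2009-03-27 09:14:02|Service Control Manager|The Message-Level-Backup service entered the running state.
2009-03-29 16:30:00|BackupAgent|System 0x80040E4D Error: Failed to search folders : Authentication failed.
"""

def parse(text):
    """Yield (timestamp, source, message) for each log line."""
    for line in text.splitlines():
        stamp, source, message = line.split("|", 2)
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), source, message

def classify(elapsed):
    """Compare time-to-first-failure with the two Kerberos defaults."""
    if abs(elapsed - RENEWAL_LIMIT) <= TOLERANCE:
        return "matches 7-day renewal limit"
    if abs(elapsed - TICKET_LIFETIME) <= TOLERANCE:
        return "matches 10-hour ticket lifetime"
    return "no match with Kerberos defaults"

def first_failures(text):
    """For each service start: (start time, time until first auth failure, verdict)."""
    results, started, failed = [], None, False
    for when, source, message in parse(text):
        if SERVICE in message and "entered the running state" in message:
            started, failed = when, False          # new run begins
        elif AUTH_ERROR in message and started and not failed:
            failed = True                          # ignore repeat errors in the same run
            elapsed = when - started
            results.append((started, elapsed, classify(elapsed)))
    return results

if __name__ == "__main__":
    for started, elapsed, verdict in first_failures(SAMPLE_LOG):
        print(f"started {started}  first failure after {elapsed}  -> {verdict}")
```

If every run fails at close to the same interval, that points at a fixed credential lifetime; scattered intervals point elsewhere.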
