Solved

Windows Active Directory Timeout

Posted on 2009-04-08
Last Modified: 2012-05-06
Hello Everyone,

We have a backup software that is running an agent on a server using a domain admin account. The agent is doing message-level backups on the Exchange store. We are noticing that the backups will fail with authentication failures. Once we restart the service the backups will resume. Any ideas?

Exchange Server 2003 SP2

 
Question by:TSRich02
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099070
What software are you running? Is it trying to check/verify the backup? In Exchange 2003 administrators do not have full access to individual mailboxes. Sometimes it's easiest to create an Exchange Admin account and give them the appropriate rights.
0
 

Author Comment

by:TSRich02
ID: 24099127
I was not given the software name. However, it is an offsite backup software which, from what I am told, does not have a great knowledge base.

This account is a domain admin as well as an Exchange Admin. The backup process will work fine (the backup is running continuously) and does so for a few days. However, out of nowhere the authentication failed errors start to be reported. My thought was something is expiring the login, since we can just restart the agent service and the backups will continue without problems for a while.
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099587
What is the name of the agent service you are restarting?
0
 

Author Comment

by:TSRich02
ID: 24099614
The service is Message-Level-Backup. Are you thinking this may be an issue with the software?
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24099992
Well, here is where I am going with this, and one question can sort it out. Are you getting the authentication error in Windows or through the program? In other words, do you have event log errors?

If it is through the service I am sure they use some kind of encryption, the key may expire after a few days.

If you look in the event log and see errors, what are the ID and message?

0

 

Author Comment

by:TSRich02
ID: 24100024
That has been another challenge in this issue.  The Exchange server event logs don't go back in time to when some of these events took place so we do not know for sure that they do or do not appear on the Windows Event log.

The application records the error in its own event log as a System 0x80040E4D Error: Failed to search folders : Authentication failed.  
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24100902
I would guess it has something to do with the Kerberos time limit. I know a ticket is good for 10 hours by default but will try and renew for 7 days. I wonder if it isn't renewing? Have you tried turning off the firewall? Looking at any access errors in the security tab of Event Viewer at the time the issues start?

Does this account stay logged in all the time? Or just when it goes to back up. That could be the issue if it is continuously logged on.  

If it isn't continuously logged on then as an imperfect fix you could have the login run a script with a net stop and net start on the "Message-Level-Backup" service; that might work for you. I wouldn't do it on the main administrator account though, as that would be a pain, just whatever account is being used for this. I am not 100% sure the script will run on a service login though, as opposed to an actual user login. Never tried it for that type of use. That is a goofy issue; if you had the name of the backup software/service you are using, that may help.
0
 

Author Comment

by:TSRich02
ID: 24100944
I wish I had the system event logs for the time frame we noticed these errors.  However, we do not have any security logs for this time period.  

No firewall is running on this system. This is not an interactive user, just a program being launched under a domain / Exchange admin account. The process is always running as it does a continuous backup, looking for any changes on any user's mailbox and then sending them. Think of it like BackupExec's mailbox-level backup. This service is constantly running so I am not sure if that is what you mean.

Where can I check the timeout for the Kerberos time limit?
0
 
LVL 8

Accepted Solution

by:dmarinenko (earned 500 total points)
ID: 24101247
There is an entire description and settings you can change here http://technet.microsoft.com/en-us/library/cc772815.aspx

One thing that might be the easiest though, if more of a hack than a fix.

Go into notebook, make a file with the following
Net stop whatever-service
Net start whatever-service

Save it as whatever.bat; make sure to change it from saving as a text file to saving as all files.

Then go to control panel and scheduler, have it run once a day at 3 in the morning, this would automate your stopping and starting of the service.
0
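To test the Kerberos lifetime guess from this thread against a failure timeline, the sketch below (an added example, not part of the original answers) parses the `[Kerberos Policy]` section of a security-template export and places the first failure relative to the ticket windows. The sample text is constructed with the Windows default values; `parse_kerberos_policy` and `classify_failure` are hypothetical helper names, and the assumption is that the agent obtained its ticket when the service started.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of a security-template export
# (for example `secedit /export /cfg policy.inf`); real exports are UTF-16 files.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
"""

# Units the template uses for each duration key.
UNITS = {
    "MaxTicketAge": "hours",     # user ticket (TGT) lifetime
    "MaxRenewAge": "days",       # how long a TGT may keep being renewed
    "MaxServiceAge": "minutes",  # service ticket lifetime
    "MaxClockSkew": "minutes",   # tolerated clock difference
}

def parse_kerberos_policy(inf_text):
    """Return the duration settings of [Kerberos Policy] as timedeltas."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[kerberos policy]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in UNITS:  # skip non-duration keys such as TicketValidateClient
            policy[key] = timedelta(**{UNITS[key]: int(value)})
    return policy

def classify_failure(policy, service_started, first_failure):
    """Place the first failure relative to a ticket issued at service start."""
    age = first_failure - service_started
    if age < policy["MaxTicketAge"]:
        return "inside initial ticket lifetime"
    if age < policy["MaxRenewAge"]:
        return "inside renewal window"
    return "past renewal window"
```

Feed it the service start time and the timestamp of the first 0x80040E4D entry from the agent's own log; a failure that lands inside the initial ticket lifetime does not fit a ticket-expiry explanation.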
 

Author Closing Comment

by:TSRich02
ID: 31568122
Thanks for providing as much help as you could.  I will try the net stop script to correct this.  Our goal was to understand why more than anything.  Thanks again!
0
