• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 448
  • Last Modified:

Windows Active Directory Timeout

Hello Everyone,

We have a backup software that is running an agent on a server using a domain admin account.  The agent is doing message level backups on the exchange store. We are noticing that the backups will fail with authentication failures.  Once we restart the service the backups will resume.  Any ideas?

Exchange Server 2003 SP2

 
0
TSRich02
Asked:
TSRich02
  • 5
  • 5
1 Solution
 
dmarinenkoCommented:
What software are you running?  Is it trying to check/verify the backup?  In exchange 2003 administrators do not have full access to individual mailboxes.  Sometimes it's easiest to create a Exchange Admin account and give them the appropriate rights.
0
 
TSRich02Author Commented:
I was not given the software name.  However, it is an offsite backup software who from what I am told does not have a great knowledge base.  

This account is a domain admin as well as an Exchange Admin.  The backup process will work fine (The backup is running continuous) and does so for a few days.  However out of no where the authentication failed errors start to be reported.  My thought was something is expiring the login since we can just restart the agent service and the backups will continue without problems for a while.  
0
 
dmarinenkoCommented:
What is thename of the agent service you are restarting?
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
TSRich02Author Commented:
The service is Message-Level-Backup.  Are you thinking this maybe an issue with the software?  
0
 
dmarinenkoCommented:
Well here is where i am going with this, and one question can sort it out.  are you getting the authentication error in windows or through the program?  In other words, do you have even log errors?

If it is through the service I am sure they use some kind of encryption, the key may expire after a few days.

If you look in the event log and see errors what is the id and message?

0
 
TSRich02Author Commented:
That has been another challenge in this issue.  The Exchange server event logs don't go back in time to when some of these events took place so we do not know for sure that they do or do not appear on the Windows Event log.

The application records the error in its own event log as a System 0x80040E4D Error: Failed to search folders : Authentication failed.  
0
 
dmarinenkoCommented:
I would guess it has something to do with the kerberos time limit. I know a ticket is  good for 10 hours by default but will try and renew for 7 days.  I wonder if it isn't renewing?  Have you tried turning off the firewall?  Looking at any access errors in the security tab of event viewer at the time the issues start?

Does this account stay logged in all the time? Or just when it goes to back up. That could be the issue if it is continuously logged on.  

If it isn't continuously logged on then as an imperfect fix you could have the login run a script with a net stop and net start on the "Message-Level-Backup" service, that might work for you.  I wouldn't do it on the main administrator account though as that would be a pain, just whatever account is being used for this.  I am not 100% sure the script will run on a service login though, as opposed to an actual user login.  Never tried it for that type of a use.  That is a goofy issue if you had the name of the backup software/service you are using that may help.
0
 
TSRich02Author Commented:
I wish I had the system event logs for the time frame we noticed these errors.  However, we do not have any security logs for this time period.  

No firewall is running on this system.  This is not an interactive user just a program being launched under a domain / exchange admin account.  The process is always running as it does a continuous backup looking for any changes on any users mailbox and then sending them.  Think of it like BackupExec's mailbox level backup.  This service is constantly running so I am not sure if that is what you mean.  

Where can I check the timeout for kerberos timelimit?
0
 
dmarinenkoCommented:
There is an entire description and settings you can change here http://technet.microsoft.com/en-us/library/cc772815.aspx

One thing that might be the easiest though, if more of a hack then a fix.

Go into notebook, make a file with the following
Net stop whatever-service
Net start whatever-service

Save it as whatever.bat make sure to change it from saving as a text file to saving as all files

Then go to control panel and scheduler, have it run once a day at 3 in the morning, this would automate your stopping and starting of the service.
0
 
TSRich02Author Commented:
Thanks for providing as much help as you could.  I will try the net stop script to correct this.  Our goal was to understand why more than anything.  Thanks again!
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now