Random group policy errors, KCC, DNS; TIME or network problem?

Taevalaotus asked:
We are running a site with 2 DCs, both GC enabled, and about 150 XP Pro machines with SP3, still in a mixed 2000-2003 environment.
DNS is AD-based and is configured on both machines; the LAN IP points to the server's only IP address.
(no multihomed network)
The PDC emulator has DHCP, WINS and the FSMO roles configured.

Clients give random errors while processing group policy.
Typical scenario:
event IDs 1030 and 1097 in the application log, source Userenv: Windows cannot find the machine account, The Local Security Authority cannot be contacted

system event ID 7 on clients: The Kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client machinename$ in realm ourdomain.com had a PAC which failed to verify or was modified. Contact your system administrator.

At boot the time service will not synchronize NTP for at least 2-5 minutes; later it also gives random errors.

netdiag runs without any error on the DC.

DCdiag passes all tests but these:
Starting test: kccevent
   An Warning Event occured.  EventID: 0x800004C0
      Time Generated: 04/28/2010   01:21:40
      Event String: Internal event: An LDAP client connection was closed
   ......................... OURSERVER failed test kccevent
Starting test: systemlog
   An Error Event occured.  EventID: 0xC0002719
      Time Generated: 04/28/2010   01:23:34
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0xC0002719
      Time Generated: 04/28/2010   01:24:17
      (Event String could not be retrieved)
   ......................... OURSERVER failed test systemlog

The KCC event is somehow connected to an Exchange query to LDAP, and I have not found on Google whether it should be treated or not.

What I have already done:

Verified DNS: it works, responds, knows the machines, registers zones.
At the same time, an nslookup query from an XP client sometimes gives timeout errors while waiting for a response from DNS.
DHCP is configured and registers PTR records in DNS; the lease time is 1 hour. The XP machines' NTP is configured to get time from the DC; the DC itself gets time from a secondary stratum server source.
Verified WINS.

Checked the SYSVOL share, permissions, and the Netlogon service as such - no errors.

To solve the machine account problem I have removed them from the domain and rejoined... soon the errors are back and GP processing fails again, and again the machine accounts are not found.

All those errors affect clients from all network segments (the servers are in a separate LAN segment) and each client segment is connected to the server segment via a router. DHCP uses an IP helper address. Ping time to the servers (DC, DNS, DHCP) is less than 1 ms.

Worst is that all those symptoms are random.
A failure to get DC info may last 2 minutes and then everything is OK for a week for one machine, while another machine has the problem at the same time on the same LAN segment, and then vice versa: the first one automagically returns to a normal state and gets all policy updates, but some other machine fails.

My questions:
1. If DNS is OK by all available tests and resolves all kinds of queries, why is it getting those timeout errors from the client side?
2. How to resolve the XP clients' NTP errors, which come in pairs with the KCC events; the reason is obviously that machines do not find the DC in time or get access denied. At the same time DNS responds.
3. Can it be a router issue, access lists on the routers or something?

4. A possibility not yet examined: that the NOD32 v4 antivirus somehow affects Netlogon.

Anyway, if you have any idea how to track these random errors down and make policies work reliably, any help will be very much appreciated.

Sorry for my bad English.



You don't say how you have configured the clients for the SNTP server. The clients should automatically be pointed to the PDC emulator; however, you should verify that with NET TIME /QUERYSNTP.

You can specify the server you want the clients to use with NET TIME /SETSNTP:serverIP

Make sure that your firewalls have UDP port 123 open as that is what is used by Windows Time Service.

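The checks in the reply above (which server the client is actually using, and whether UDP 123 to the PDC emulator works) can be scripted. The following PowerShell script is an added example, not code from the original thread. It assumes an elevated PowerShell on a Vista/2008-or-later domain member (w32tm /query does not exist on XP/2003, where NET TIME /QUERYSNTP is the equivalent); the sample count and the 5-second alert threshold are arbitrary choices.

```powershell
# Added example, not code from the original thread.
# Checks how a domain member sources time and whether the PDC emulator answers
# NTP over UDP 123. Run in an elevated PowerShell on the client under test.
param(
    [int]$SampleCount = 5,          # arbitrary number of NTP probes
    [double]$MaxOffsetSeconds = 5   # arbitrary alert threshold; Kerberos refuses tickets at 300s of skew
)

# How the client is told to find a time source.
# Type = NT5DS: follow the domain hierarchy (members -> DC -> PDC emulator).
# Type = NTP:   use the manual NtpServer list instead (typical for a standalone laptop).
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
"Sync type       : $($w32.Type)"
"Manual NtpServer: $($w32.NtpServer)"

# The PDC emulator is the root of the domain time hierarchy; locate it via AD rather than guessing.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
"PDC emulator    : $pdc"

# Which server the Windows Time service is actually using right now.
"Current source  : $((& w32tm /query /source 2>&1) -join ' ')"

# Probe the PDC directly. Each sample is one NTP request/reply over UDP 123;
# /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample, or an
# "error: 0x800705B4" line when nothing comes back (timeout).
$chart = & w32tm /stripchart "/computer:$pdc" "/samples:$SampleCount" /dataonly 2>&1
$offsets = @(foreach ($line in $chart) {
    # decimal separator follows the OS locale, so accept '.' or ','
    if ($line -match '([+-]\d+[.,]\d+)s') {
        [double]::Parse($Matches[1].Replace(',', '.'), [Globalization.CultureInfo]::InvariantCulture)
    }
})
if ($offsets.Count -eq 0) {
    Write-Warning "No NTP reply from $pdc on UDP 123 (firewall/ACL, or W32Time on the PDC not answering). Raw output:`n$($chart -join "`n")"
    exit 1
}
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
if ($worst -gt $MaxOffsetSeconds) {
    Write-Warning "Largest offset from $pdc is ${worst}s; Kerberos will fail once skew passes 300s"
} else {
    "Largest offset from $pdc over $SampleCount samples: ${worst}s (OK)"
}
```

If the stripchart times out from a client but succeeds from a machine in the server segment, the problem is between the segments (router ACL or firewall on UDP 123), not the time service itself; if it times out everywhere, look at W32Time on the PDC.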

According to Microsoft, the domain controller itself auto-announces itself as a reliable time server via the registry announce flag A or also 5 (just different reliable-time-server bit flags). Because the XP client is set to configure time automatically, in a domain environment it asks the PDC for time.

UDP 123 is open on the routers and it is used, but for an unknown reason the clients sometimes fail the query to the PDC, and the PDC itself one day failed the query to the NTP server. The time server source on the PDC is specified as a DNS name, not an IP (the NTP server has 2 IPs).

I can also set those settings via GP registry settings, but I am a bit confused about what source to specify for the laptops, because they are often outside the domain network and then the query to the PDC will fail.
Also, because the time server may be part of the reason for the failure when applying policy, this configuration may fail too (remember, policies are not working reliably).

For your laptops I would set them to time.windows.com (the Windows default) or to the US Navy atomic clock, tock.usno.navy.mil.
Found a good article, which helped to solve the problem:


The KDC service on the Win2000 DC was a zombie...
Case closed.
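The root cause above (a hung KDC on one of the two DCs, so only the clients that happened to pick that DC got PAC verification failures and "machine account not found" errors) is the kind of thing a per-DC health check finds quickly. The following PowerShell script is an added example, not code from the original thread. It assumes Windows PowerShell 3 or later on a domain-joined admin workstation with WMI rights on the DCs; Get-WmiObject is used deliberately because it reaches 2000/2003 DCs that have no PowerShell remoting. The 2-second connect timeout is an arbitrary choice.

```powershell
# Added example, not code from the original thread.
# Enumerate every DC in the current domain and check the services the thread
# touched: KDC, Netlogon, W32Time and DNS. A hung ("zombie") KDC can still show
# State=Running in WMI, so each DC is also probed on TCP 88/389/53/3268; a DC
# whose KDC is Running but whose port 88 does not answer is the one to restart.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Service short names as they appear in Win32_Service.Name. The DNS Server service is
# included because the thread's DNS is AD-integrated and runs on the same two DCs.
$serviceNames = 'kdc', 'Netlogon', 'W32Time', 'DNS'
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; DNS = 53; GC = 3268 }
$pdcRole = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]::PdcRole

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    $filter = ($serviceNames | ForEach-Object { "Name='$_'" }) -join ' OR '
    $services = @{}
    try {
        Get-WmiObject Win32_Service -ComputerName $name -Filter $filter -ErrorAction Stop |
            ForEach-Object { $services[$_.Name] = $_.State }
    } catch {
        $services['kdc'] = "WMI unreachable: $($_.Exception.Message)"
    }
    $open = @{}
    foreach ($p in $ports.GetEnumerator()) {
        $open[$p.Key] = Test-TcpPort -ComputerName $name -Port $p.Value
    }

    [pscustomobject]@{
        DC       = $name
        IsPDC    = [bool]($dc.Roles -contains $pdcRole)
        KDC      = $services['kdc']
        Netlogon = $services['Netlogon']
        W32Time  = $services['W32Time']
        DNSsvc   = $services['DNS']
        Port88   = $open.Kerberos
        Port389  = $open.LDAP
        Port53   = $open.DNS
        Port3268 = $open.GC
        # KDC not Running, or Running but not answering on 88: the hung-KDC signature.
        Suspect  = ($services['kdc'] -ne 'Running') -or (-not $open.Kerberos)
    }
}
$report | Format-Table -AutoSize

# On a DC flagged Suspect: Restart-Service kdc (or reboot it). Then on a client that
# was failing: nltest /sc_reset:<domain>  to rebuild its secure channel, and
# gpupdate /force to confirm policy processing works again.
```

Run it from a client segment as well as from the server segment: a DC that answers on port 88 from the server LAN but not from a client LAN points at the router ACLs the original poster asked about in question 3, whereas a DC that answers nowhere while its service shows Running is the zombie KDC case that closed this thread.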
