Log on issues and time sync

  • Thread starter: Marc O

Marc O

HELP!!!
I have a problem with my clients being able to log on to my Win2k AD domain.
Different clients will intermittently get a message when they try and log on
that they can not log on due to a client/server time difference.
Here is some background info:
Win2k AD domain w/ 2 DCs
DC1 is exchange2k/FSMO/Global Catalog/first DC in the domain/DNS/WINS etc.
DC2--is just a DC/Global Catalog/DNS
Clients are a mixture of 2kPro/XP Pro/98se-- only the 2k and XP machines
seem to be affected.
DC1 is syncing its time to a stratum 2 time server and is the SNTP server
for the domain. DC2 uses DC1 for SNTP as do the rest of the clients.
Every day when trying to log into DC2 I will get the message about the time
difference and will not be able to log in to it. When this happens, clients
who try and authenticate against DC2 are denied w/ a warning about time
difference. If I use the Computer Management MMC and restart the Windows
Time Service and the Kerberos service, users can log on again. But it seems
that I need to do this every x number of hours. I have read and reread all
the KBs regarding time and I can't seem to lick this one. It seems that most
clients in the domain when running 'net time' return the value of 'Current
time at \\DC2 is x/x/xxxx x:xx AM'. My users are starting to hunt for my
head every morning, so any help would be greatly appreciated. I am lost.

Thanks in advance
marc o.
 
OK, the Win98 boxes aren't affected because they don't use Kerberos authentication - only 2k and higher use Kerberos; everything else (Windows-wise) uses some form of LANMan.

It looks like quite a straightforward case of why this is happening - the DC is falling out of sync with the domain. The burning question is how to resolve it.

Before anything, as an interim fix, I would write a script that you can periodically run that does this on DC2:

net time \\dc1 /set /yes

Now, to find out why it's losing time so much? Could be an issue with your CMOS battery... However, are you encountering any replication or communication problems between DCs? Are they physically segregated? Check the logs and report back..

Paul
 
Thanks Paul,

Here is where I am at:
I have scanned the logs on both DCs and here are the dodgy ones:

--(DC2) Directory Srv Logs have a NTDS Rep Warning Category Replication Event ID 1586
The checkpoint with the PDC was unsuccessful. The checkpointing process will be retried again in four hours. A full synchronization of the security database to downlevel domain controllers may take place if this machine is promoted to be the PDC before the next successful checkpoint. The error returned was: There is a time difference between the client and server.

This started on the 27th of May and occurs 3x a day until 6/1/04 when it stops happening
--(DC2) Directory Srv Logs have a NTDS Rep Warning Category Replication
Replication warning: The directory is busy. It couldn't update object CN=XXXXX,OU=CodeSecuredUsers,OU=Code,DC=XXXXXXXX,DC=com with changes made by directory fb4de3b5-dd67-49d2-9417-f320d91d58c6._msdcs.XXXXXXXXXXX. Will try again later.
This happened twice on 6/9/04

--(DC2) File Rep Srv: there have been a mixture of Event ID 13562 and 13567s logged about not being able to bind to a Domain Controller. They started on 05/04/04 and stopped happening on 06/04/04

--(DC2) Intermittent W32Time errors event ID 11
The NTP server didn't respond

--(DC1) File Rep Srv Source Ntfrs Warning Event ID 13509
The File Replication Service has enabled replication from HADES to EXCHANGE for d:\winnt\sysvol\domain after repeated retries. This happened on 6/4/04

--(DC1) File Rep Srv Source Ntfrs Warning Event ID 13508
The File Replication Service is having trouble enabling replication from HADES to EXCHANGE for d:\winnt\sysvol\domain using the DNS name hades.XXXXX.COM. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name hades.XXXXXX.COM from this computer. [2] FRS is not running on hades.XXXXXXX.COM. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established. This happened on 06/04/04

--(DC1) Various times there have been W32Time errors event ID 11

I thought the same thing about the BIOS time, but every time I check it is right on the money (for Kerberos at least). The only rep errors are the ones above, and the DCs are on the same subnet attached to the same switch.

What now, LOL?

Thanks
 
Without looking at the errors in much depth, I'll throw in a few suggestions. I'll also recommend a look at www.eventid.net. Search for your event there and see what others have discovered.

Anyway, this is probably a DNS error. Point both DC1 and DC2 to the DNS server on DC1, and perform the following on both DCs:

C:\>ipconfig /flushdns
C:\>net stop netlogon
C:\>net start netlogon
C:\>ipconfig /registerdns

Go make a cup of coffee.

Now wait and see if these errors re-occur. If you don't fancy waiting, or don't like coffee, force immediate replication via Sites & Services.

What mode are you running in? Mixed or native?


Paul.
 
Thanks Paul,
Both DCs point to DC1 for DNS. I ran the statements you listed, forced a rep., and no significant problems arose. I am currently running in mixed mode, which is the way I inherited this network. We have no Exchange 5.5, and all 2k or 2k3 servers, but a few straggling 98SE clients. Will a switch to native cause any problems or do anything better?
Had two clients this morning tell me of the inability to logon due to the time difference error, but again if I use the Computer Management MMC and restart Windows Time and the KDC they are OK.

I will report back thanks again for all the help.
 
One other thing I just discovered.
When I use the Replication Monitor, right-click DC1 (PDC emul.), go to properties and look in the 'Server Flags' tab, it says the Time service isn't running. So I started the service again, ran 'w32tm /monitor' from my XP workstation and saw DC1 updated itself by .93 ms. But then the service somehow stopped again. I restarted it and I am waiting. Any thoughts?
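The logon failures in this thread are Kerberos refusing to authenticate when the client and KDC clocks differ by more than its default 5-minute MaxClockSkew. This added Python example (not from the thread) makes one SNTP exchange, the same measurement 'w32tm /monitor' performs per DC, computes the RFC 2030 clock offset, and flags both an offset past that limit and a source that answers with stratum 0 (itself unsynchronized); the server name passed to query() and the sample reply are constructed for the example.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800     # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0       # Kerberos default MaxClockSkew: 5 minutes
SNTP_FMT = "!BBBb11I"           # 48-byte header: LI/VN/mode, stratum, poll, precision, 11 words

def to_unix(sec, frac):
    """NTP (seconds, 32-bit fraction) -> Unix time as a float."""
    return sec - NTP_UNIX_DELTA + frac / 2 ** 32

def to_ntp(t):
    """Unix time -> NTP (seconds, 32-bit fraction) pair."""
    sec = int(t)
    return sec + NTP_UNIX_DELTA, int((t - sec) * 2 ** 32)

def clock_offset(t1, t2, t3, t4):
    """RFC 2030 offset of the server clock relative to ours (positive = server ahead)."""
    return ((t2 - t1) + (t3 - t4)) / 2

def analyze_reply(packet, t1, t4):
    """Parse a 48-byte SNTP server reply; t1/t4 are our send and receive Unix times."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    f = struct.unpack(SNTP_FMT, packet[:48])
    mode, stratum = f[0] & 0x07, f[1]
    if mode not in (4, 5):                     # 4 = server, 5 = broadcast
        raise ValueError("not a server reply (mode %d)" % mode)
    t2 = to_unix(f[11], f[12])                 # receive timestamp
    t3 = to_unix(f[13], f[14])                 # transmit timestamp
    offset = clock_offset(t1, t2, t3, t4)
    return {
        "stratum": stratum,
        "synchronized": stratum != 0,          # stratum 0: the source itself is unsynchronized
        "offset": offset,
        "kerberos_ok": stratum != 0 and abs(offset) <= KERBEROS_MAX_SKEW,
    }

def query(server, timeout=2.0):
    """One SNTP client request (mode 3) to server:123; a socket.timeout here is the
    'NTP server didn't respond' condition that W32Time logs as event ID 11."""
    t1 = time.time()
    req = struct.pack(SNTP_FMT, 0x1B, *([0] * 12), *to_ntp(t1))   # LI=0, VN=3, mode=3
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 123))
        data, _ = s.recvfrom(512)
    return analyze_reply(data, t1, time.time())

def make_reply(stratum, t1, t2, t3):
    """Constructed server reply (mode 4) so the check can be demonstrated offline."""
    return struct.pack(SNTP_FMT, 0x24, stratum, 10, -20, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

# Constructed sample: the reply came back 0.05 s after we sent, but the source
# stamped it 400 s ahead of us, past the 5-minute limit, so logons would fail.
SAMPLE_T1 = 1_000_000_000.0
SAMPLE_T4 = SAMPLE_T1 + 0.05
SAMPLE_REPLY = make_reply(2, SAMPLE_T1, SAMPLE_T1 + 400.0, SAMPLE_T1 + 400.02)
```

Run `query("dc1")` (hostname assumed) from a workstation and from each DC; an offset near the limit on one DC while the others are fine points at that DC's clock, and a timeout reproduces the event ID 11 condition.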
 
A couple of thoughts.

Firstly, update to Native Mode - it won't affect the Win98 clients, and makes sense as there are no NT DCs. I also don't like the look of the NT4-like error you mentioned. Perhaps making the switch will help.

I can't see why the time service is stopping! Can you try and sync with another external source?? Aside from all of the time errors, are you seeing anything suspicious in the event logs?

If it isn't already, you could try configuring the w32time service to autorestart if it stops.

Post back your results. This is most interesting...


Paul.
_____________________________