MrxSmb Event 3034

Cameron Dorrough

Periodically our users complain of slow access to network shares and the
above event gets logged on the server (W2k+SP4). The last DWORD value is:
c0000133

I've been through the Microsoft KB (and JSI's as well) to no avail. Anyone
know what I might try to fix this??

Thanks in advance,
Cameron:)
 
Mike Rosado [MSFT]

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

Now, it's been previously reported that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select Properties.
- Go to the Group Policy tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings /
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to clean up the machine but did not
rebuild it, which is what we recommend doing when you're known to be infected
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>
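
Added example, not from the original posts: it decodes the event's last DWORD as an NTSTATUS, looks for the clock-skew setting in a GPO security template, and compares a measured clock offset with the tolerance. The template text and timestamps are constructed, and the storage detail (a GptTmpl.inf security template with `MaxClockSkew` under `[Kerberos Policy]`) is background that the thread itself does not state.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Only the status value named in this thread; anything else is reported as unknown.
KNOWN_STATUS = {0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC"}
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
# Assumption: when the setting is not defined, fall back to the 5-minute
# default mentioned in the thread.
DEFAULT_TOLERANCE_MIN = 5

# Constructed security-template text (not taken from a real domain).
TEMPLATE_WITH_KERBEROS = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
"""

TEMPLATE_WITHOUT_KERBEROS = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 7
"""


def decode_ntstatus(hex_dword):
    """Split a 32-bit NTSTATUS (as logged in the event data) into its fields."""
    value = int(hex_dword, 16) & 0xFFFFFFFF
    return {
        "hex": f"0x{value:08x}",
        # Same bits read as a signed 32-bit integer, the decimal form tools print.
        "signed": value - (1 << 32) if value & 0x80000000 else value,
        "severity": SEVERITY[value >> 30],      # bits 31-30
        "facility": (value >> 16) & 0x0FFF,     # bits 27-16
        "code": value & 0xFFFF,                 # bits 15-0
        "name": KNOWN_STATUS.get(value, "unknown"),
    }


def max_clock_skew_minutes(template_text):
    """Return MaxClockSkew in minutes, or None when the setting is not defined."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(template_text)
    raw = parser.get("Kerberos Policy", "MaxClockSkew", fallback=None)
    return int(raw) if raw is not None else None


def triage(hex_dword, template_text, dc_time, member_time):
    """Combine the status code, the policy lookup and a measured clock offset."""
    status = decode_ntstatus(hex_dword)
    configured = max_clock_skew_minutes(template_text)
    tolerance = configured if configured is not None else DEFAULT_TOLERANCE_MIN
    skew = abs(dc_time - member_time)
    return {
        "status": status["name"],
        "policy_defined": configured is not None,
        "tolerance_minutes": tolerance,
        "skew_seconds": int(skew.total_seconds()),
        "within_tolerance": skew <= timedelta(minutes=tolerance),
    }


if __name__ == "__main__":
    dc = datetime(2004, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed times
    member = dc + timedelta(minutes=7, seconds=30)
    print(decode_ntstatus("c0000133"))
    print(triage("c0000133", TEMPLATE_WITHOUT_KERBEROS, dc, member))
```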

Cameron Dorrough

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any way to
do this from ADUC.

Thanks again.
Cameron:)

Mike Rosado [MSFT]

Cameron,

As mentioned before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REGEDIT) for Maximum Tolerance on a
working DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

Cameron Dorrough

Thanks - I'll try that. :)

Cameron Dorrough

Mike, I had a look through the registry on our other DC and could find no
entries to assist with this.

ADUC doesn't allow you to add them or copy them somehow from the Default
Domain Policy and I am guessing that we would need to re-install our entire
domain to recover these missing values.

We're screwed, right?

Cameron:)

Mike Rosado [MSFT]

Cameron,

As mentioned before, I'm by no means an expert in this subject matter. But
see if this article helps somehow.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

Mike Rosado [MSFT]

Cameron,

As mentioned before, I'm by no means an expert in this subject matter. But
see if this article helps somehow.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

IMPORTANT TO NOTE:
For general backup and restore of the Default Domain Policy and Default
Domain Controller Policy, and also for other GPOs, Microsoft recommends that
you use the Group Policy Management Console (GPMC) to create regular backups
of these GPOs. You can then use GPMC in conjunction with these backups to
restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

Cameron Dorrough

Thanks, Mike - I've run the RecreateDefpol.exe tool and nothing seems to
have changed... (a logon cycle is all that is supposed to be required -
perhaps I need to reboot??)

Are you *sure* there is supposed to be a Kerberos Policy in the DDC Policy
as well as the Default Domain policy?

It's all very, very strange.. but thanks for all your help!

Cameron:)

Mike Rosado [MSFT]

Cameron,

Yes, the Kerberos Policy does exist. See below. Maybe you should call
Microsoft Product Support Services and speak to a Support Engineer in the
Directory Services group.
[P.S. Kerberos policy is in the Default domain policy and not
Default Domain Controller policy]

- Expand "Computer Configuration" / Windows Settings / Security Settings
/ Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies


-----Original Message-----

Cameron Dorrough said:
Thanks, Mike - I've run the RecreateDefpol.exe tool and nothing seems to
have changed... (a logon cycle is all that is supposed to be required -
perhaps I need to reboot??)

Are you *sure* there is supposed to be a Kerberos Policy in the DDC Policy
as well as the Default Domain policy?

It's all very, very strange.. but thanks for all your help!

Cameron:)

Mike Rosado said:
Cameron

As mentioned before, I'm by no means an expert in this subject matter. But
see if this article helps somehow.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

IMPORTANT TO NOTE:
For general backup and restore of the Default Domain Policy and Default
Domain Controller Policy, and also for other GPOs, Microsoft recommends that
you use the Group Policy Management Console (GPMC) to create regular backups
of these GPOs. You can then use GPMC in conjunction with these backups to
restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any way to
do this from ADUC.

Thanks again.
Cameron:)

