Re: Login and Time Sync Issues



I have emailed you two netmon trc files that demonstrate problems with remote file system access.
The time sync problem has gone away.
I was not running TCP for Kerberos before the system change, so hopefully that has not become a problem.


The Event IDs 40960 and 5 were on the SBS Server and ONLY when the other DC was offline. They are not there now.

Everything about the SBS system is working other than its ability to communicate with the rest of the domain. Pings etc. are
working; only things that require authentication are not working. Could there be an issue with AD 'keys' that might have changed
when it was offline and they did not properly resync?

Just one other strange thing.
When I restarted the first time after the hardware change, it told me I had 3 days to reactivate. I said no. After the 3rd or 4th
reboot, the 3-day window was gone and it forced activation. Seems to me there might have been some sort of clock issue in this.
Could that have messed up AD?

On Thu, 17 Nov 2005 03:53:15 GMT, v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]") wrote:

>Hello Roy,
>
>Thank you for posting to the SBS Newsgroup.
>
>I understand that you are experiencing many issues. Please understand that we
>need to troubleshoot issues one by one. Please perform my following
>suggestions first. If the issue persists, let's gather more error
>information for further troubleshooting:
>
>================
>
>Suggestions:
>
>1. I strongly suggest that we rerun the Configure E-mail and Internet
>Connection Wizard on the SBS 2K3 Server to make sure that the TCP/IP
>configuration on the SBS Server is correct. Please strictly follow the detailed
>steps in the KB article below.
>
>825763 How to configure Internet access in Windows Small Business Server
>2003
>http://support.microsoft.com/?id=825763
>
>The TCP/IP Configuration on SBS server should be
>
>External NIC:
>
>IP: assigned by your ISP or your hardware router
>Gateway: your ISP or your Hardware router IP
>DNS: SBS INTERNAL NIC IP as the only entry
>
>Internal NIC:
>
>IP: Fixed IP
>Gateway: None
>DNS: SBS INTERNAL NIC IP as the only entry
>
>In the DNS console (dnsmgmt.msc), right click your ServerName and click
>properties. In the Forwarders tab, your ISP DNS server IP should be
>inputted there.
>
>The TCP/IP Configuration on workstation:
>
>IP: Assigned by DHCP on SBS
>Gateway: SBS internal NIC IP
>DNS: SBS INTERNAL NIC IP as the only entry
>
>2. Regarding the issue "In the case of trying to use a share on the member
>Win2k system from the SBS system, I get the error that says 'This server's
>clock is not sync'd with the domain's PDC'.", please see my suggestions:
>
>I assume that you have the error message on the SBS 2K3 Server. If I am
>wrong, please do let me know.
>
>Log in to the Windows 2000 Server as Administrator, check the "Windows time"
>service in the service list. Make sure this Service is set to automatic
>start and it has been started. Double click on the time icon in the task
>bar. Click "Time Zone" from the tab. Adjust the time zone to make sure it
>is the same as the time zone on the SBS 2K3 Server.
>
>3. The issue can occur also due to a limitation on the UDP packet size when
>Windows Kerberos Authentication package is using UDP. The article below
>provides information about changing the Kerberos configuration so it will
>use TCP instead of UDP:
>
>244474 How to Force Kerberos to Use TCP Instead of UDP
>http://support.microsoft.com/?id=244474
>
>=====================
>
>Gather error information:
>
>If the issue persists, please help to gather the following error information
>for us to further research:
>
>[Note]: Please do not edit or delete any error information, we need the
>EXACT error information for accurate research.
>
>1. On the SBS server, run "eventvwr" (without quotation marks), check
>whether there is any error. If yes, double click it, click the Copy button
>and paste the full content to the Newsgroup.
>
>2. Open a command window on the SBS 2K3 Server and one of the problematic
>client workstations, type "ipconfig /all" (without quotation marks), copy
>and paste the full result to the Newsgroup.
>
>3. Please capture a screen shot for the error message "This server's clock
>is not sync'd with the domain's PDC" and send it to my mailbox:
>v-branee@xxxxxxxxxxxxxx
>
>4. Which server did you get Event IDs 40960 and 5?
>
>5. You mentioned "Took about 10 mins to get through setting network
>connections. Never did get logged in.", I have the following questions:
>
>a. Did you get any error message when trying to log in to the client
>workstation? If yes, please type the error message word by word to me.
>
>b. Can you log in as local administrator? If yes, run "eventvwr" (without
>quotation marks), check whether there is any error. If yes, double click
>it, click the Copy button and paste the full content to me.
>
>c. Can you log in to the other client workstations?
>
>Please take your time to perform the steps above and collect the
>information for us to troubleshoot your issue. If anything is unclear,
>please feel free to let me know. I am looking forward to hearing from you!
>
>Best regards,
>
>Brandy Nee
>
>Microsoft CSS Online Newsgroup Support
>
>--------------------
>>From: Roy Chastain <roy@xxxxxxxxx>
>>Subject: Login and Time Sync Issues
>>Date: Wed, 16 Nov 2005 07:04:41 -0500
>>Organization: KMSYS Worldwide, Inc.
>>Newsgroups: microsoft.public.windows.server.sbs
>>
>>I have a SBS 2003 that has been running about 6 months. I have a second
>>Win2K DC and a Win2k Member server and some XP client systems.
>>
>>The SBS hardware got flaky about 2 weeks ago and would hardware freeze.
>>Finally on Thursday it went down and would not get past POST.
>>
>>Today I replaced the motherboard, processor and memory and rebooted.
>>After Plug & Play things looked pretty good EXCEPT that no one can access
>>any files on the SBS and the SBS system can not create a net use to any
>>other system. In the case of trying to use a share on the member Win2k
>>system from the SBS system, I get the error that says 'This server's clock
>>is not sync'd with the domain's PDC'.
>>
>>Well, the SBS should be the PDC, but everyone is logging in with the Win2k
>>DC as the login server and apparently the SBS system now thinks the 2000 DC
>>is the PDC.
>>
>>I have stopped the PDC and booted the SBS system and tried to reboot and
>>login from one of the client systems. Took about 10 mins to get through
>>setting network connections. Never did get logged in. Lost patience.
>>
>>No real error messages in any event logs other than the SBS System and
>>they only occurred when the 2K DC was offline.
>>
>>Event 40961
>>The Security System could not establish a secured connection with the
>>server LDAP/ZEUS. No authentication protocol was available.
>>
>>Event 40960
>>The Security System detected an authentication error for the server
>>LDAP/ZEUS. The failure code from authentication protocol Kerberos was
>>"There are currently no logon servers available to service the logon
>>request. (0xc000005e)".
>>
>>
>>Before I messed around a lot I was receiving this error
>>Event 5
>>The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
>>ROYHOME$. This indicates that the ticket used against that server is not
>>yet valid (in relationship to that server time). Contact your system
>>administrator to make sure the client and server times are in sync, and
>>that the KDC in realm ROYCHASTAIN.ORG is in sync with the KDC in the
>>client realm.
>>
>>
>>Now, just to be clear, the clocks are all within 30 seconds of each other.
>>(And the dates and AM/PM are correct too.)
>>
>>Since the 2 DCs can not authenticate to each other, DNS and FRS
>>replication etc are failing and things are falling apart.
>>
>>PS.
>>The SBS install has never been completed. Exchange and ISA are not
>>running on the SBS box. Needless to say the SBS system can not even get to
>>the Internet, because it can not authenticate with the ISA server on
>>another member server.
>>
>>Thanks for your input to resolve this issue.
>>
>>-------------------------------------------
>>Roy Chastain
>>KMSYS Worldwide, Inc.
>>http://www.kmsys.com
>>
-------------------------------------------
Roy Chastain
KMSYS Worldwide, Inc.
http://www.kmsys.com
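
An added illustration (not part of the original thread) of why the time zone check in suggestion 2 matters: Kerberos compares UTC timestamps, so hosts whose displayed clocks agree to within seconds can still fail with KRB_AP_ERR_TKT_NYV when their configured time zones differ. It follows the time checks of RFC 4120 section 3.2.3 in simplified form; the function names, offsets and wall-clock times are constructed, and the 5-minute skew and 10-hour ticket lifetime are the Windows defaults.

```python
from datetime import datetime, timedelta, timezone

# Default Kerberos clock-skew tolerance in a Windows domain (5 minutes).
MAX_SKEW = timedelta(minutes=5)

def to_utc(displayed: datetime, utc_offset_hours: float) -> datetime:
    """UTC instant for a host that shows `displayed` with the given zone offset."""
    shifted = displayed - timedelta(hours=utc_offset_hours)
    return shifted.replace(tzinfo=timezone.utc)

def validate_ap_req(auth_ctime, tkt_start, tkt_end, server_now, skew=MAX_SKEW):
    """Simplified time checks a service applies to an AP-REQ (RFC 4120, 3.2.3)."""
    if abs(auth_ctime - server_now) > skew:
        return "KRB_AP_ERR_SKEW"         # client clock disagrees with server clock
    if tkt_start - server_now > skew:
        return "KRB_AP_ERR_TKT_NYV"      # KDC stamped a start time in the server's future
    if server_now - tkt_end > skew:
        return "KRB_AP_ERR_TKT_EXPIRED"  # ticket lifetime is already over for the server
    return "OK"

def scenario(kdc_offset, server_offset, client_offset):
    """Constructed case: all three hosts display times within 20 seconds of each other."""
    kdc_now = to_utc(datetime(2005, 11, 16, 9, 0, 10), kdc_offset)
    server_now = to_utc(datetime(2005, 11, 16, 9, 0, 0), server_offset)
    client_now = to_utc(datetime(2005, 11, 16, 9, 0, 20), client_offset)
    # The KDC stamps the ticket from its own UTC clock; 10 hours is the default lifetime.
    tkt_start, tkt_end = kdc_now, kdc_now + timedelta(hours=10)
    return validate_ap_req(client_now, tkt_start, tkt_end, server_now)

if __name__ == "__main__":
    print("same zone everywhere:      ", scenario(-5, -5, -5))
    print("KDC zone 3 h west of server:", scenario(-8, -5, -5))
    print("client zone 3 h west:       ", scenario(-5, -5, -8))
    print("KDC zone 14 h east:         ", scenario(9, -5, -5))
```

Comparing each host's UTC time rather than the time shown in the task bar is what exposes this kind of mismatch.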