The time is wrong in one of my Domain controllers

Hi,

There is something wrong in my domain since one week ago!!! I have two domain controllers: the first DC's name is DC and the second is Mail. Both of them are GCs and the OS is Win 2003 Server R2 SP1. I set the time of Mail and the other clients by GP according to the time of DC: (net time \\dc /set /y)

I have some shared folders on DC that I map for all users by GPs, but since one week ago the time on Mail and some of the clients is different from DC!!!??? The group policies don't work for users that Mail gives services to, and even when I want to set the time on Mail from the command prompt it says: an extended error has occurred!!! But I can ping the DC from Mail!!!

When I want to log on (on Mail) with my user account, which belongs to the Administrators group and the Domain Admins group, it says: dctttghobei-m(my user name)desktop is not accessible. You might not have permission to use this network resource.!!!!!

(I defined a CA on DC that is valid from 3/20/2006 until 3/20/2016, so I think this problem was created from 3/20!!!!!)

Now some of the users can't use the network drives that are mapped by GP automatically for them!!!!! The time is wrong for some clients!!!!! On the Mail server I can't use GP and other network resources!!!!! It is a strong problem for me!! It is urgent!!!! Could you please help me!!???

Thank you.
----
Regards
Mahnaz

ASKED: March 25, 2007  7:24 AM
UPDATED: February 21, 2008  5:52 PM

Answer Wiki:
Hi,

I should give some extra information about my problem. First I should say: when I manually change the time of the Mail server, all the problems that I described appear. If I don't manually change the time of the Mail server, I can log on to it and have shared folders on it, but the clients still have the problem!!!

Here are some event logs of Mail:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 5
Date: 3/25/2007
Time: 2:34:13 PM
User: N/A
Computer: MAIL
Description: The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server COMPUTER-3$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm NIOC-KEPCO.COM is in sync with the KDC in the client realm. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------------
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 5
Date: 3/25/2007
Time: 2:34:13 PM
User: N/A
Computer: MAIL
Description: The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server COMPUTER-85$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm NIOC-KEPCO.COM is in sync with the KDC in the client realm. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 3/25/2007
Time: 1:16:04 PM
User: N/A
Computer: MAIL
Description: The Security System detected an authentication error for the server cifs/Computer-90. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 33 01 00 c0 3..?
-----------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 3/25/2007
Time: 1:12:50 PM
User: N/A
Computer: MAIL
Description: The Security System detected an authentication error for the server cifs/dc.nioc-kepco.com. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 33 01 00 c0 3..?
---------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 3/25/2007
Time: 1:10:52 PM
User: N/A
Computer: MAIL
Description: The Security System detected an authentication error for the server cifs/dc. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 33 01 00 c0 3..?
--------------------------
Event Type: Error
Event Source: MsGina
Event Category: None
Event ID: 1010
Date: 3/25/2007
Time: 2:05:30 PM
User: N/A
Computer: MAIL
Description: Failed to set the user's home directory (Drive Z: connected to Share dchome$). For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: b8 04 00 00 ?...
-------------------

Thank you.
Last Wiki Answer Submitted:  March 25, 2007  7:48 am  by  Aliyani   265 pts.
All Answer Wiki Contributors:  Aliyani   265 pts.


Discuss This Question:


 

Hi,
Sorry of all my problem is so urgent!!!
Please help me if you can!!!???
There is a check box in the Date and Time menu that is used for adjusting the clock for daylight changes, but on my Mail server this item isn't there!!!! And the time of this DC is one hour behind my master DC (DC)!!! For example, now the time of DC is 8:20 AM but the time of Mail is 7:20 AM!!!
When I run (net time \\dc /set /y) on Mail it says:

Current time at DC is 3/27/2007 07:25 AM
Local time (GMT+04:30) at DC is 3/27/2007 08:25 AM
The command completed successfully.
But we are in GMT+03:30!!!!!! And I checked the time zone and it is correct on the two DCs and is GMT+03:30!!!!!
All of my OSes are original and I update them from the Microsoft site every week!!!!!!
What's the problem!!!??
Please help me!!!!
Thank you.
—–
Regards
Mahnaz

 265 pts.

 

I'm assuming you are not in the US. I know with the daylight savings time patches that things here got a little weird. You could try changing the time zone, clicking Apply, and then changing it back to the proper time zone, and see if that fixes the problem.

Lirria

 0 pts.

 

1) By how much time are you off on the systems?
2) Make sure you run the DST update patch if you guys were affected by the DST change.
3) Kerberos authentication won't work if the system clock is off by more than 5 minutes, as Kerberos authentication depends on time synchronization.

My question would be: by how long are the clients different? Is it a random time difference or by 1 hour?

 0 pts.
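The Kerberos and LSASRV records posted in the Answer Wiki each carry one of two clock-skew markers (KRB_AP_ERR_TKT_NYV or 0xc0000133), while the MsGina record does not. The following is an added example, not part of any post in this thread: it groups skew-related records by the server they were raised against; the sample text, its host names, and all function and variable names are constructed for the example.

```python
import re
from collections import defaultdict

# Markers copied from the event text quoted in this thread.
SKEW_MARKERS = {"krb_ap_err_tkt_nyv": "ticket not yet valid",
                "0xc0000133": "time difference too large"}
FIELD_RE = re.compile(
    r"Event Source:\s*(?P<source>\S+).*?Event ID:\s*(?P<event_id>\d+).*?"
    r"Description:\s*(?P<description>.*)", re.S)
# The target appears as "from the server NAME." or "for the server cifs/NAME."
TARGET_RE = re.compile(r"(?:from|for) the server\s+(?:\w+/)?(\S+?)\.(?:\s|$)")

# Constructed sample in the same flattened layout; host names are made up.
SAMPLE = (
    "Event Type: Error Event Source: Kerberos Event Category: None Event ID: 5 "
    "Date: 1/1/2000 Time: 2:34:13 PM User: N/A Computer: SRV2 Description: The "
    "kerberos client received a KRB_AP_ERR_TKT_NYV error from the server HOST-A$. "
    "This indicates that the ticket used against that server is not yet valid. "
    "----------------- Event Type: Warning Event Source: LSASRV Event Category: "
    "SPNEGO (Negotiator) Event ID: 40960 Date: 1/1/2000 Time: 1:16:04 PM User: N/A "
    "Computer: SRV2 Description: The Security System detected an authentication "
    "error for the server cifs/fs1.example.test. The failure code from "
    "authentication protocol Kerberos was \"(0xc0000133)\". "
    "----------------- Event Type: Error Event Source: MsGina Event Category: None "
    "Event ID: 1010 Date: 1/1/2000 Time: 2:05:30 PM User: N/A Computer: SRV2 "
    "Description: Failed to set the user's home directory."
)

def triage(text):
    """Map each target server to the skew-related events raised against it."""
    hits = defaultdict(set)
    for record in re.split(r"\s*-{5,}\s*", text):
        fields = FIELD_RE.search(record)
        if not fields:
            continue
        desc = fields["description"]
        reason = next((label for marker, label in SKEW_MARKERS.items()
                       if marker in desc.lower()), None)
        target = TARGET_RE.search(desc)
        if reason and target:
            name = target.group(1).rstrip("$").lower()
            hits[name].add((int(fields["event_id"]), fields["source"], reason))
    return {name: sorted(events) for name, events in hits.items()}

if __name__ == "__main__":
    for name, events in triage(SAMPLE).items():
        print(name, events)
```

Targets that appear in the result are the machines whose clocks should be compared against the domain controller first; records without a skew marker are left out so they can be investigated separately.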

 

By the way, what computers do you have? Is it a mix of Windows XP and 2000? If yes, on Windows 2000 you had to manually apply the TZedit tool.

 0 pts.

 

one thing to try is at a command prompt on the mail server do this:

net time /querysntp

this will tell you where your server is getting its time from. You could set this to your other server and then set your other server to get its time from the internet with this command on each server:

net time \\servername /set /yes

for a list of internet servers:

http://tf.nist.gov/service/time-servers.html

 6,850 pts.

 

whoops, just tested my net time command and it did not work. To set the timeserver on your server use this command:

net time /setsntp:servername

that does work, I just tested it. thanks.

 6,850 pts.