
Is This Possible?

Status
Not open for further replies.

anthonymeluso

IS-IT--Management
May 2, 2005
226
US
I have two DCs in my domain. My PDC connects online for time updates and that of course is replicated downward to other servers and workstations.

I also know how important current time is in a domain. Today out of nowhere my entire domain just stopped working on both DCs. It was a nightmare. But after a restart everything seemed fine again.

Looking through the logs I noticed that at around the time this problem happened there was an error message stating that the time service on the PDC had stopped. A very odd error. Could this have stopped my domain from functioning correctly?

Thanks!
 
Yes. Can't say I've seen it happen before, though.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Although the time service failed, it shouldn't have stopped users from authenticating. My lab domain doesn't connect to any time servers and although it complains, it still works. Did you check the event logs on the DC for other possible issues? Also, you may want to run DCDiag in order to check to see if there are any other problems afoot.
 
A time stamp is required for Kerberos authentication. So, if the PDC Emulator's time service wasn't working, and the other DC was the one trying to authenticate most of the network, it is feasible that nothing would be working because the second DC would not be able to verify the Kerberos time stamp. Please correct me if I'm wrong.
 
Well, it happened again today at nearly the same time. At 11:14 the time service stops on my PDC. At 11:15 my second DC gets this error:

DFS could not contact the nixon.lan.stmaryrutherford.org Active Directory. DFS will be using cached data. The return code is in the record data.

About 30 minutes later nothing works. I mean you can't log in or search AD or anything.

The time error I'm getting is:

The time service encountered an error and was forced to shut down. The error was: 0xC0020018

I can't find anything related to that error code online.

Anyone have any guesses? Cause this is just weird. Oh btw I changed my NTP server right after I rebooted the PDC today.
 
Is your Windows Time service and/or NETLOGON using another account for authentication (or has the password been changed on the LocalService account)?
As to what Flodiggs has indicated, he is correct that an invalid time stamp might cause AD comms to fail, but I would assume unless the time has been skewed greatly, that time should remain up to date even without a time server present.
 
I don't believe either password has been changed, and it's using the default accounts to log on. NETLOGON is using the local system account and Windows Time is using the LocalService account.

Could any of this be related to a bad time server?
 
I added the "LocalService" account to have change time permissions even though the "Local Service" account was already there. Is there a difference between the two? One has a space in it, the other doesn't.

I will have to wait and see.

Thank you all for helping me on this problem.
 