#1 |
|
Eggs anyone?
Join Date: Oct 1999
Location: Hong Kong
Posts: 1,560
|
This is long and tedious but perhaps someone can help!
Below are the event view errors we get:

The server was unable to logon the Windows NT account 'IUSR_CYCALWEBAPP1' due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. The data is the error code.

Because of repeated network problems, the time service has not been able to find a domain controller to synchronize with for a long time. To reduce network traffic, the time service will wait 960 minutes before trying again. No synchronization will take place during this interval, even if network connectivity is restored. Accumulated time errors may cause certain network operations to fail. To tell the time service that network connectivity has been restored and that it should resynchronize, execute "w32tm /s" from the command line.

The server was unable to register the administration tool discovery information. The administration tool may not be able to see this server. The data is the error code. (W3SVC)

The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible. (W32Time)

------------------------------------------------------------

What this error does is cause our intranet site to prompt for authentication; basically it's down. Each morning we have to reboot the machine in order to get the intranet to function correctly without the authentication window popping up. Somehow settings are changed later in the day causing the authentication window to pop up.

The setup is a pdc win2k advance server with AD running. The errors are from a stand alone server called cycalwebapp1. IUSR_CYCALWEBAPP1 has local rights in policy settings and all permissions are correct. We used net time to sync cycalwebapp1 to our pdc. We are totally stumped. Any ideas anyone??
#2 |
|
Member (3 bit)
|
Is CYCALWEBAPP1 a Windows 2000 Server?
Are you sure that the "IUSR_CYCALWEBAPP1" account has logon locally rights? Do you have any third party software that controls or monitors security in your domain? Do you have any "Group Policies" that are preventing this account from having the "Logon Locally" right on that system?
#3 |
|
Eggs anyone?
Join Date: Oct 1999
Location: Hong Kong
Posts: 1,560
|
Yup, cycalwebapp1 is a server. The strange thing is that everything is set up right, local rights and policies are correct. Users get access during the day no problem but somehow they can't next day until the machine is rebooted. Obviously if the local and group policies weren't correct in the first place the users would not be able to access the apps on cycalwebapp1.
I look at the logs the previous evening and notice the time services error popping up, so I think that's the underlying issue.
#4 |
|
Member (3 bit)
|
By default, the "Time Service" on the workstations and the member servers synchronizes with an authenticating domain controller for their respective domain. You don't need to make any manual changes. However, the first domain controller in the forest needs to be synchronized with an outside time source.

Review the following article:

SUMMARY
=======

Windows 2000 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. The purpose of the time service is to ensure that all Windows 2000-based computers within an enterprise use a common time. The Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

MORE INFORMATION
================

Windows 2000 computers use the following hierarchy by default:

- All client desktops nominate as their in-bound time partner the authenticating domain controller.
- All member servers follow the same process as client desktops.
- All domain controllers in a domain nominate the primary domain controller (PDC) Flexible Single Master Operation (FSMO) as their in-bound time partner.
- All PDC FSMOs follow the hierarchy of domains in the selection of their in-bound time partner.

Following this hierarchy, the PDC FSMO at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. This fact is logged in the System log on the computer itself as Event ID 62.

Administrators can configure the Windows Time service on the PDC FSMO at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative, using the following NET TIME command:

   net time /setsntp:

There are several SNTP time servers run by the U.S. Naval Observatory that are satisfactory for this function. For example:

- ntp2.usno.navy.mil at 192.5.41.209
- tock.usno.navy.mil at 192.5.41.41

After setting the SNTP time server as authoritative, run the following command to reset the local machine's time against the authoritative time server:

   net time /set

More information about the net time command is available at the command prompt by typing the following command:

   net time /?

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

NOTE: Administrators can also configure an internal time server as authoritative by using the NET TIME command. If they direct the command to the FSMO itself, it may be necessary to reboot the server for the changes to take effect.
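
Added example, not part of the original post or the quoted article: a minimal SNTP check in Python showing what a query to UDP port 123 looks like and how the clock offset against a time source is derived from the reply. The function names and the constructed reply are assumptions made for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client)."""
    return bytes([0x1B]) + bytes(47)

def _to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def parse_reply(packet, t1, t4):
    """Return (stratum, offset, delay) in seconds.
    t1/t4 are the local Unix times the request left and the reply arrived."""
    if len(packet) < 48:
        raise ValueError("short SNTP reply")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("time source is itself unsynchronised")
    # Receive timestamp at bytes 32-39, transmit timestamp at bytes 40-47.
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    t2, t3 = _to_unix(rx_s, rx_f), _to_unix(tx_s, tx_f)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # positive: source is ahead of us
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server hold time
    return stratum, offset, delay

def query(server, timeout=3.0):
    """Live check. A timeout here usually means UDP 123 is filtered
    or nothing is answering SNTP at that address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(), (server, 123))
        packet, _ = s.recvfrom(512)
        return parse_reply(packet, t1, time.time())

def constructed_reply(t2, t3, stratum=2):
    """Constructed sample reply for offline use (not captured traffic)."""
    def ts(t):
        return struct.pack("!II", int(t) + NTP_EPOCH_DELTA, int((t % 1) * 2**32))
    return bytes([0x1C, stratum]) + bytes(30) + ts(t2) + ts(t3)  # LI=0, VN=3, Mode=4
```

Running `query()` from the member server against the domain controller, and from the forest root PDC against its external source, shows which hop of the hierarchy is not answering.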
#5 |
|
Eggs anyone?
Join Date: Oct 1999
Location: Hong Kong
Posts: 1,560
|
Thanks for the article, but I have already tried it out to no avail. The more I think about it the more I think our domain is messed up somehow. Before, I messed around with some policies, which somehow messed up active directory. Had to do a restore. The network was designed before I started.