"Losing" Domain Authentication win2k3

Verdant

i am having this problem that i cannot seem to figure out:

the small network is set up like this:
2 Domain win2k3 Controllers
1 SQL server server on 2k3
1 data storage on 2000 pro
15 windows xp clients

the clients work great with everything, sql, fileshares, etc after first logging in

however after some time, (always after an overnight, but usually if the machine is logged on in the morning, and not logged off until evening)
the clients seem to lose their "authentication" they cannot connect to SQL, and mapped drives, and attempts to browse files from network neighborhood are broken, explorer gives "disconnected network drive" and attempts to reconnect give an error something like: "connection with those credentials already in use"

the web browsing which is just done through a router and is not managed by the domain works fine.
also i can still browse users when setting permissions, but it is REALLY slow compared to the usual.

If i log out and back in the issue is resolved...

anyone have any ideas what might be causing this? is the client's authentication timing out? and if so, why is it not being re-issued authentication?
 

spyordie007

check DNS, your DCs are the DHCP and DNS servers for the LAN right (not the router)? run some queries against them to make sure they're working properly. although I don't have anything to back it yet this problem *feels* like a DNS issue.

Also make sure you are trying to pull up the fileshares over the network UNC path and not the web client network path (you can ensure this by going through my network places).
 

Verdant

the DCs are running dns... however i am not using any dhcp... all the computers have static ips... so that ports for live demos and such can easily be forwarded through the router.

i am going to verify that all clients are using the DC for dns... but i know that machines that have been having problems are using the DC.

i have increased the kerberos authentication ticket timeout to 12 hours and this has really fixed the problem for all intents and purposes, but it's just a "hack" and the clients should probably re-authenticate automatically.

as for connection, i have tried both unc and fileshares that are mapped /w logon scripts, basically it times out (around 15 seconds) and reports "connection already in use, connect with different credentials" (not sure of the exact message now that the problem is non-existent)

question, is there any way to configure the network settings remotely?
 

mikecel79

Sounds like your machines are not renewing their kerberos tickets. Did you make any changes to the Default Domain Controllers GPO?

One other thing to check is that the DHCP Client service is not disabled even though you are using DHCP. This service also registers your computer in DNS.

You can change network settings on a machine remotely using scripts. Check out the Microsoft Script Center for a pile of sample scripts.
 

stash

Is your time synchronized across the domain? The PDCe should be configured to source time from an external source, and all other DCs, member servers and clients should NOT be configured to source time. They will do it automatically.

net time /querysntp will tell you if the DCs and clients are using an external time source, but just check to make sure time is in sync.
 

Verdant

i think it's fixed now, for some reason the dns service was disabled on the primary... can't for the life of me figure out why... now to figure out why the secondary isn't working... sigh

lol

as for the time thing... yes... the time is all synchronized to a stratum 2 timeserver in alberta, and the clients to the domain
 

spyordie007

"for some reason the dns service was disabled on the primary"
If DNS wasn't running then Active Directory wouldn't run either. AD is critically dependent on the DNS service.

-Erik
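
The checks suggested across this thread (DNS service state and SRV lookups on each DC, clock offset, the client's DHCP Client service and DNS settings, cached Kerberos tickets) can be gathered into one batch file run on an affected client. This is an added example, not something posted by anyone in the thread; `example.local`, `dc01` and `dc02` are placeholder names to replace with the real domain and DC host names.

```batch
@echo off
rem Added example: DOMAIN and DCS are placeholders, not values from the thread.
setlocal
set DOMAIN=example.local
set DCS=dc01 dc02

for %%D in (%DCS%) do (
    echo ===== %%D =====
    rem Is the DNS Server service running on this DC? It was found disabled on the primary.
    sc \\%%D query DNS | find "STATE"

    rem Ask this DC directly for the SRV record clients use to locate a domain controller.
    nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %%D

    rem Clock offset between this machine and the DC.
    rem Kerberos rejects requests once the skew exceeds 5 minutes by default.
    w32tm /stripchart /computer:%%D /samples:3 /dataonly
)

echo ===== local client =====
rem The DHCP Client service also handles DNS registration, so it should be
rem running even on machines with static addresses.
sc query Dhcp | find "STATE"

rem Confirm the client points at the DCs for DNS and not at the router.
rem Only the first server per adapter appears on the matched line.
ipconfig /all | find "DNS Servers"

rem Which DC does the locator return for the domain right now?
rem nltest ships with the Support Tools on XP and Server 2003.
nltest /dsgetdc:%DOMAIN%

rem List cached Kerberos tickets with their end and renew times.
rem klist comes from the Resource Kit on XP and Server 2003.
klist tickets

endlocal
```

Running it once right after logon and again when the mapped drives drop shows which of the checks changed between the working and the broken state.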