MrxSmb Event 3034

[Cameron Dorrough]

Periodically our users complain of slow access to network shares and the
above event gets logged on the server (W2k+SP4). The last DWORD value is:
c0000133

I've been through the Microsoft KB and (JSI's as well) to no avail. Anyone
know what I might try to fix this??

Thanks in advance,
Cameron

 

[Mike Rosado [MSFT]]

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings /
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

 

[Cameron Dorrough]

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any way to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings /
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Periodically our users complain of slow access to network shares and the
above event gets logged on the server (W2k+SP4). The last DWORD value is:
c0000133

I've been through the Microsoft KB and (JSI's as well) to no avail. Anyone
know what I might try to fix this??

Thanks in advance,
Cameron

 

[Cameron Dorrough]

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any way to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings /
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Periodically our users complain of slow access to network shares and the
above event gets logged on the server (W2k+SP4). The last DWORD value is:
c0000133

I've been through the Microsoft KB and (JSI's as well) to no avail. Anyone
know what I might try to fix this??

Thanks in advance,
Cameron

 

[Mike Rosado [MSFT]]

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any way to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings /
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Periodically our users complain of slow access to network shares and the
above event gets logged on the server (W2k+SP4). The last DWORD value is:
c0000133

I've been through the Microsoft KB and (JSI's as well) to no avail. Anyone
know what I might try to fix this??

Thanks in advance,
Cameron

 

[Cameron Dorrough]

Thanks - I'll try that.

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any

way

to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security

Settings

/ value
is:

 

[Cameron Dorrough]

Mike, I had a look through the registry on our other DC and could find no
entries to assist with this.

ADUC doesn't allow you to add them or copy them somehow from the Default
Domain Policy and I am guessing that we would need to re-install our entire
domain to recover these missing values.

We're screwed, right?

Cameron

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any

way

to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or GPO
issues, but I'll try to assist you to the best of my ability. Here's the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security

Settings

/ value
is:

 

[Mike Rosado [MSFT]]

Cameron

As mention before, I'm by no means an expert in this subject matter. But
see if this article helps some how.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike, I had a look through the registry on our other DC and could find no
entries to assist with this.

ADUC doesn't allow you to add them or copy them somehow from the Default
Domain Policy and I am guessing that we would need to re-install our entire
domain to recover these missing values.

We're screwed, right?

Cameron

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any

way

to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking

and/or
GPO

issues, but I'll try to assist you to the best of my ability.

Here's
the

article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it
means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then
click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not
Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security

Settings

/
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be
infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your

newsreader

so and
the

 

[Mike Rosado [MSFT]]

Cameron

As mention before, I'm by no means an expert in this subject matter. But
see if this article helps some how.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

IMPORTANT TO NOTE:
For general backup and restore of the Default Domain Policy and Default
Domain Controller Policy, and also for other GPOs, Microsoft recommends that
you use the Group Policy Management Console (GPMC) to create regular backups
of these GPOs. You can then use GPMC in conjunction with these backups to
restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike, I had a look through the registry on our other DC and could find no
entries to assist with this.

ADUC doesn't allow you to add them or copy them somehow from the Default
Domain Policy and I am guessing that we would need to re-install our entire
domain to recover these missing values.

We're screwed, right?

Cameron

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any

way

to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking

and/or
GPO

issues, but I'll try to assist you to the best of my ability.

Here's
the

article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it
means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then
click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not
Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security

Settings

/
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous customer had
reported having this virus. He tried to cleanup the machine but did not
rebuild it, which is what we recommend doing when you're known to be
infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your

newsreader

so and
the

 

[Cameron Dorrough]

Thanks, Mike - I've run the RecreateDefpol.exe tool and nothing seems to
have changed... (a logon cycle is all that is supposed to be required -
perhaps I need to reboot??)

Are you *sure* there is supposed to be a Kerberos Policy in the DDC Policy
as well as the Default Domain policy?

It's all very, very strange.. but thanks for all your help!

Cameron

Cameron

As mention before, I'm by no means an expert in this subject matter. But
see if this article helps some how.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

IMPORTANT TO NOTE:
For general backup and restore of the Default Domain Policy and Default
Domain Controller Policy, and also for other GPOs, Microsoft recommends that
you use the Group Policy Management Console (GPMC) to create regular backups
of these GPOs. You can then use GPMC in conjunction with these backups to
restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike, I had a look through the registry on our other DC and could find no
entries to assist with this.

ADUC doesn't allow you to add them or copy them somehow from the Default
Domain Policy and I am guessing that we would need to re-install our entire
domain to recover these missing values.

We're screwed, right?

Cameron

Cameron,

As mention before, I'm by no means an expert in this subject matter. But
you can try to search the registry (REDEDIT) for Maximum Tolerance on a
work DC. Then see if you can export it to re-import to the DC having the
problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be

any
way

to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or
GPO
issues, but I'll try to assist you to the best of my ability. Here's
the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of c0000133, it
means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur if the
Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy" and then
click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not
Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security Settings
/
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry can be
removed by one of the Nimda Virus variants as the previous

customer
had

reported having this virus. He tried to cleanup the machine but

did
not

rebuild it, which is what we recommend doing when you're known to be
infect
by a virus of this category.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your

newsreader

so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Periodically our users complain of slow access to network shares and
the
above event gets logged on the server (W2k+SP4). The last DWORD value
is:
c0000133

I've been through the Microsoft KB and (JSI's as well) to no avail.
Anyone
know what I might try to fix this??

Thanks in advance,
Cameron

 

[Mike Rosado [MSFT]]

Cameron,

Yes, the Kerberos Policy does exist. See below. Maybe you should call
Microsoft Product Support Services and speak to a Support Engineer in the
Directory Services group.

[P.S. Kerberos policy is in the Default domain policy and not
Default Domain Controller policy]

- Expand "Computer Configuration" / Windows Settings / Security Settings

/ Account Policy / Kerberos Policy.

- There should be a policy called "Maximum Tolerance for Computer Clock

Synchronization" which is set to 5 minutes by default.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Thanks, Mike - I've run the RecreateDefpol.exe tool and nothing seems to
have changed... (a logon cycle is all that is supposed to be required -
perhaps I need to reboot??)

Are you *sure* there is supposed to be a Kerberos Policy in the DDC Policy
as well as the Default Domain policy?

It's all very, very strange.. but thanks for all your help!

Cameron

Cameron

As mention before, I'm by no means an expert in this subject matter. But
see if this article helps some how.

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

IMPORTANT TO NOTE:
For general backup and restore of the Default Domain Policy and Default
Domain Controller Policy, and also for other GPOs, Microsoft recommends that
you use the Group Policy Management Console (GPMC) to create regular backups
of these GPOs. You can then use GPMC in conjunction with these backups to
restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

on

a having
the

newsreader

so

that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.
<http://www.microsoft.com/info/cpyright.htm>

-----Original Message-----

Mike,

Bingo!.. the entire Kerberos Policy is missing (it is there in the
Default
Domain Policy though).

How do I recreate the Kerberos Policy? There does not seem to be any
way
to
do this from ADUC.

Thanks again.
Cameron

Hi Cameron,

I'm by no means an expert in this subject matter of networking and/or
GPO
issues, but I'll try to assist you to the best of my ability. Here's
the
article that discusses MRxSmb.

263142 Determining the Cause of an "MRxSmb 3034" Warning
http://support.microsoft.com/?id=263142

If you look in the Windows SDK at the DWORD hex value of

c0000133,
it

means
the following:

# for hex 0xc0000133 / decimal -1073741517 :
STATUS_TIME_DIFFERENCE_AT_DC
# The time at the Primary Domain Controller is different than
# the time at the Backup Domain Controller or member server
# by too large an amount.

NOW it's been previously reported, that this problem may occur

if
the

Kerberos Policy called "Maximum Tolerance for Computer Clock
Synchronization" is missing. This policy can be found in the
following
location:

- AD Users and Computers / Domain Controllers.
- Right-click "Domain Controllers" and select properties.
- Go to the group policy Tab.
- Choose the policy called "Default Domain Controller Policy"

and
then

click
on "Edit".
[P.S. Kerberos policy is in the Default domain policy and not
Default
Domain Controller policy]
- Expand "Computer Configuration" / Windows Settings / Security
Settings
/
Account Policy / Kerberos Policy.
- There should be a policy called "Maximum Tolerance for Computer
Clock
Synchronization" which is set to 5 minutes by default.
- If this is missing then it must be recreated.

Although we are not certain, but it is thought that this entry

can
be

removed by one of the Nimda Virus variants as the previous customer
had
reported having this virus. He tried to cleanup the machine but did
not
rebuild it, which is what we recommend doing when you're known

to

be shares
and