Event ID 40960 and 40961.

Hi again,

We have a DNS server on our network, having the following zones:
Forward Lookup: xxxx.local
Reverse Lookup: 192.168.1.x Subnet (Local Network: 192.168.1.0/24)

The server haven't promoted to DC yet.
After configured the DNS, everything look great, client can resolves
name, can do dynamic update, even in the Reverse Lookup Zone.

But I found there are two Warning occurs every hour: Event ID 40960 and
40961:


////////////////////////////////////////////////////////////////////////////
//////
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/21/2005
Time: 7:58:50 AM
User: N/A
Computer: SERVER
Description:
The Security System detected an authentication error for the server
DNS/prisoner.iana.org. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..ˆY

////////////////////////////////////////////////////////////////////////////
//////
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 1/21/2005
Time: 7:58:49 AM
User: N/A
Computer: SERVER
Description:
The Security System could not establish a secured connection with the
server DNS/prisoner.iana.org. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 88 03 00 c0 ?..ˆY

////////////////////////////////////////////////////////////////////////////
//////

**NOTE: "DNS/prisoner.iana.org" sometime will change to "DNS/server"**

I've googled and found some "solution", almost all "solutions" are
telling that it should be a problem of Reverse Lookup Zone. But I don't
think my Reverse Zone has any problem, but give it a try...
After changed my Reverse Lookup Zone to "192.x.x.x Subnet", the warning
is gone! BUT, all clients include the server itself failed to do a reverse
lookup zone (I test it by using nslookup).
OK, I config the Reverse Zone again, change it back to a "192.168.1.x
subnet", after the configuration, the error comes again!.

Any advice or suggestions would be great.
Thanks.

Nori

Sounds to me like this DNS server is set to query external DNS servers
for its own resolution. Configure the TCP/IP properties of the NIC to
point to itself (or another internal DNS server) and the errors should
go away.

Regards,
Scott


On 2005-01-20 23:02:14 -0500, "Nori" <(E-Mail Removed)> said:

> Hi again,
>
> We have a DNS server on our network, having the following zones:
> Forward Lookup: xxxx.local
> Reverse Lookup: 192.168.1.x Subnet (Local Network: 192.168.1.0/24)
>
> The server haven't promoted to DC yet.
> After configured the DNS, everything look great, client can resolves
> name, can do dynamic update, even in the Reverse Lookup Zone.
>
> But I found there are two Warning occurs every hour: Event ID 40960 and
> 40961:
>
>
> ////////////////////////////////////////////////////////////////////////////
> //////
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 1/21/2005
> Time: 7:58:50 AM
> User: N/A
> Computer: SERVER
> Description:
> The Security System detected an authentication error for the server
> DNS/prisoner.iana.org. The failure code from authentication protocol
> Kerberos was "There are currently no logon servers available to
> service the logon request.
> (0xc000005e)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
>
> ////////////////////////////////////////////////////////////////////////////
> //////
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 1/21/2005
> Time: 7:58:49 AM
> User: N/A
> Computer: SERVER
> Description:
> The Security System could not establish a secured connection with the
> server DNS/prisoner.iana.org. No authentication protocol was available.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
>
> ////////////////////////////////////////////////////////////////////////////
> //////
>
> **NOTE: "DNS/prisoner.iana.org" sometime will change to "DNS/server"**
>
> I've googled and found some "solution", almost all "solutions" are
> telling that it should be a problem of Reverse Lookup Zone. But I don't
> think my Reverse Zone has any problem, but give it a try...
> After changed my Reverse Lookup Zone to "192.x.x.x Subnet", the warning
> is gone! BUT, all clients include the server itself failed to do a reverse
> lookup zone (I test it by using nslookup).
> OK, I config the Reverse Zone again, change it back to a "192.168.1.x
> subnet", after the configuration, the error comes again!.
>
> Any advice or suggestions would be great.
> Thanks.
>
> Nori


--
Scott Lowe

Scott -

I have the same issue, however, I do want it to query these external DNS
servers for 2 stub zones that handle dynamic sub-domains resolution. Do I
need to fix something locally so this error doesn't appear, or do I just
ignore the error.

Thanks,

John

"Scott Lowe" wrote:

> Sounds to me like this DNS server is set to query external DNS servers
> for its own resolution. Configure the TCP/IP properties of the NIC to
> point to itself (or another internal DNS server) and the errors should
> go away.
>
> Regards,
> Scott
>
>
> On 2005-01-20 23:02:14 -0500, "Nori" <(E-Mail Removed)> said:
>
> > Hi again,
> >
> > We have a DNS server on our network, having the following zones:
> > Forward Lookup: xxxx.local
> > Reverse Lookup: 192.168.1.x Subnet (Local Network: 192.168.1.0/24)
> >
> > The server haven't promoted to DC yet.
> > After configured the DNS, everything look great, client can resolves
> > name, can do dynamic update, even in the Reverse Lookup Zone.
> >
> > But I found there are two Warning occurs every hour: Event ID 40960 and
> > 40961:
> >
> >
> > ////////////////////////////////////////////////////////////////////////////
> > //////
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40960
> > Date: 1/21/2005
> > Time: 7:58:50 AM
> > User: N/A
> > Computer: SERVER
> > Description:
> > The Security System detected an authentication error for the server
> > DNS/prisoner.iana.org. The failure code from authentication protocol
> > Kerberos was "There are currently no logon servers available to
> > service the logon request.
> > (0xc000005e)".
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> >
> > ////////////////////////////////////////////////////////////////////////////
> > //////
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40961
> > Date: 1/21/2005
> > Time: 7:58:49 AM
> > User: N/A
> > Computer: SERVER
> > Description:
> > The Security System could not establish a secured connection with the
> > server DNS/prisoner.iana.org. No authentication protocol was available.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> >
> > ////////////////////////////////////////////////////////////////////////////
> > //////
> >
> > **NOTE: "DNS/prisoner.iana.org" sometime will change to "DNS/server"**
> >
> > I've googled and found some "solution", almost all "solutions" are
> > telling that it should be a problem of Reverse Lookup Zone. But I don't
> > think my Reverse Zone has any problem, but give it a try...
> > After changed my Reverse Lookup Zone to "192.x.x.x Subnet", the warning
> > is gone! BUT, all clients include the server itself failed to do a reverse
> > lookup zone (I test it by using nslookup).
> > OK, I config the Reverse Zone again, change it back to a "192.168.1.x
> > subnet", after the configuration, the error comes again!.
> >
> > Any advice or suggestions would be great.
> > Thanks.
> >
> > Nori
>
>
> --
> Scott Lowe
>
>

You using Windows Server 2003 for your DNS server? Stub zones or not, all
workstations and servers in the AD domain, to include all DCs and DNS
servers themselves, should never be configured with external DNS servers in
any position on any network interface. In lieu of stub zones you have
option to use conditional forwarding which is another feature of Windows
Server 2003 DNS. Although since you are aware of and using stub zones you
most likely have good reason to keep using them.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

Hi Todd -

I'm sorry....did I imply I was running an AD domain?
I setup stub zones to aid in delegation of other zones
that are hosted. This 2003 server is specifically a
webserver and is completely disparate from my AD
domain.

This server is specifically for my IIS domains, dns
services and smtp domains. The stub zones are
to delegate portions of my domains that are on
dynamic addresses. Should I use conditional
forwarding instead?

I will read up on the subject if that is what I want
instead. This error is more an annoyance and my
anal need to have clean event logs. In practice,
I don't see anything wrong with any of the stub
zones that is serviced.

Thanks for any advise.

John

"Todd J Heron" wrote:

> You using Windows Server 2003 for your DNS server? Stub zones or not, all
> workstations and servers in the AD domain, to include all DCs and DNS
> servers themselves, should never be configured with external DNS servers in
> any position on any network interface. In lieu of stub zones you have
> option to use conditional forwarding which is another feature of Windows
> Server 2003 DNS. Although since you are aware of and using stub zones you
> most likely have good reason to keep using them.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>