Event Warning 40961 LSASRV

I get event warning 40961 (see below) regularly throughout the day. Although
it seems there is nothing real that in fact needs attention, I'd still like
to clear up this warning. Configuration is as follows: Win2k3 server, NOT
active directory, IIS, DNS, SQL2000SP4.

I'd appreciate any help in sorting this.

------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 27.10.2005
Time: 9:36:53
User: N/A
Computer: DNS1
Description:
The Security System could not establish a secured connection with the server
DNS/blah.domain.net. No authentication protocol was available.
------------------------------------------------------------------------------------------

Remove the ISP's DNS server from wherever it appears in the NIC under the
TCP/IP properties on your server. Never use your ISP's DNS server on any
NIC for any domain member in an AD domain.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


"The Vogon" <(E-Mail Removed)> wrote in message
news:812279C8-0883-4B21-AFC0-(E-Mail Removed)...
I get event warning 40961 (see below) regularly throughout the day. Although
it seems there is nothing real that in fact needs attention, I'd still like
to clear up this warning. Configuration is as follows: Win2k3 server, NOT
active directory, IIS, DNS, SQL2000SP4.

I'd appreciate any help in sorting this.

------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 27.10.2005
Time: 9:36:53
User: N/A
Computer: DNS1
Description:
The Security System could not establish a secured connection with the server
DNS/blah.domain.net. No authentication protocol was available.
------------------------------------------------------------------------------------------

Thanks for the reply Todd...

Ok, but I'm curious now :-)

....the servers throwing the LSASRV error were in fact, amongst other things,
my primary and secondary DNS servers... and are on the same physical network
and subnet as my provider's DNS servers... I've set the primary and secondary
DNS servers in TCP/IP settings on the NIC to be my own DNS servers, and as
yet haven't seen the LSASRV error... but why? Please note my servers are NOT
DC's and NOT using ADS :-S

The Vogon


"Todd J Heron" wrote:

> Remove the ISP's DNS server from wherever it appears in the NIC under the
> TCP/IP properties on your server. Never use your ISP's DNS server on any
> NIC for any domain member in an AD domain.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>
> "The Vogon" <(E-Mail Removed)> wrote in message
> news:812279C8-0883-4B21-AFC0-(E-Mail Removed)...
> I get event warning 40961 (see below) regularly throughout the day. Although
> it seems there is nothing real that in fact needs attention, I'd still like
> to clear up this warning. Configuration is as follows: Win2k3 server, NOT
> active directory, IIS, DNS, SQL2000SP4.
>
> I'd appreciate any help in sorting this.
>
> ------------------------------------------------------------------------------------------
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 27.10.2005
> Time: 9:36:53
> User: N/A
> Computer: DNS1
> Description:
> The Security System could not establish a secured connection with the server
> DNS/blah.domain.net. No authentication protocol was available.
> ------------------------------------------------------------------------------------------
>
>
>

Now that you've set the primary and secondary DNS servers in TCP/IP settings
on the NIC to be your own DNS servers, you will not see the LSASRV errors
(as you've confirmed). The reason is the system whether a DC or not will
attempt to register it's computer name into the DNS zone of it's primary DNS
suffix (which will be it's AD domain). Your ISP's server will not hold a
zone for your AD domain therefore the registration will fail.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


"The Vogon" <(E-Mail Removed)> wrote in message
news:13B44657-BCC8-4A3B-853A-(E-Mail Removed)...
Thanks for the reply Todd...

Ok, but I'm curious now :-)

....the servers throwing the LSASRV error were in fact, amongst other things,
my primary and secondary DNS servers... and are on the same physical network
and subnet as my provider's DNS servers... I've set the primary and
secondary
DNS servers in TCP/IP settings on the NIC to be my own DNS servers, and as
yet haven't seen the LSASRV error... but why? Please note my servers are NOT
DC's and NOT using ADS :-S

The Vogon

OK, thanks, that makes sense... unfortuantely however I'm still getting
event warnings as follows:
----------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 29.10.2005
Time: 23:12:48
User: N/A
Computer: DNS1
Description:
The Security System detected an authentication error for the server
DNS/ns.provider.net. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon
request.
(0xc000005e)".
----------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 29.10.2005
Time: 23:12:48
User: N/A
Computer: DNS1
Description:
The Security System could not establish a secured connection with the server
DNS/ns.provider.net. No authentication protocol was available.
----------------------------------------------------------------------------------

Note that these event warnings are occuring together at a frequency of
exactly one hour on both my primary and secondary DNS servers...





"Todd J Heron" wrote:

> Now that you've set the primary and secondary DNS servers in TCP/IP settings
> on the NIC to be your own DNS servers, you will not see the LSASRV errors
> (as you've confirmed). The reason is the system whether a DC or not will
> attempt to register it's computer name into the DNS zone of it's primary DNS
> suffix (which will be it's AD domain). Your ISP's server will not hold a
> zone for your AD domain therefore the registration will fail.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>
> "The Vogon" <(E-Mail Removed)> wrote in message
> news:13B44657-BCC8-4A3B-853A-(E-Mail Removed)...
> Thanks for the reply Todd...
>
> Ok, but I'm curious now :-)
>
> ....the servers throwing the LSASRV error were in fact, amongst other things,
> my primary and secondary DNS servers... and are on the same physical network
> and subnet as my provider's DNS servers... I've set the primary and
> secondary
> DNS servers in TCP/IP settings on the NIC to be my own DNS servers, and as
> yet haven't seen the LSASRV error... but why? Please note my servers are NOT
> DC's and NOT using ADS :-S
>
> The Vogon
>
>

Is the server multihomed? If so you must disable dynamic registration of
the extra NIC via registry modifications.

How to enable or disable DNS updates in Windows 2000 and in Windows Server
2003
http://support.microsoft.com/default...b;en-us;246804

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


"The Vogon" <(E-Mail Removed)> wrote in message
news:0A6FD650-0F6D-4939-BB1D-(E-Mail Removed)...

OK, thanks, that makes sense... unfortuantely however I'm still getting
event warnings as follows:
----------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 29.10.2005
Time: 23:12:48
User: N/A
Computer: DNS1
Description:
The Security System detected an authentication error for the server
DNS/ns.provider.net. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon
request.
(0xc000005e)".
----------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 29.10.2005
Time: 23:12:48
User: N/A
Computer: DNS1
Description:
The Security System could not establish a secured connection with the server
DNS/ns.provider.net. No authentication protocol was available.
----------------------------------------------------------------------------------

Note that these event warnings are occuring together at a frequency of
exactly one hour on both my primary and secondary DNS servers...

Indeed both servers are multihomed... The primary DNS server having 4 IP
addresses (DNS listening on one), but others used for SQL, mail etc... The
secondary DNS server has 10 IP addresses, one for DNS listening and others
for Web services etc. Both servers have only one physical NIC each. Their
statically configured HOST A entries for machine name are as the DNS
listening addresses.

Since they're not DC's I've left NetLogon Service A registrations alone as
they shouldn't exist or be relevant, and I've only added the following
registry key to disable dynamic DNS updates

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters
DWORD DisableDynamicUpdate
Value 1

I've not seen the LSASRV warnings for over an hour now, so this would now
seem to be resolved. Thanks very much for your help in this!

As a footnote, would you anticipate any unwanted side effects due to me
disabling these dynamic DNS updates?

The Vogon



"Todd J Heron" wrote:

> Is the server multihomed? If so you must disable dynamic registration of
> the extra NIC via registry modifications.
>
> How to enable or disable DNS updates in Windows 2000 and in Windows Server
> 2003
> http://support.microsoft.com/default...b;en-us;246804
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>
> "The Vogon" <(E-Mail Removed)> wrote in message
> news:0A6FD650-0F6D-4939-BB1D-(E-Mail Removed)...
>
> OK, thanks, that makes sense... unfortuantely however I'm still getting
> event warnings as follows:
> ----------------------------------------------------------------------------------
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 29.10.2005
> Time: 23:12:48
> User: N/A
> Computer: DNS1
> Description:
> The Security System detected an authentication error for the server
> DNS/ns.provider.net. The failure code from authentication protocol Kerberos
> was "There are currently no logon servers available to service the logon
> request.
> (0xc000005e)".
> ----------------------------------------------------------------------------------
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 29.10.2005
> Time: 23:12:48
> User: N/A
> Computer: DNS1
> Description:
> The Security System could not establish a secured connection with the server
> DNS/ns.provider.net. No authentication protocol was available.
> ----------------------------------------------------------------------------------
>
> Note that these event warnings are occuring together at a frequency of
> exactly one hour on both my primary and secondary DNS servers...
>
>
>

Actually, scratch that... I was a bit optimistic in saying the warning events
have gone, they haven't. I'm still getting these 2 warnings together once per
hour.

Also, I stated (from memory without checking) that the DNS server is
listening only on one address, this is in fact untrue, they both listen on
all adapter addresses.

Also, the netlogon service is not running on either server, yet I'm still
getting warnings about authentication failure to the providers nameserver.

Also, after making the registry entry previously stated, DNS services were
restarted.

Where do I go from here? Perhaps the problem lies with the DNS publish
addresses? There is no "publishaddresses" registry key in ...\DNS\Parameters,
should there be (with only one NS A Record defined)?

I'm a bit twitchy about messing too much with the registry on production
servers, so further expert advice would be much appreciated

The Vogon


"The Vogon" wrote:

>
> Indeed both servers are multihomed... The primary DNS server having 4 IP
> addresses (DNS listening on one), but others used for SQL, mail etc... The
> secondary DNS server has 10 IP addresses, one for DNS listening and others
> for Web services etc. Both servers have only one physical NIC each. Their
> statically configured HOST A entries for machine name are as the DNS
> listening addresses.
>
> Since they're not DC's I've left NetLogon Service A registrations alone as
> they shouldn't exist or be relevant, and I've only added the following
> registry key to disable dynamic DNS updates
>
> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters
> DWORD DisableDynamicUpdate
> Value 1
>
> I've not seen the LSASRV warnings for over an hour now, so this would now
> seem to be resolved. Thanks very much for your help in this!
>
> As a footnote, would you anticipate any unwanted side effects due to me
> disabling these dynamic DNS updates?
>
> The Vogon
>
>
>
> "Todd J Heron" wrote:
>
> > Is the server multihomed? If so you must disable dynamic registration of
> > the extra NIC via registry modifications.
> >
> > How to enable or disable DNS updates in Windows 2000 and in Windows Server
> > 2003
> > http://support.microsoft.com/default...b;en-us;246804
> >
> > --
> > Todd J Heron, MCSE
> > Windows Server 2003/2000/NT; CCA
> > ----------------------------------------------------------------------------
> > This posting is provided "as is" with no warranties and confers no rights
> >
> >
> > "The Vogon" <(E-Mail Removed)> wrote in message
> > news:0A6FD650-0F6D-4939-BB1D-(E-Mail Removed)...
> >
> > OK, thanks, that makes sense... unfortuantely however I'm still getting
> > event warnings as follows:
> > ----------------------------------------------------------------------------------
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40960
> > Date: 29.10.2005
> > Time: 23:12:48
> > User: N/A
> > Computer: DNS1
> > Description:
> > The Security System detected an authentication error for the server
> > DNS/ns.provider.net. The failure code from authentication protocol Kerberos
> > was "There are currently no logon servers available to service the logon
> > request.
> > (0xc000005e)".
> > ----------------------------------------------------------------------------------
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40961
> > Date: 29.10.2005
> > Time: 23:12:48
> > User: N/A
> > Computer: DNS1
> > Description:
> > The Security System could not establish a secured connection with the server
> > DNS/ns.provider.net. No authentication protocol was available.
> > ----------------------------------------------------------------------------------
> >
> > Note that these event warnings are occuring together at a frequency of
> > exactly one hour on both my primary and secondary DNS servers...
> >
> >
> >