I am getting event 40961 (below) every hour.
This happens on S06 (which is mentioned in the event). This machine has W2K3
and hosts the internal DNS server. The Domain Controller (W2K3) is on the other
machine. No forwarders are specified, Secure cache against pollution is
enabled, ipconfig /all below.
824217 and 823712 are irrelevant.
What could be the cause and how do I solve the problem?
Thanks a lot.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 06.01.2004
Time: 12:39:23
User: N/A
Computer: S06
Description:
The Security System could not establish a secured connection with the
server DNS/s06.phxmsk.ru. No authentication protocol was available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ?..À
Windows IP Configuration
Host Name . . . . . . . . . . . . : s06
Primary Dns Suffix . . . . . . . : phxmsk.ru
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phxmsk.ru
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For
Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-75-E9-96-9E
Ethernet adapter Local Area Connection 3:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Connection #2
Physical Address. . . . . . . . . : 00-03-47-31-F9-A9
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Connection
Physical Address. . . . . . . . . : 00-03-47-31-F9-A8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.0.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.16
There are some suggestions:
http://www.eventid.net/display.asp?eventid=40961&source=
Hope one of them helps you.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
I'd create a service account with the right to update and write DNS records for
the specific zone(s).
I haven't been able to verify this, but I believe the following rights will be
sufficient for an AD-integrated DNS (note that the rights will have to be set in
Active Directory; the example below is for an AD-integrated DNS zone which will
be replicated to all AD DCs which are DNS servers in a WS2k3 AD):
On the zone object (e.g.
DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nwtraders,DC=msft) for
itself:
Create dnsNode Objects
Delete dnsNode Objects
for dnsNode child objects:
Write all Properties
Using dsacls out of the Support Tools you are able to set those rights as shown
(but get rid of the line break):
dsacls DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,
DC=nwtraders,DC=msft /G nwtraders\mmuster:CCDC;dnsNode;
dsacls DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,
DC=nwtraders,DC=msft /G nwtraders\mmuster:wp;;dnsNode /I:S
If that's too complicated, or for testing purposes, you can use an account with
DNS-Admin rights.
HTH - Feedback appreciated.
Just to add, from what I've seen in previous postings about this, just the
mere fact of creating a reverse zone and making sure there is a PTR for the
DCs should eliminate this.
:-)
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
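As an added illustration of the reverse-zone suggestion above (not part of any post in this thread), this Python example derives the reverse zone and PTR owner name for the DNS server in the question and classifies a reverse lookup as ok, missing or mismatch. The function names are hypothetical; the IP address, mask and host name come from the ipconfig output in the question, and the resolver replies in the demo are constructed.

```python
import ipaddress
import socket


def reverse_zone(ip, mask):
    """Name of the in-addr.arpa zone covering ip (octet-aligned masks only)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip):
    """Owner name of the PTR record for ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_ptr(ip, expected_fqdn, lookup=socket.gethostbyaddr):
    """Return 'ok', 'missing' or 'mismatch' for the reverse lookup of ip."""
    try:
        name, aliases, _addrs = lookup(ip)
    except OSError:  # socket.herror / socket.gaierror: no PTR or no reverse zone
        return "missing"
    want = expected_fqdn.rstrip(".").lower()
    found = {n.rstrip(".").lower() for n in (name, *aliases)}
    return "ok" if want in found else "mismatch"


if __name__ == "__main__":
    # Values from the ipconfig /all output in the question.
    ip, mask, fqdn = "172.16.0.16", "255.255.255.0", "s06.phxmsk.ru"
    print("reverse zone:", reverse_zone(ip, mask))
    print("PTR owner   :", ptr_owner(ip))

    # Constructed resolver replies, so the demo runs offline.
    def no_reverse_zone(_ip):
        raise socket.herror(1, "Unknown host")

    def with_ptr(_ip):
        return ("s06.phxmsk.ru", [], [_ip])

    print("before:", check_ptr(ip, fqdn, lookup=no_reverse_zone))
    print("after :", check_ptr(ip, fqdn, lookup=with_ptr))
```

Called without the `lookup` argument, `check_ptr` queries the system resolver, so run it on a machine that uses 172.16.0.16 as its DNS server.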
--
=================================
Thanks a lot.
Glad to hear it was that easy!