
The Security System could not establish a secured connection with the server DNS/s06.phxmsk.ru.


Kirill S. Palagin

Jan 6, 2004, 5:05:10 AM1/6/04
Hello.

I am getting events 40961 (below) every hour.
This happens on S06 (which is mentioned in event). This machine has W2K3
and hosts internal DNS server. Domain Controller (W2K3) is on the other
machine. No forwarders are specified, Secure cache against pollution is
enabled, ipconfig /all below.
824217 and 823712 are irrelevant.


What could be the cause and how do I solve the problem?
Thanks a lot.


Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 06.01.2004
Time: 12:39:23
User: N/A
Computer: S06
Description:
The Security System could not establish a secured connection with the
server DNS/s06.phxmsk.ru. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ?..À


Windows IP Configuration

Host Name . . . . . . . . . . . . : s06
Primary Dns Suffix . . . . . . . : phxmsk.ru
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phxmsk.ru

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For
Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-75-E9-96-9E

Ethernet adapter Local Area Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Connection #2
Physical Address. . . . . . . . . : 00-03-47-31-F9-A9

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Connection
Physical Address. . . . . . . . . : 00-03-47-31-F9-A8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.0.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.16


Ulf B. Simon-Weidner

Jan 6, 2004, 10:27:56 AM1/6/04
In article <3FFA8856...@nomail.phxint.please.ru>, Kirill S. Palagin
says...

> I am getting events 40961 (below) every hour.
> This happens on S06 (which is mentioned in event). This machine has W2K3
> and hosts internal DNS server. Domain Controller (W2K3) is on the other
> machine. No forwarders are specified, Secure cache against pollution is
> enabled, ipconfig /all below.
> 824217 and 823712 are irrelevant.
>
>
> What could be the cause and how do I solve the problem?
> Thanks a lot.
>
>
Hi Kirill,

there are some suggestions:
http://www.eventid.net/display.asp?eventid=40961&source=

Hope one of them helps you.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Kirill S. Palagin

Jan 6, 2004, 11:21:11 AM1/6/04
Thanks a lot.
This
"If this warning appears by itself on an hourly basis, check that the
credentials assigned to the DHCP server to register DNS dynamic updates are
valid. Spelling errors or incorrect passwords and/or domain names can be to
blame. To do this in Windows Server 2003, open the DHCP snap-in, open the
properties for your DHCP server, select the "Advanced" tab, and click the
"Credentials" button. Verify the username, password, and domain listed here
are valid."
seems to apply - Username and domain are empty. What should be there?

Ulf B. Simon-Weidner

Jan 6, 2004, 2:23:17 PM1/6/04
In article <3FFAE077...@nomail.phxint.please.ru>, Kirill S. Palagin
says...

> This
> "If this warning appears by itself on an hourly basis, check that the
> credentials assigned to the DHCP server to register DNS dynamic updates are
> valid. Spelling errors or incorrect passwords and/or domain names can be to
> blame. To do this in Windows Server 2003, open the DHCP snap-in, open the
> properties for your DHCP server, select the "Advanced" tab, and click the
> "Credentials" button. Verify the username, password, and domain listed here
> are valid."
> seems to apply - Username and domain are empty. What should be there?
>
Hi Kirill,

I'd create a service account with the right to update and write dns-records for
the specific zone(s).

I haven't been able to verify this, but I believe the following rights will be
sufficient for an AD-Integrated DNS (note that the rights will have to be set in
Active Directory; the example below is for an AD-integrated DNS zone which will
be replicated to all AD DCs which are DNS servers in a WS2k3 AD):

On the Zoneobject (e.g.
DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nwtraders,DC=msft) for
itself:
Create dnsNode Objects
Delete dnsNode Objects
for dnsNode-Childobjects:
Write all Properties

Using dsacls out of the Support Tools you are able to set those rights as shown
(each command on a single line):

dsacls DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nwtraders,DC=msft /G nwtraders\mmuster:CCDC;dnsNode;

dsacls DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nwtraders,DC=msft /G nwtraders\mmuster:wp;;dnsNode /I:S

If that's too complicated, or for testing purposes, you can use an account with
DNS-Admin rights.

HTH - Feedback appreciated.
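The same delegation Ulf describes, carried out with the ActiveDirectory PowerShell module and the AD: drive instead of dsacls. This is an added example, not code from the thread or from Microsoft; it keeps the zone DN from Ulf's post, assumes a hypothetical service account nwtraders\svc-dhcpdns, and has to run under an account allowed to change the zone object's security descriptor. The two access rules mirror the two dsacls lines: CreateChild/DeleteChild of dnsNode on the zone object itself, and WriteProperty (all properties) inherited only by dnsNode descendants.

```powershell
# Added example (not from the thread): delegate DNS record update rights on an
# AD-integrated zone to a service account, equivalent to Ulf's two dsacls calls.
Import-Module ActiveDirectory

$zoneDn  = 'DC=nwtraders.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nwtraders,DC=msft'
$account = New-Object System.Security.Principal.NTAccount('nwtraders', 'svc-dhcpdns')  # hypothetical
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Look up the schemaIDGUID of the dnsNode class instead of hard-coding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$dnsNodeGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=dnsNode)' `
                                   -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$zoneDn"

# dsacls ... /G account:CCDC;dnsNode;
# -> create and delete dnsNode child objects, on the zone object only (no inheritance)
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $dnsNodeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# dsacls ... /G account:wp;;dnsNode /I:S
# -> write all properties, applied to dnsNode descendants only (inherit-only, not the zone itself)
$writeRecords = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $dnsNodeGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($writeRecords)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Verify: show exactly which ACEs the account now holds on the zone object.
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Scoping the grant this way, rather than using a DNS-Admins member as Ulf mentions for testing, keeps the DHCP server's credential limited to record objects in that one zone: it cannot alter the zone object itself or other zones if the account is ever compromised.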

Ace Fekay [MVP]

Jan 6, 2004, 3:46:22 PM1/6/04
In news:MPG.1a6529905...@msnews.microsoft.com,
Ulf B. Simon-Weidner <nospa...@usw-consulting.com> posted their thoughts,
then I offered mine

Just to add, from what I've seen in previous postings about this, just the
mere fact of creating a reverse zone and making sure there is a PTR for the
DCs should eliminate this.

:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
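A quick way to check the condition Ace describes, that every domain controller has a PTR record in a reverse zone, before deciding whether that is the fix. This is an added example, not Ace's code; it assumes the ActiveDirectory and DnsClient modules on a domain-joined machine, and $dnsServer is a placeholder (172.16.0.16 is simply the DNS server from Kirill's ipconfig output).

```powershell
# Added example (not from the thread): report, for each DC, whether a PTR record
# exists and whether it points back at the DC's own host name.
Import-Module ActiveDirectory

$dnsServer = '172.16.0.16'   # placeholder: the DNS server to query

function Get-ReverseName([string]$IPv4) {
    # 172.16.0.16 -> 16.0.16.172.in-addr.arpa
    $octets = $IPv4 -split '\.'
    return (($octets[3..0]) -join '.') + '.in-addr.arpa'
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $reverse = Get-ReverseName $dc.IPv4Address
    try {
        # NXDOMAIN or a missing reverse zone raises a terminating error here.
        $ptr = Resolve-DnsName -Name $reverse -Type PTR -Server $dnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'PTR' }
        $names = @($ptr.NameHost | ForEach-Object { $_.TrimEnd('.') })
        $status = if ($names -contains $dc.HostName) { 'OK' }
                  elseif ($names.Count -gt 0)        { 'PTR points elsewhere' }
                  else                               { 'No PTR' }
    } catch {
        $names  = @()
        $status = "No PTR ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        DC      = $dc.HostName
        Address = $dc.IPv4Address
        Reverse = $reverse
        PtrHost = ($names -join ', ')
        Status  = $status
    }
}

$results | Format-Table -AutoSize
```

Any row that is not 'OK' is a DC whose reverse lookup will fail when a service tries to build an SPN from its address, which is the situation Ace's suggestion addresses.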


Kirill S. Palagin

Jan 8, 2004, 1:32:53 AM1/8/04
Ace, Ulf,
seems that a restart of NETLOGON has stopped those events.

Thanks a lot.

Ace Fekay [MVP]

Jan 8, 2004, 1:37:11 PM1/8/04
In news:3FFCF995...@nomail.phxint.please.ru,
Kirill S. Palagin <kpal...@nomail.phxint.please.ru> posted their thoughts,
then I offered mine

> Ace, Ulf,
> seems that a restart of NETLOGON has stopped those events.
>
> Thanks a lot.

Glad to hear it was that easy!
