
Event ID 40960 and 40961


Spale

Jul 2, 2004, 4:08:38 AM
I have a little problem. After upgrading from Win2000 to Win2003 on my domain
controllers I have these errors:

The Security System detected an authentication error for the server
cifs/KBRGXV4.vbba.volksbank.ba. The failure code from authentication
protocol Kerberos was "{Operation Failed}

The requested operation was unsuccessful.

(0xc0000001)".

The Security System could not establish a secured connection with the server
cifs/KBRGXV4.vbba.volksbank.ba. No authentication protocol was available.

I have DHCP on every server. First I found that you have to set
credentials and set a user to update DNS. I created a domain user and use him
for DNS updates. Then I found that this error could be something related to
the reverse lookup zone on my DNS, but I have a reverse lookup zone. Any idea?


Cameron Ye (MSFT)

Jul 4, 2004, 11:42:26 PM
Hi Spale,

Thank you for posting to Microsoft newsgroup.

Based on the information you provided, I would like to provide the
following suggestions:

1. If the 40960/40961 events only happen at boot, it is likely the scenario
outlined in the following KB articles:

824217 LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
Domain
http://support.microsoft.com/?id=824217

823712 Event IDs 40960 and 40961 in the System Event Log When You Restart
http://support.microsoft.com/?id=823712

A service attempts to authenticate before the directory service is
available. In that scenario, the events can be ignored.

2. If the 40960/40961 events happen at a regular interval (i.e., hourly),
try to determine what service may need to authenticate at that interval.
For example, if an XP/2003 machine is pointed directly at a DNS server that
doesn't support Kerberos, secure dynamic updates will generate 40960/40961
events. Even if the XP/2003 machine is pointed to a 2000/2003 DNS server, if
the SOA for the zone is a non-Microsoft DNS server that doesn't support
Kerberos, the 40960/40961 events can still be generated.

3. Get a list of the computer names of the DCs in the domain, and compare
that to a list of all machine accounts in the forest to see if there is a
name conflict. For example, if NTSERVER is a member server in the parent
domain, and NTSERVER is a DC in the child domain, you can see 40960/40961
events because of the name conflict.

4. Verify RPC Locator is correctly configured:

Started, Automatic - Windows 2000 domain controllers.
Stopped, Manual - Windows Server 2003 domain controllers & member servers.
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.

5. If the registry on the DC contains the NT4Emulator registry value in the
following registry key, set it to 0, or delete it entirely.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

6. Verify the DHCP client service is started on all machines. Even machines
with static IP addresses (including domain controllers and member servers)
need to have DHCP client service enabled because that service handles DNS
dynamic updates.

7. Verify there isn't a time skew between machines. Make sure to verify the
time, date, and year, are all the same. Appendix A of the Troubleshooting
Kerberos Errors white paper shows a sample trace where clock skew breaks
Kerberos.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#XSLTsection131121120120

8. Kerberos UDP packet fragmentation can result in Kerberos failure.
Appendix A of the Troubleshooting Kerberos Errors white paper shows a
sample trace where UDP fragmentation breaks Kerberos.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#XSLTsection131121120120

2003 - RTM defaults to MaxPacketSize of 1465 bytes.
2000 - RTM defaults to 2000 bytes. With hotfix 315150 or SP4, default is 1465.
XP - RTM defaults to 2000 bytes. With SP2, default is 1465. There is no
hotfix, SP2 is the only way to get the 1465 default without manually setting
the MaxPacketSize reg value to 1465.

315150 Logon Authentication, Active Directory Replication, and Domain Joins Do
http://support.microsoft.com/?id=315150

Otherwise, use the MaxPacketSize registry value to force the use of TCP for
Kerberos instead of UDP.

244474 How to force Kerberos to use TCP instead of UDP
http://support.microsoft.com/?id=244474

9. Reset the secure channel.

10. Create a reverse lookup zone and add the DNS server to it. NOTE: If you
can explain why this would resolve 40960/40961 events, please email
clandis. The step is included here because it was the fix in a customer
verified solution object, but more information is needed to understand why
this would resolve the 40960/40961 events.

11. Verify the necessary SPNs are registered, based on the information in
the event description.

12. Clear cached credentials.

2003 - Control Panel, Stored User Names and Passwords, Remove them all.

13. Based on the information in the event description, verify that the SAM
account name of one account is not the same as the UPN of another account.

Best regards,

Cameron Ye

MCSE NT4/2K, MCDBA 2000, MCSA 2003

Microsoft Partner Support Professional

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights
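
Items 4, 5, 6 and 8 of the checklist above can be read off a machine in one pass. The following is an added example, not part of the original post or of Microsoft's guidance; it assumes Windows PowerShell 3.0 or later run locally as an administrator on a Windows Server 2003-class DC or member server, and it takes the Kerberos `MaxPacketSize` key path from KB 244474 rather than from this page.

```powershell
# Added example: read-only checks for checklist items 4, 5, 6 and 8.
# Nothing is modified; each check returns one row with an OK flag.

# Items 4 and 6. 'RpcLocator' and 'Dhcp' are the service names of RPC Locator
# and DHCP Client. Expected values are the ones the post gives for a
# Windows Server 2003 domain controller or member server.
$expected = @{
    RpcLocator = @{ State = 'Stopped'; StartMode = 'Manual' }
    Dhcp       = @{ State = 'Running'; StartMode = $null }  # item 6 only requires "started"
}

$report = @(foreach ($name in $expected.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        [pscustomobject]@{ Check = "Service $name"; Found = 'not installed'; OK = $false }
        continue
    }
    $want = $expected[$name]
    $ok = ($svc.State -eq $want.State) -and
          (-not $want.StartMode -or $svc.StartMode -eq $want.StartMode)
    [pscustomobject]@{
        Check = "Service $name"
        Found = "$($svc.State), $($svc.StartMode)"
        OK    = $ok
    }
})

# Item 5: NT4Emulator should be 0 or absent.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$nt4 = (Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue).NT4Emulator
$report += [pscustomobject]@{
    Check = 'NT4Emulator'
    Found = if ($null -eq $nt4) { 'absent' } else { $nt4 }
    OK    = ($null -eq $nt4) -or ($nt4 -eq 0)
}

# Item 8: MaxPacketSize (key path per KB 244474, an assumption not on this page).
# Absent means the OS default applies, which the post gives as 1465 on 2003 RTM.
$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $kerb -ErrorAction SilentlyContinue).MaxPacketSize
$report += [pscustomobject]@{
    Check = 'Kerberos MaxPacketSize'
    Found = if ($null -eq $max) { 'absent (OS default)' } else { $max }
    OK    = ($null -eq $max) -or ($max -le 1465)
}

$report | Format-Table -AutoSize
```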

Spale

Jul 5, 2004, 3:42:44 AM
Thanks Cameron for this very long answer. I discovered that the DHCP client is
not started on the domain controller where these errors are showing. When I
attempt to start that server it says Error 5: Access is Denied.


What to do?


Cameron Ye (MSFT)

Jul 7, 2004, 2:30:17 AM
Hi Spale,

Thank you for your reply.

This issue occurs if the Network Service security account does not have
sufficient privileges to access the following registry subkeys when you
upgrade to Windows Server 2003:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

To resolve this issue, assign the Network Service account full control
access to the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

To do this, please perform the following steps:

1. On the Windows Server 2003-based domain controller, start Registry
Editor (Regedit.exe).

2. Locate, and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

3. Right-click "Dhcp", and then click "Permissions".

4. Click Add, type network service

Best regards,

Cameron Ye

MCSE NT4/2K, MCDBA 2000, MCSA 2003

Microsoft Partner Support Professional
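
Before changing permissions it helps to see what the Network Service account currently holds on the two keys named in the reply above. The following is an added example, not part of the original post; it assumes Windows PowerShell run as an administrator, and it only inspects ACEs granted directly to the account's well-known SID, not rights obtained through group membership.

```powershell
# Added example: report Network Service's direct ACEs on the two registry
# keys from the reply. Read-only; no permissions are changed.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'

# S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE; matching on
# the SID avoids localized account names.
$networkService = 'S-1-5-20'
$fullControl    = [int][System.Security.AccessControl.RegistryRights]::FullControl
$sidType        = [System.Security.Principal.SecurityIdentifier]

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $aces = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $networkService })

    # An Allow ACE counts as Full Control only if every FullControl bit is set.
    $allowFull = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band $fullControl) -eq $fullControl)
    })
    # A Deny ACE overrides Allow entries, so report it separately.
    $deny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Key            = $key
        Owner          = $acl.Owner
        FullControl    = $allowFull.Count -gt 0
        DenyAcePresent = $deny.Count -gt 0
        Aces           = ($aces | ForEach-Object {
                             "$($_.AccessControlType):$($_.RegistryRights)"
                         }) -join '; '
    }
}
```

An empty `Aces` column with `FullControl` false matches the condition the reply describes, where the account has no sufficient grant on the key after the upgrade.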


Spale

Jul 7, 2004, 4:59:23 AM
That's it. Thanks very much.


Cameron Ye (MSFT)

Jul 8, 2004, 5:09:31 AM
Hi Spale,

Thank you for your update.

I am glad to hear that the information I provided is useful for you. It is
my pleasure to work with you in this post. If you encounter any
difficulties in the future, please submit the post to the newsgroup. We
are glad to be of assistance.

Again, thank you for using Microsoft newsgroup. Have a nice day. :)

Best regards,

Cameron Ye

MCSE NT4/2K, MCDBA 2000, MCSA 2003

Microsoft Partner Support Professional
