Thread: EventID 40960, authentication error

  1. #1
    Hamish via WinServerKB.com Guest

    EventID 40960, authentication error

    I recently set up DNS on my Windows 2003 server. It is not running AD or a
    member of a domain, it's a standalone system.

    It is not a primary DNS server for any domains. Only a secondary server for a
    single domain.

    The server's name is ns1.mydomain.com. The IP does resolve to the DNS name and
    vice versa so as far as I can tell everything *should* be set up correctly.
    This both works on the server and externally. Queries on the DNS server are
    also being answered correctly so as far as I can tell it is working!

    The only problem is the following errors keep on appearing in my event log
    on an hourly basis:

    Source: LSASRV
    Category: SPNEGO (Negotiator)
    Category String: SPNEGO (Negotiator)
    Event: 40960
    User: N/A
    Computer: NS1

    The Security System detected an authentication error for the
    server DNS/ns1.domainname.com. The failure code from authentication protocol
    Kerberos
    was "There are currently no logon servers available to service the logon
    request.
    (0xc000005e)".

    and

    Source: LSASRV
    Category: SPNEGO (Negotiator)
    Category String: SPNEGO (Negotiator)
    Event: 40960
    User: N/A
    Computer: NS1

    The Security System detected an authentication error for the
    server DNS/ns1.ispdomain.com. The failure code from authentication protocol
    Kerberos
    was "There are currently no logon servers available to service the logon
    request.
    (0xc000005e)".

    ns1.domainname.com is the primary DNS server for mydomain.com.
    ns1.mydomain.com does not have any records for mydomain.com at all. I haven't
    even set up secondary copies.

    ns1.ispdomain.com is the primary DNS server for the domain that this server
    is a secondary for.

    It might be worth mentioning that both the primaries are Linux servers,
    although I don't think this would make a difference.

    Any guidance would be much appreciated!

    Thanks,
    Hamish

    --
    Message posted via WinServerKB.com
    http://www.winserverkb.com/Uwe/Forum...r-dns/200702/1


  2. #2
    Paul Bergson [MVP-DS] Guest

    Re: EventID 40960, authentication error


    Why don't you post the ipconfig /all of the machine that is having trouble
    as well as the dns servers the client is referring to. Define the role of
    each - Primary, secondary, client, etc...

    --
    Paul Bergson
    MVP - Directory Services
    MCT, MCSE, MCSA, Security+, BS CSci
    2003, 2000 (Early Achiever), NT

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.




  3. #3
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: EventID 40960, authentication error

    Hamish via WinServerKB.com wrote:
    > I recently set up DNS on my Windows 2003 server. It is not running AD
    > or a member of a domain, it's a standalone system.
    >
    > It is not a primary DNS server for any domains. Only a secondary
    > server for a single domain.


    I believe this is the key statement, you have a machine trying to register
    in the secondary zone on this server, and is using its forwarder, or the
    MNAME record on the SOA record to find the Master Server to register its
    records in. It could be this machine or another machine, and it does not
    matter that it is not part of an AD domain.
    Clearing the "Register this connection's addresses in DNS" check box should
    clear this up.

    >
    > The server's name is ns1.mydomain.com. The IP does resolve to the DNS
    > name and vice versa so as far as I can tell everything *should* be
    > set up correctly. This both works on the server and externally.
    > Queries on the DNS server are also being answered correctly so as far
    > as I can tell it is working!
    >
    > The only problem is the following errors keep on appearing in my
    > event log on an hourly basis:
    >
    > Source: LSASRV
    > Category: SPNEGO (Negotiator)
    > Category String: SPNEGO (Negotiator)
    > Event: 40960
    > User: N/A
    > Computer: NS1
    >
    > The Security System detected an authentication error for the
    > server DNS/ns1.domainname.com. The failure code from authentication
    > protocol Kerberos
    > was "There are currently no logon servers available to service the
    > logon request.
    > (0xc000005e)".
    >
    > and
    >
    > Source: LSASRV
    > Category: SPNEGO (Negotiator)
    > Category String: SPNEGO (Negotiator)
    > Event: 40960
    > User: N/A
    > Computer: NS1
    >
    > The Security System detected an authentication error for the
    > server DNS/ns1.ispdomain.com. The failure code from authentication
    > protocol Kerberos
    > was "There are currently no logon servers available to service the
    > logon request.
    > (0xc000005e)".
    >
    > ns1.domainname.com is the primary DNS server for mydomain.com.
    > ns1.mydomain.com does not have any records for mydomain.com at all.
    > I haven't even set up secondary copies.
    >
    > ns1.ispdomain.com is the primary DNS server for the domain that this
    > server is a secondary for.
    >
    > It might be worth mentioning that both the primaries are Linux servers,
    > although I don't think this would make a difference.
    >
    > Any guidance would be much appreciated!




    This event is caused by your internal machine trying to register in the
    external DNS server's zone.
    The usual reasons for this error are:

    1) You have incorrectly configured your ISP or some other external DNS server
    in TCP/IP properties. (Use only the internal DNS server in TCP/IP settings)

    2) You have a Primary or Connection specific suffix set to the external
    domain name. (The Primary and connection DNS suffixes should only be the
    internal domain name to prevent internal clients from registering in
    external zones)

    3) The Zone for the internal domain name is the same as your External domain
    and its zone is missing from the internal DNS server and is being forwarded
    by the internal DNS server by means of the SOA record. (You should have an
    internal DNS zone that matches exactly the internal domain zone)

    4) You have a public IP configured on a Network Interface and its PTR record
    is trying to be registered in the Reverse lookup zone that ns1.ispdomain.com
    is Authoritative for. (Disable DNS registration on Interfaces with Public IP
    addresses.)

    Post your ipconfig /all, your AD Domain name, and a list of zones in your
    internal DNS server, to verify any of these.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    Send IM: http://www.icq.com/people/webmsg.php?to=296095728
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
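
Reasons 1, 2 and 4 in the list above can be spotted in `ipconfig /all` output. The following Python is an added example, not something posted in this thread: it parses the Windows 2003 layout and flags those settings. `parse_ipconfig`, `audit`, `internal_suffixes` and `internal_dns` are hypothetical names, the sample dump is constructed, and what counts as internal is supplied by the caller.

```python
import ipaddress
import re

# Constructed sample in the Windows 2003 `ipconfig /all` layout shown in this
# thread; addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ns1
   Primary Dns Suffix  . . . . . . . : mydomain.com

Ethernet adapter Public:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.0.2.166
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IP Address. . . . . . . . . . . . : 192.0.2.164
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   DNS Servers . . . . . . . . . . . : 192.0.2.166
                                       198.51.100.254
                                       198.51.100.2
"""

ADAPTER = re.compile(r"^.*adapter (.+):$")
FIELD = re.compile(r"^([A-Za-z][\w \-]*?)[ .]*:\s*(.*)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return (global_fields, {adapter: fields}); every value is a list."""
    glob, adapters = {}, {}
    section, last = glob, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := ADAPTER.match(line):
            section, last = adapters.setdefault(m.group(1), {}), None
        elif m := FIELD.match(line):
            last = section.setdefault(m.group(1), [])
            if m.group(2):
                last.append(m.group(2))
        elif last is not None and IPV4.match(line):
            last.append(line)  # continuation line, e.g. further DNS servers
    return glob, adapters


def audit(text, internal_suffixes=(), internal_dns=()):
    """List settings matching reasons 1, 2 and 4 as (reason, scope, detail)."""
    glob, adapters = parse_ipconfig(text)
    findings = []
    for sfx in glob.get("Primary Dns Suffix", []):
        if sfx.lower() not in internal_suffixes:
            findings.append((2, "global", f"primary suffix {sfx}"))
    for name, cfg in adapters.items():
        local = [ip for ip in cfg.get("IP Address", []) if IPV4.match(ip)]
        for dns in cfg.get("DNS Servers", []):
            if dns not in local and dns not in internal_dns:
                findings.append((1, name, f"external DNS server {dns}"))
        for sfx in cfg.get("Connection-specific DNS Suffix", []):
            if sfx.lower() not in internal_suffixes:
                findings.append((2, name, f"connection suffix {sfx}"))
        for ip in local:
            # ipconfig does not show the registration check box, so this only
            # marks interfaces where that setting should be verified.
            if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
                findings.append((4, name, f"non-RFC 1918 address {ip}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
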



  4. #4
    Hamish via WinServerKB.com Guest

    Re: EventID 40960, authentication error

    Thanks for the advice! I thought it might be something to do with the machine
    trying to register its IP address.

    Here is my old ipconfig:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ns1
    Primary Dns Suffix . . . . . . . : mydomain.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : mydomain.com

    Ethernet adapter Hetzner Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : xx-xx-xxx-xxx-xxx-6A
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : xxx.xxx.xxx.166
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    IP Address. . . . . . . . . . . . : xxx.xxx.xxx.164
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    Default Gateway . . . . . . . . . : xxx.xxx.xxx.163
    DNS Servers . . . . . . . . . . . : xxx.xxx.xxx.166
    xxx.xxx.xxx.254
    xxx.xxx.xxx.254
    xxx.xxx.xxx.2
    NetBIOS over Tcpip. . . . . . . . : Disabled

    I've now made some changes based on your previous thread.

    1. I have removed all the other DNS servers as suggested and I'm now only
    using the IP address of the DNS server. xxx.xxx.xxx.166 (local machine) only.

    I've seen this suggested before, why is this? I know that you can set up
    forwarders but wouldn't you want the system to use other DNS servers if the
    DNS service on your server failed?

    2. Previously I had a connection-specific suffix and suspected it
    may be what was causing it so I tried disabling "Register this connection's
    address in DNS" then after I still had the problem I removed the name too.
    (As you can see in ipconfig)

    And here might be the golden key: I still have a primary DNS suffix. I'm now
    going to remove it.

    3. You are quite correct. Right now the server has only a secondary copy of
    mydomain.com. The other primary server also wouldn't allow updates...

    4. I do have a public IP but I have disabled "Register this connection's
    address in DNS" on the interface.

    I'm going to try the above and see what happens.



  5. #5
    Hamish via WinServerKB.com Guest

    Re: EventID 40960, authentication error

    >And here might be the golden key: I still have a primary DNS suffix. I'm now
    >going to remove it.
    >

    Okay, this might have been a 1 step forward 2 steps back attempt to solve
    this problem.

    The repeated error messages are gone but now I'm faced with another issue.
    Without a primary suffix there is no FQDN for SOA records... At this stage
    it's not a problem as the system is only a secondary for other zones... but
    surely this can't be a good thing.

    1. I have followed point 1 in your previous mail. See the ipconfig dump below.

    2. This system is a dedicated internet DNS server so wouldn't the primary
    suffix be the external domain name as there is no internal one?
    3. I have created a secondary copy of the external zone (mydomain.com) from
    ns1.domainname.com so that there is an internal record (although, it's not a
    primary)?
    4. I have disabled DNS registrations in TCP/IP properties for the network
    connection.

    My question would now be.

    ns1.domainname.com acts as the primary DNS server for mydomain.com
    ns1.mydomain.com has a secondary copy of the zone mydomain.com from
    ns1.domainname.com
    (forward lookups)

    ns1.ispdomain.com is responsible for the reverse lookup zone of my IP address
    range

    This would explain why both errors were logged. In the 1st the system is
    trying to register in the forward lookup zone and in the second error it's
    trying to register in the reverse lookup zone. Right?

    If I set a primary DNS suffix (which I believe is a good thing to do) how do
    I configure the system not to try and register with the primary zone servers???
    Unfortunately the primaries don't support dynamic updates.

    I now believe that this error has less to do with the DNS service on the
    system and more to do with the basic config of the system itself.

    Thanks in advance!
    Hamish



  6. #6
    Hamish via WinServerKB.com Guest

    Re: EventID 40960, authentication error

    My ipconfig dump:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ns1
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Hetzner Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-6A
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : xxx.xxx.xxx.166 <- Local IP (used for DNS)
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    IP Address. . . . . . . . . . . . : xxx.xxx.xxx.164 <- Local IP (used for WWW)
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    Default Gateway . . . . . . . . . : xxx.xxx.xxx.163
    DNS Servers . . . . . . . . . . . : xxx.xxx.xxx.166 <- DNS server set to local IP
    NetBIOS over Tcpip. . . . . . . . : Disabled



  7. #7
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: EventID 40960, authentication error

    Hamish via WinServerKB.com wrote:
    >> And here might be the golden key: I still have a primary DNS suffix.
    >> I'm now going to remove it.
    >>

    > Okay, this might have been a 1 step forward 2 steps back attempt to
    > solve this problem.
    >
    > The repeated error messages are gone but now I'm faced with another
    > issue. Without a primary suffix there is no FQDN for SOA records...At
    > this stage it's not a problem as the system is only a secondary for
    > other zones...but surely this can't be a good thing
    >
    > 1. I have followed point 1 in your previous mail. See the ipconfig
    > dump below.
    >
    > 2. This system is a dedicated internet DNS server so wouldn't the
    > primary suffix be the external domain name as there is no internal
    > one?
    > 3. I have created a secondary copy of the external zone (mydomain.com)
    > from ns1.domainname.com so that there is an internal record
    > (although, it's not a primary)?
    > 4. I have disabled DNS registrations in TCP/IP properties for the
    > network connection.
    >
    > My question would now be.
    >
    > ns1.domainname.com acts as the primary DNS server for mydomain.com
    > ns1.mydomain.com has a secondary copy of the zone mydomain.com from
    > ns1.domainname.com
    > (forward lookups)
    >
    > ns1.ispdomain.com is responsible for the reverse lookup zone of my IP
    > address range
    >
    > This would explain why both errors were logged. In the 1st the system
    > is trying to register in the forward lookup zone and in the second
    > error it's trying to register in the reverse lookup zone. Right?
    >
    > If I set a primary DNS suffix (which I believe is a good thing to do)
    > how do I configure the system not to try and register with the
    > primary zone servers??? Unfortunately the primaries don't support
    > dynamic updates.


    I assume since you named this server NS1, that it is set up to act as a
    Public DNS server?
    Give the server a DNS suffix that matches its public name, example
    mydomain.com, that would make its FQDN NS1.MYDOMAIN.COM, then create a
    forward lookup zone named ns1.mydomain.com, create a new host in this zone,
    leave the name field blank, and give it the Public IP address it will listen
    on. This is so it can resolve its own name to its publicly known IP address.

    NOTE-Do not follow the above instructions if the DNS server is going to ever
    be used in an Active Directory infrastructure.

    >
    > I now believe that this error has less to do with the DNS service on
    > the system and more to do with the basic config of the system itself.


    You are very correct about this, it sounds like you have made some of the
    very same assumptions I did when I first started setting up DNS servers some
    years back.

    I have found that in order to properly host a Public DNS, you must first
    have a reliable private DNS server. Then point the Public DNS server to the
    Private DNS server (only) for DNS then, disable recursion on the Public DNS
    server. For maximum efficiency and security, a public DNS server that hosts
    public zones should never have to do recursive lookups. It should never be
    allowed to resolve any names it is not Authoritative for.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]



  8. #8
    Greg Lindsay [MSFT] Guest

    Re: EventID 40960, authentication error

    FYI - It's not only for efficiency. When an ISP provides the same
    nameserver to customers for both authoritative and recursive lookup, and
    then a customer wants to move authority for their domain elsewhere, this can
    partially "break" their domain. This is because a recursive nameserver will
    not look elsewhere if it believes it is authoritative for a domain. It will
    simply provide the old information.

    Customers that move their DNS don't always circle back and have the DNS
    removed from the servers at their old ISP. These are called "lame" DNS
    records, and most authoritative servers that host a large number of domains
    have them, unless they have an automated process to discover and remove
    these records.

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

    "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
    news:uX6ZBfDUHHA.388@TK2MSFTNGP04.phx.gbl...

    > For maximum efficiency and security, a public DNS server that hosts
    > public zones should never have to do recursive lookups. It should never be
    > allowed to resolve any names it is not Authoritative for.



  9. #9
    Hamish via WinServerKB.com Guest

    Re: EventID 40960, authentication error

    Thanks for the help it seems to have done the trick ;-)

    Clearly I still have a lot to learn about DNS.

    As far as recursion goes, although this server is a public DNS server it also
    hosts web content which from time to time needs to do lookups for which the
    DNS server is not authoritative for. I also have other servers on the network
    that use this server for name resolution as the primary and only then the
    ISP's DNS server.

    Why would recursion be a security risk in this scenario?

    Thanks again for all the help and suggestions, really appreciated.



  10. #10
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: EventID 40960, authentication error

    Hamish via WinServerKB.com wrote:
    > Thanks for the help it seems to have done the trick ;-)
    >
    > Clearly I still have a lot to learn about DNS.
    >
    > As far as recursion goes, although this server is a public DNS server
    > it also hosts web content which from time to time needs to do lookups
    > for which the DNS server is not authoritative for. I also have other
    > servers on the network that use this server for name resolution as
    > the primary and only then the ISP's DNS server.


    If you have other servers on the network, why can you not move the caching
    DNS to one of them?

    If you are behind an NAT device, you really need DNS servers separated from
    the public servers to resolve the NAT'd, private addresses. If this server
    is also behind NAT, it needs to use a DNS server that can resolve internal
    and internet addresses, too.

    > Why would recursion be a security risk in this scenario?


    The DNS Stuff people give about the best explanation I've heard:
    DNS Stuff Fixing Open DNS Servers: http://www.dnsstuff.com/info/opendns.htm


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
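
Posts #7 to #10 turn on whether a public authoritative server should offer recursion. As an added example (not code from any poster), the Python below builds a query with the recursion-desired bit set and classifies a reply from its AA, RA and RCODE header fields, so an operator can confirm from outside that their own server answers only for zones it hosts. The function names and the constructed replies are assumptions made for the example; `probe` is meant for a server you operate.

```python
import os
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # header flag bits, RFC 1035


def build_query(name, txid, qtype=1):
    """Encode a query for `name` (type A by default) with recursion desired."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the fixed 12-byte DNS header; None if the message is too short."""
    if len(message) < 12:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "answers": an}


def assess(reply, txid):
    """Classify the reply to a recursion-desired query for an out-of-zone name."""
    h = parse_header(reply)
    if h is None or not h["qr"] or h["id"] != txid:
        return "invalid"
    if h["aa"]:
        return "authoritative"   # name is in a zone hosted here; pick another
    if h["ra"] and h["rcode"] in (0, 3):
        return "open-recursion"  # server resolved a name it does not host
    return "not-recursing"       # RA clear, or REFUSED/SERVFAIL for this client


def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you operate and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return assess(reply, txid)


def make_reply(query, flags, with_answer):
    """Constructed reply for offline use: echo the question, optional A record."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!HHHHH", flags, 1, int(with_answer), 0, 0)
    return header + query[12:] + (answer if with_answer else b"")


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    for label, flags, ans in (("recursing server", QR | RD | RA, True),
                              ("refusing server", QR | RD | 5, False)):
        print(label, "->", assess(make_reply(q, flags, ans), 0x1234))
```
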


