Windows Vista Tips
DNS event (Windows Server > DNS Server newsgroup)

Dan DeCoursey
05-07-2009
Server 2003 R2 SP2 running IIS; this is our web server.
The TCP/IP properties for the NIC that is on "the inside" do have the correct IP
address of the ML570g3dc; this is our domain controller that hosts the DNS
service.

I am not sure here who is actually doing the login or why there is a failure.



Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/6/2009
Time: 11:54:15 PM
User: N/A
Computer: ML350G5WEB
Description:
The Security System detected an authentication error for the server
DNS/ml570g3dc.administration.eriecountygov.org. The failure code from
authentication protocol Kerberos was "There are currently no logon servers
available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À

 
Ace Fekay [Microsoft Certified Trainer]
05-07-2009
"Dan DeCoursey" <> wrote in message
news:60A85180-26EB-4021-87A0-...
> Server 2003 R2 SP2 running IIS; this is our web server.
> The TCP/IP properties for the NIC that is on "the inside" do have the correct IP
> address of the ML570g3dc; this is our domain controller that hosts the DNS
> service.
>
> I am not sure here who is actually doing the login or why there is a
> failure.
>
>
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 5/6/2009
> Time: 11:54:15 PM
> User: N/A
> Computer: ML350G5WEB
> Description:
> The Security System detected an authentication error for the server
> DNS/ml570g3dc.administration.eriecountygov.org. The failure code from
> authentication protocol Kerberos was "There are currently no logon servers
> available to service the logon request.
> (0xc000005e)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0 ^..À
>



Hello Dan,

First, any reason the DC is multihomed? It is NOT a recommended
configuration. Multihomed DCs are problematic.

As for the LSASRV, that is usually caused by a lack of a reverse zone or no
PTR record for the machine. It can also be caused by a denied permission on
a user account or group in AD, which will cause the error on the machine they
are logged on to after the Kerberos ticket expires and they can't renew it. A
restart will fix this, unless the denial is removed.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

 
Dan DeCoursey
05-11-2009
Hi Ace,


The web server has 1 NIC that is visible to the Internet and the other is
on our "inside network". Is this not a standard way of having a web server "on
the cheap"? Kind of like "half a DMZ".

I do have a RLUZ on the ML570g3DC (our DNS server) for 192.168.50.X
(this is the "internal network") and there is a PTR record for 192.168.50.45
(the ML570g3DC box).

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Dan DeCoursey" <> wrote in message
> news:60A85180-26EB-4021-87A0-...
> > Server 2003 R2 SP2 running IIS; this is our web server.
> > The TCP/IP properties for the NIC that is on "the inside" do have the correct IP
> > address of the ML570g3dc; this is our domain controller that hosts the DNS
> > service.
> >
> > I am not sure here who is actually doing the login or why there is a
> > failure.
> >
> >
> >
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40960
> > Date: 5/6/2009
> > Time: 11:54:15 PM
> > User: N/A
> > Computer: ML350G5WEB
> > Description:
> > The Security System detected an authentication error for the server
> > DNS/ml570g3dc.administration.eriecountygov.org. The failure code from
> > authentication protocol Kerberos was "There are currently no logon servers
> > available to service the logon request.
> > (0xc000005e)".
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 5e 00 00 c0 ^..À
> >

>
>
> Hello Dan,
>
> First, any reason the DC is multihomed? It is NOT a recommended
> configuration. Multihomed DCs are problematic.
>
> As for the LSASRV, that is usually caused by a lack of a reverse zone or no
> PTR record for the machine. It can also be caused by a denied permission on
> a user account or group in AD that will cause the error on the machine they
> are logged on after the Kerberos ticket expires and they can't renew it. A
> restart will fix this, unless the denial is removed.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>

 
Ace Fekay [Microsoft Certified Trainer]
05-12-2009
"Dan DeCoursey" <> wrote in message
news:6C6924B7-91C3-4F4A-9DBE-...
> Hi Ace,
>
>
> The web server has 1 NIC that is visible to the Internet and the other is
> on our "inside network". Is this not a standard way of having a web server
> "on
> the cheap"? Kind of like "half a DMZ".
>
> I do have a RLUZ on the ML570g3DC (our DNS server) for 192.168.50.X
> (this is the "internal network") and there is a PTR record for
> 192.168.50.45
> (the ML570g3DC box)




Hi Dan,

No, a domain controller should not be multihomed, nor used as a web server.
Too dangerous to expose your DC on the internet, as you are doing. Plus, it
being a DNS server, it causes issues with registration and multiple identities of
the DNS server. It also puts the DC in multiple AD Sites. There are quite a
few exploits out there that allow an attacker access to the local machine,
in your case a DC, simply by manipulating commands in the web service. Single
home it and get a cheapo server to run web services. Also, there is no need
to run a config as such even if it is just a web server. The *standard* or
best practice method is to single home the machine (one NIC/IP), or team the
NICs (using the manufacturer's NIC software), and set up a simple port remap
in your firewall/router to forward port 80 traffic to the internal private
IP.

Multihomed DCs are basically problematic and cause functionality issues with
Active Directory, as you are seeing. You can search on multihomed DCs in
Google and you can see the multiple issues that arise.

Also, I am not sure what DNS addresses are in the NIC properties. Can you
post an unedited ipconfig /all of this machine, please?

Ace

 
Dan DeCoursey
05-12-2009
We got our "wires crossed" as this discussion goes on...

I have a web server running Server 2003 R2 w/IIS. This web server is
multihomed as I described in the last message.

In this web server's event log, there is the event I pasted into the 1st
message. It mentions DNS/ML570g3DC (that box "ML570g3DC" is our domain
controller and it also runs our DNS).

So I was trying to figure out and decipher the verbiage in the web server's
event log... not being able to satisfy some sort of authentication
request. I want to know who is requesting what from whom, and as it sits now I
am no farther down the road in figuring this out than I was day one. It
sounds to me that the web server's Security System detects an authentication
problem from my DC's DNS server trying to log in to the web server? And the
web server says "sorry, no logon server is available to service your requests."
So the question begs: is this DNS server logging into the web server just
normal mechanics, and if so why is there no "logon server" available on the
web server to satisfy the request?

I don't know much about what goes on "under the covers" with DNS servers and
logon servers and all these details.

thanks

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Dan DeCoursey" <> wrote in message
> news:6C6924B7-91C3-4F4A-9DBE-...
> > Hi Ace,
> >
> >
> > The web server has 1 NIC that is visible to the Internet and the other is
> > on our "inside network". Is this not a standard way of having a web server
> > "on
> > the cheap"? Kind of like "half a DMZ".
> >
> > I do have a RLUZ on the ML570g3DC (our DNS server) for 192.168.50.X
> > (this is the "internal network") and there is a PTR record for
> > 192.168.50.45
> > (the ML570g3DC box)

>
>
>
> Hi Dan,
>
> No, a domain controller should not be multihomed, nor used as a web server.
> Too dangerous to expose your DC on the internet, as you are doing. Plus, it
> being a DNS server, it causes issues with registration and multiple identities of
> the DNS server. It also puts the DC in multiple AD Sites. There are quite a
> few exploits out there that allow an attacker access to the local machine,
> in your case a DC, simply by manipulating commands in the web service. Single
> home it and get a cheapo server to run web services. Also, there is no need
> to run a config as such even if it is just a web server. The *standard* or
> best practice method is to single home the machine (one NIC/IP), or team the
> NICs (using the manufacturer's NIC software), and set up a simple port remap
> in your firewall/router to forward port 80 traffic to the internal private
> IP.
>
> Multihomed DCs are basically problematic and cause functionality issues with
> Active Directory, as you are seeing. You can search on multihomed DCs in
> Google and you can see the multiple issues that arise.
>
> Also, I am not sure what DNS addresses are in the NIC properties. Can you
> post an unedited ipconfig /all of this machine, please?
>
> Ace
>
>

 
Ace Fekay [Microsoft Certified Trainer]
05-12-2009
"Dan DeCoursey" <> wrote in message news:A6E4E886-E316-4D3B-A25D-...
> We got our "wires crossed" as this discussion goes on...
>
> I have a web server running Server 2003 R2 w/IIS. This web server is
> multihomed as I described in the last message.
>
> In this web server's event log, there is the event I pasted into the 1st
> message. It mentions DNS/ML570g3DC (that box "ML570g3DC" is our domain
> controller and it also runs our DNS).
>
> So I was trying to figure out and decipher the verbiage in the web server's
> event log... not being able to satisfy some sort of authentication
> request. I want to know who is requesting what from whom, and as it sits now I
> am no farther down the road in figuring this out than I was day one. It
> sounds to me that the web server's Security System detects an authentication
> problem from my DC's DNS server trying to log in to the web server? And the
> web server says "sorry, no logon server is available to service your requests."
> So the question begs: is this DNS server logging into the web server just
> normal mechanics, and if so why is there no "logon server" available on the
> web server to satisfy the request?
>
>
>
> I don't know much about what goes on "under the covers" with DNS servers and
> logon servers and all these details.
>
> thanks



Dan,

My previous post was trying to help explain a 'little' of what goes on with a multihomed DC and what happens under the covers, including DNS issues that arise, as well as security concerns. I was just trying to help you and others understand the ramifications, as well as those of exposing the DC on the internet. I was trying to point out the issues involving such a configuration, and to expect issues to arise due to this configuration. I can give you a full explanation of what really occurs, if you like, from an old blog.

As for the LSASRV issues, the LSASRV is indicative of a few things:

1. No reverse zone or no PTR for the machine.
2. The Kerberos ticket has expired and the machine cannot renew the ticket based on the user account that is logged in not having permissions to do so.
3. In conjunction with #2, an issue is present based on the multihomed configuration causing the machine not being able to 'find' itself (or authenticate) due to DNS settings. I see authentication errors with this type of configuration apparent with multihomed DCs.

Without an ipconfig /all, it will be difficult to tell if it is #2 or #3. However, if you are reluctant to post it, I can understand. Here are some other ideas:
http://eventid.net/display.asp?event...LSASRV&phase=1
http://eventid.net/display.asp?event...LsaSrv&phase=1


Ace
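One way to turn the three causes listed above into a repeatable check on the machine that logs the event, as an added PowerShell example that is not from this thread, from Ace, or from Microsoft: it decodes the 40960 description to show which side is the Kerberos client and which service is the target, then tests the reverse-lookup, adapter DNS and DC-locator conditions. It assumes PowerShell 2.0 or later run as a local administrator on the member server (the web server here, not the DC); the default DC name and the sample event text are taken from the event quoted in the thread purely as placeholders, and the NTSTATUS table is a hand-picked subset.

```powershell
# Added example, not code from the thread: triage for LSASRV event 40960 on the
# member server that logged it (the IIS box here). Assumes PowerShell 2.0 or
# later, run as a local administrator. The DC name below is only a default
# taken from the thread's event text; pass your own with -DcFqdn.
param(
    [string]$DcFqdn = "ml570g3dc.administration.eriecountygov.org",
    [int]$Hours = 24
)

# Subset of NTSTATUS codes that show up in 40960 events (public Microsoft values).
$StatusNames = @{
    '0xc000005e' = 'STATUS_NO_LOGON_SERVERS (client could not reach a DC)'
    '0xc000006d' = 'STATUS_LOGON_FAILURE (credentials or account problem)'
    '0xc0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC (clock skew breaks Kerberos)'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc000018b' = 'STATUS_NO_TRUST_SAM_ACCOUNT (computer account missing in AD)'
}

# Extract "who was talking to whom" from a 40960 description. The SPN names the
# service the *local* machine tried to reach; the machine that logged the event
# is the Kerberos client, not the thing being logged on to.
function Parse-LsasrvMessage([string]$Message) {
    $spn = $null; $code = $null
    if ($Message -match 'for the server\s+(\S+?)\.\s') { $spn = $matches[1] }
    if ($Message -match '\((0x[0-9a-fA-F]{8})\)')      { $code = $matches[1].ToLower() }
    $name = 'unknown NTSTATUS'
    if ($code -and $StatusNames.ContainsKey($code)) { $name = $StatusNames[$code] }
    New-Object PSObject -Property @{
        TargetSpn    = $spn
        ServiceClass = $(if ($spn) { $spn.Split('/')[0] } else { $null })
        TargetHost   = $(if ($spn) { $spn.Split('/')[1] } else { $null })
        Status       = $code
        StatusName   = $name
    }
}

# Constructed sample (the description quoted in the thread) so the parser can be
# exercised on a machine that has no 40960 events of its own.
$sample = 'The Security System detected an authentication error for the server ' +
          'DNS/ml570g3dc.administration.eriecountygov.org. The failure code from ' +
          'authentication protocol Kerberos was "There are currently no logon ' +
          'servers available to service the logon request. (0xc000005e)".'
"--- Sample event decoded ---"
Parse-LsasrvMessage $sample | Format-List TargetSpn, ServiceClass, TargetHost, Status, StatusName

"--- 40960 events from the last $Hours hours ---"
$since = (Get-Date).AddHours(-$Hours)
Get-EventLog -LogName System -Source LSASRV -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 40960 } |
    ForEach-Object {
        $p = Parse-LsasrvMessage $_.Message
        "{0}  {1} on {2}  [{3}]" -f $_.TimeGenerated, $p.ServiceClass, $p.TargetHost, $p.StatusName
    }

# Cause #3 in the thread: every IP-enabled adapter and the DNS servers it uses.
# Anything other than AD-integrated DNS here (ISP, router) cannot answer the
# _ldap._tcp SRV queries the DC locator needs, which surfaces as 0xc000005e.
"--- IP-enabled adapters (more than one = multihomed) ---"
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
if ($nics.Count -gt 1) { Write-Warning "Host is multihomed: $($nics.Count) adapters with IP." }
foreach ($n in $nics) {
    "{0}`n  IP:  {1}`n  DNS: {2}" -f $n.Description, ($n.IPAddress -join ', '), ($n.DNSServerSearchOrder -join ', ')
}

# Cause #1 in the thread: forward and reverse lookup of the host named in the SPN.
"--- Name resolution for $DcFqdn ---"
try {
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($DcFqdn)) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            "A: $DcFqdn -> $ip   PTR: $ip -> $ptr"
            if ($ptr -ne $DcFqdn) { Write-Warning "PTR name '$ptr' does not match the SPN host." }
        } catch {
            Write-Warning "No PTR for $ip (missing reverse lookup zone or PTR record)."
        }
    }
} catch {
    Write-Warning "Forward lookup of $DcFqdn failed: $($_.Exception.Message)"
}

# DC locator check: the SRV record must be answered by the DNS servers listed above.
$domain = $DcFqdn.Substring($DcFqdn.IndexOf('.') + 1)
"--- SRV lookup for _ldap._tcp.dc._msdcs.$domain ---"
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
```

Run it on the web server, since that is the machine whose LSA logged the warning. The decoded sample makes the point the thread circles around: the SPN DNS/ml570g3dc... is the target of the web server's own Kerberos request (most likely its secure dynamic DNS registration, which is an assumption here), and 0xc000005e means the web server could not find any domain controller to issue that ticket. That is why the DNS server list on every adapter, not just the inside one, decides whether the event recurs.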

 
Dan DeCoursey
05-13-2009
Ace, I appreciate your help,


Now that we are clear on the facts that my DC is not multihomed and is not
exposed to the internet I will look into those last items you listed

thanks

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Dan DeCoursey" <> wrote in message news:A6E4E886-E316-4D3B-A25D-...
> > We got our "wires crossed" as this discussion goes on...
> >
> > I have a web server running Server 2003 R2 w/IIS. This web server is
> > multihomed as I described in the last message.
> >
> > In this web server's event log, there is the event I pasted into the 1st
> > message. It mentions DNS/ML570g3DC (that box "ML570g3DC" is our domain
> > controller and it also runs our DNS).
> >
> > So I was trying to figure out and decipher the verbiage in the web server's
> > event log... not being able to satisfy some sort of authentication
> > request. I want to know who is requesting what from whom, and as it sits now I
> > am no farther down the road in figuring this out than I was day one. It
> > sounds to me that the web server's Security System detects an authentication
> > problem from my DC's DNS server trying to log in to the web server? And the
> > web server says "sorry, no logon server is available to service your requests."
> > So the question begs: is this DNS server logging into the web server just
> > normal mechanics, and if so why is there no "logon server" available on the
> > web server to satisfy the request?
> >
> >
> >
> > I don't know much about what goes on "under the covers" with DNS servers and
> > logon servers and all these details.
> >
> > thanks

>
>
> Dan,
>
> My previous post was trying to help explain a 'little' of what goes on with a multihomed DC and what happens under the covers, including DNS issues that arise, as well as security concerns. I was just trying to help you and others understand the ramifications, as well as those of exposing the DC on the internet. I was trying to point out the issues involving such a configuration, and to expect issues to arise due to this configuration. I can give you a full explanation of what really occurs, if you like, from an old blog.
>
> As for the LSASRV issues, the LSASRV is indicative of a few things:
>
> 1. No reverse zone or no PTR for the machine.
> 2. The Kerberos ticket has expired and the machine cannot renew the ticket based on the user account that is logged in not having permissions to do so.
> 3. In conjunction with #2, an issue is present based on the multihomed configuration causing the machine not being able to 'find' itself (or authenticate) due to DNS settings. I see authentication errors with this type of configuration apparent with multihomed DCs.
>
> Without an ipconfig /all, it will be difficult to tell if it is #2 or #3. However, if you are reluctant to post it, I can understand. Here are some other ideas:
> http://eventid.net/display.asp?event...LSASRV&phase=1
> http://eventid.net/display.asp?event...LsaSrv&phase=1
>
>
> Ace
>
>

 
Ace Fekay [Microsoft Certified Trainer]
05-14-2009
"Dan DeCoursey" <> wrote in message news:F83CEDFB-7BCC-4AEC-924D-...
> Ace, I appreciate your help,
>
>
> Now that we are clear on the facts that my DC is not multihomed and is not
> exposed to the internet I will look into those last items you listed
>
> thanks


Dan, re-reading your original post, I misinterpreted you saying that it was using your DC as a DNS address, which is the correct method, and never use an ISP, the router, or any other external DNS that doesn't have reference to the internal AD zone. The way it was written *appeared* to indicate you were saying that the multihomed web server is the DC. It was possibly the syntax, for I didn't see any periods, commas, etc., for me to better understand your post.

Anyway, I highly recommend single-homing the web server and using a simple port remap on your firewall for port 80, 443, etc., to the web server's internal IP, which is best practice. This gives you better security behind a NAT and control of traffic. The way it is, the web server is directly on the internet, which is Windows, a sought-out, extremely popular operating system with 85%+ market share, and targeted by 95% of the attackers out there.

Let me know how you make out.

Ace
 