Cannot find domain controller

Discussion in 'Active Directory' started by Yakob, Nov 7, 2007.

  1. Yakob

    Jorge Silva Guest

    Please see inline
    Yes I know and you both moved out from the real problem.
    Incorrect, it's not bad configuration but rather default behavior. Of course
    you can change that.
    Incorrect again, they try by default to register the PTR records.
    Sure they do. The problem is that the error is logged because they are
    trying to reach to an un-authorized server, the error may be misleading, but
    the error is logged because of that.
    Lol.
    Other than this??!!!
    I don't know what type of network you're running, but in my client's network
    the Apps are most critical to keep the network users running, and if that
    stops, all users will stop working and that would be a major problem, so,
    sounds to me that is more than 1 reason to create PTR records and Reverse
    lookup zones. Networks don't run only Microsoft products you know...
    There're many other products that may run in that same physical network, in
    my case I work together with other technologies (Unix, HP-UX, Solaris,
    Linux, ...) and in some cases we need to integrate them with MS technology
    so everyone can work happy, think about that when you say there's NOTHING
    more to be used with this or that....

    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 17, 2007
    #21

  2. Yakob

    Jorge Silva Guest

    Hi Ace,
    If I recall correctly cleaning the Roothints also solves the problem (not
    100% sure)
    Of course the most logical and fast way to solve this is to create the
    Reverse lookup zone.

    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 17, 2007
    #22

  3. In
    And you know, I still agree with that. Create the reverse zone and make sure
    a PTR exists, and the error will go away, no matter what.
     
    Ace Fekay [MVP], Nov 18, 2007
    #23
  4. OK guys,
    Can you point to any MS KB that confirms this?
    Or any MS document at all? The answer's probably no. Ace, I'm sure, has
    scoured the web for this and if he'd found anything, he'd have posted it.
    All I'm saying is what you've observed has no logical explanation wrt
    Kerberos or obtaining a ticket for a service. You don't need PTRs for that.
    There is actually a GPO setting to disable the registration of PTR records
    because you can work fine without them ( Jorge, I don't know of any LOB app
    that requires this and I also work in multi-platform envs.) and you can find
    it at: Computer Config\Admin Temp\Network\DNS Client\Register PTR Records.
    Set the property to Disabled and you're done.

    Ace, with regard to KB 259922, the second fix is to disable reverse lookups.
    Would it be a suggested fix if it broke stuff? I like to have a logical
    reason for things I do and not just because "we've always done it that way".
    The logic for why you must register PTR records is what's missing here. The
    KB even says disabling the registration of PTR records reduces unnecessary
    network traffic!
    You can register them, yes, but do you need them? The answer's likely to be no.

    Regards,

    Austin
     
    Austin Osuide, Nov 19, 2007
    #24
  5. Yakob

    Jorge Silva Guest

    The answer's likely to be no, because you don't want to see the light...
    Problem:
    By default the client tries to register the PTR, if you don't have a
    Reverse lookup zone created the DNS will try to register those PTR in other
    DNS that knows about that IP range, as a consequence of that action and because
    you can't do registrations on those DNS servers an error is logged.
    Solution:
    Create a Reverse Lookup Zone.
    If you don't want to have a Reverse Zone, configure the clients not to
    register the PTR records, via GPO, registry, whatever... As long as the
    clients are not trying to do that no error will be logged.
    DONE!!!
    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 19, 2007
    #25
  6. Nice of you to tell us again Jorge :)
    If you want to contribute to the debate, it was about "the importance/use of
    PTR records in Kerberos communications".
    My comment on that was that it's not required unless you have specific
    application requirements.
    As a fix for the 40960 and 40961 errors, registration of PTR records should
    be the last thing you suggest UNLESS the event also includes a mention of an
    attempt at registering on prisoner.iana.org WHICH WAS NOT THE CASE HERE (and
    you can explain why that event id would occur if a dynamic update is carried
    out on a server that doesn't trust you) .

    A 40960 error is a generic error which means "I have tried to talk to you
    using our agreed protocol of Kerberos (the negotiation component) and
    authentication has failed". That's all that event id means and it can be
    generated by a myriad of causes as eventid.net shows.

    I hope you'll see the salient points here.

    Regards,

    Austin
     
    Austin Osuide, Nov 19, 2007
    #26
  7. Yakob

    Jorge Silva Guest

    The errors posted by the poster are related (in my experience) to not having
    the Reverse Lookup Zone, creating a reverse lookup zone should fix it.
    And yes I'm not trying to have a debate about kerberos/PTR.
    I'm just reporting direct solutions to the problem.

    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 19, 2007
    #27
  8. Jorge,
    In this case the poster, now long gone :), said he had reverse zones setup
    correctly. So, your experience does not match this scenario. Case closed I
    guess.

    Regards,

    Austin
     
    Austin Osuide, Nov 19, 2007
    #28
  9. Yakob

    Jorge Silva Guest

    You're probably right but I don't see any post saying that.

    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 19, 2007
    #29
  10. To quote Yakob's posting of the 7th at 09:07:

    <quote>

    C:\Documents and Settings\gtg.PROGRESSIVE>
    reverse DNS is created
    AD DNS progressive.local

    When try to open Outlook warnings in System log: source LsaSrv Event ID
    40960 and 40961 category: SPNEGO (Negotiator) ,repeatedly and source Kerberos
    Event ID 10 category none appears once.
    When user logs on in the Application log source Userenv, event id 1054.

    Hope we can find the answer.

    </quote>

    So, you see? Not a reverse lookup registration issue apparently.
    The reflex action of attributing all cases of 40960/40961 errors to PTR
    registrations is wrong. Also, if you understand how DNS works and why you
    use PTR records, you'll see you can live without them. Sometimes. Yes, some
    diagnostic tools will barf but it hardly ever results in loss of
    functionality if you don't have them set. As I mentioned earlier, the
    initial DNS RFCs don't even mention PTR records and in the MS KB we
    reviewed earlier, a second option is to turn off the registration to reduce
    unnecessary network traffic.
    Just trying to share my view of the problem and solution.

    Regards,

    Austin
     
    Austin Osuide, Nov 20, 2007
    #30
  11. Yakob

    Jorge Silva Guest

    Hum...

    Interesting, I will have to do some tests and I'll come back with some
    results... (when I get some time to do that)

    But again, last time I saw these errors, the solution was to create a Reverse
    Lookup Zone.

    I wonder if the Reverse Zone that the poster created was allowing Dynamic
    Registrations


    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 20, 2007
    #31
  12. In
    Ahh, not trying to pick the post, but he said he has a reverse zone, however
    didn't mention if a PTR existed. Of course we'll assume one exists and this
    brings us back to square one.

    There is one other thing that I've seen this associated with. It's something
    in the security policy of the local DC that could be causing it.
    Interestingly enough, we saw on XP desktops getting 40960 and 1058 errors. A
    PTR exists for it too. A restart fixes it. There is a KB fix that addresses
    it. I'm not saying it is related or not, but an interesting issue. I have to
    dig up my notes on this one. I'll post back.

    Ace
     
    Ace Fekay [MVP], Nov 20, 2007
    #32
  13. In
    I wouldn't go by disabling reverse registration as the article suggests. I
    would assume that if the zones are created and configured properly, there
    would be no reason that it is trying to reg its own IP elsewhere other than
    to its own zone.

    Ace
     
    Ace Fekay [MVP], Nov 20, 2007
    #33
  14. Hi Ace,
    The question again is why?
    Remember that reverse zones are not automagically created. You have to go do
    it yourself.
    All I'm asking is what is the logic behind your action. Do you have an app
    that needs to resolve IP addresses to hostnames? After all, that's what the
    zones are there for and if you don't need it, why set it up? It's a totally
    different matter though if YOU DON'T KNOW if you need them or not and you're
    just covering all the bases.

    Regards,

    Austin
     
    Austin Osuide, Nov 20, 2007
    #34
  15. Bingo!
    As I said earlier, it's a generic event that's thrown when negotiated auth
    fails.
    You potentially could have a host of causally related factors at play here.
    Understanding what the error means allows you, in addition to other events
    generated at the time to work through a logical differential diagnosis
    process and removes guess work.

    Regards,

    Austin
     
    Austin Osuide, Nov 20, 2007
    #35
  16. In
    That could be true, a coincidental, yet somewhat related event? All I know
    in most cases, for whatever reason, it's a fix, weird or unorthodox as it
    is.

    :)

    Ace
     
    Ace Fekay [MVP], Nov 21, 2007
    #36
  17. Yakob

    Jorge Silva Guest

    Okay, I did some testing on this and here are my conclusions:
    - The 40960 and 40961 are or may be caused by NOT HAVING the Reverse Lookup
    Zone (Sounds like my experience still counts)
    - If the Reverse lookup zone was created make sure that it allows dynamic
    updates, and that you don't have anything between the server and the client
    that is preventing the communication, like a firewall.
    - The Kerberos error may be caused by Firewall issues, or communication
    problems, since we're talking about SBS, my guess is that someone
    messed with SBS Firewall, or some other third party solution that does the
    same thing.


    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 21, 2007
    #37
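    The checks argued about in #24 (the "Register PTR Records" policy), #37 (reverse zone present and accepting dynamic updates, nothing blocking the client) and #35 (read the 40960/40961 and Kerberos 10 events together instead of guessing) collected into one diagnostic. This is an added example, not code from anyone in the thread; it assumes a Windows 8/2012 or later client with the DnsClient module, RSAT DnsServer cmdlets on the DNS server, a /24 reverse zone, and that the policy is stored as the RegisterReverseLookup value under the DNSClient policy key (an assumption, not stated on the page).

```powershell
# Added diagnostic (not from the thread). Gathers DNS state and the LsaSrv/Kerberos events
# for one client so the error can be diagnosed rather than attributed to PTRs by reflex.
param(
    [Parameter(Mandatory)][string]$ClientName,   # FQDN of the client logging the events
    [Parameter(Mandatory)][string]$DnsServer     # AD-integrated DNS server (usually a DC)
)

# 1. Forward record: the A record the client registers for itself.
$a = Resolve-DnsName -Name $ClientName -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
     Where-Object Type -eq 'A'
if (-not $a) { Write-Warning "No A record for $ClientName on $DnsServer"; return }
$ip = $a[0].IPAddress

# 2. Reverse record: does a PTR exist, does the reverse zone exist, and does it allow updates?
$ptr = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
$o = $ip.Split('.')
$revZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"      # assumes a /24 reverse zone
$zone = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
    Get-DnsServerZone -Name $using:revZone -ErrorAction SilentlyContinue
}
[pscustomobject]@{
    Client        = $ClientName
    IPAddress     = $ip
    PtrExists     = [bool]$ptr
    ReverseZone   = if ($zone) { $zone.ZoneName } else { 'MISSING' }
    DynamicUpdate = if ($zone) { $zone.DynamicUpdate } else { 'n/a' }   # 'Secure' for AD clients
} | Format-List

# 3. Policy state of "Register PTR Records" (Computer Config\Admin Temp\Network\DNS Client).
#    Assumption: the policy writes RegisterReverseLookup under this key; 0 = do not register.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$state = if ($pol -and $null -ne $pol.RegisterReverseLookup) { $pol.RegisterReverseLookup }
         else { 'not set (default: client registers PTR)' }
"RegisterReverseLookup policy: $state"

# 4. The events themselves, side by side: 40960/40961 are generic SPNEGO failures,
#    Kerberos 10 is a ticket failure. Only the message text tells you which cause applies.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10, 40960, 40961
                                 StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'LsaSrv|Kerberos' } |
    Select-Object TimeCreated, ProviderName, Id,
                  @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

    Run it from the affected client; a PTR that exists in a zone that allows secure updates, plus a 40960 message that names the target service, rules the PTR theory in or out before anything is changed.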
  18. Yakob

    Jorge Silva Guest

    Just another thing, the fact that you have 40960 and 40961 category: SPNEGO
    (Negotiator) ,repeatedly and source Kerberos Event ID 10 category none
    appears once. That doesn't mean that everything is related with Kerberos,
    that means that you have 1 event for Kerberos and the other events are
    related with the problem that we all know about (Except Austin of course ;))


    --
    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Nov 21, 2007
    #38
  19. Hi Jorge,
    In your tests, did the event details mention an attempt to register at
    prisoner.iana.org?
    If they did, as I mentioned earlier, it can be explained easily and I have
    not disputed the fact that this can occur. In fact, iirc, a KB article
    describes this sit.
    The issue is: Why have you configured reverse lookups? The answer might as
    well be: I dunno. I have always done it that way.
    All I'm asking for is a justification/logic for the setup. You can prevent
    your clients from attempting to register PTRs with a GP setting ( as the KB
    says, to reduce unnecessary traffic) in order to prevent the errors being
    generated.

    In this case, we've had no indication that PTR records were not being
    registered and we do have 40960/1 events generated.
    I think you need to assess the situation a bit better before jumping to the
    PTR resolution.

    Regards,

    Austin
     
    Austin Osuide, Nov 21, 2007
    #39
  20. Just Reading this post again Jorge and I'm not sure what you mean...
    Those Event IDs are all related to Kerberos issues. Event id: 10 with a
    Kerberos source indicates an inability to obtain a Kerberos ticket.
    Read my earlier post about what the event id: 40960/40961 errors mean.

    Regards,

    Austin
     
    Austin Osuide, Nov 21, 2007
    #40