LSASRV Event 40960 and Failure Audit Event 673 since Feb 2007

Discussion in 'Windows Server' started by Drew Govnyak, Jul 20, 2007.

  1. Drew Govnyak

    Drew Govnyak Guest

    We are in the single forest native 2003 domain. 2 Domain Controllers 30
    member servers. All 2003 Servers (members and dcs) have SP2 applied. Network
    has been up for the past 5 years. Since Feb 20th of this year. All of the
    2003 member servers started Logging Warning Event ID: 40960 from LSASRV at
    random days and times, but not frequently. The message logged is deceiving,
    it talks about time being different on one of the servers. (See below) The
    max time difference on my servers is 0.005ms (obtained form w32time
    /monitor), all servers except the PDC Emulator are configured to use Nt5DS
    under

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
    key. I also found a Security Event ID 673 logged within 1 second of the
    Warning on the DC to which member server, logging Event 40960 authenticated
    to.

    My suspicion is KB931836 DST 2007 which was installed on Feb 20 of this year
    started this problem, but I am not 100% sure yet.



    Is anybody else having the same problem?



    Event ID: 40960

    The Security System detected an authentication error for the server
    cifs/dc1.ourdomain.local. The failure code from authentication protocol
    Kerberos was "The time at the Primary Domain Controller is different than
    the time at the Backup Domain Controller or member server by too large an
    amount. (0xc0000133)".



    Event ID: 673

    Service Ticket Request:

    User Name:
    [email protected]

    User Domain: MYDOMAIN.LOCAL

    Service Name:
    cifs/dc1.mydomain.local

    Service ID: -

    Ticket Options: 0x40810000

    Ticket Encryption Type: -

    Client Address: 172.16.8.26

    Failure Code: 0xB

    Logon GUID: -

    Transited Services: -
     
    Drew Govnyak, Jul 20, 2007
    #1
    1. Advertisements

  2. Hi Drew,

    When you NET TIME/QUERYSNTP on your PDC Emulator do you get the correct
    timesource, its not pointing back to itself or setup with Nt5DS is it?
    Also..sorry have to ask, your time is only 0.005ms different but is the day
    month and year correct? :) although if that were the case, im sure you
    would be having much larger issues, with your workstations and member
    servers not being able to share resources with your PDC. Are you having any
    network problems or are these log files currently the only sign of a
    possible issue?

    This TechNet article refers to the error 673 on your pdc...
    http://support.microsoft.com/kb/824905

    Coraleigh Miller
     
    Coraleigh Miller, Jul 25, 2007
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.