LSASRV SPNEGO event in System log

Discussion in 'DNS Server' started by Guillaume Tamisier, Jul 10, 2004.

  1. Hi,

    Every hour, I have the following event in my system log:

    -----------------------------------
    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40961
    Date: 10/07/2004
    Time: 01:06:50
    User: N/A
    Computer: GOLIATH
    Description:
    The Security System could not establish a secured connection with the server
    DNS/ns7.gandi.net. No authentication protocol was available.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 8b 01 00 c0 ?..À
    -----------------------------------

    My DNS server is private, and I don't want to replicate its entries with
    public DNS servers on the internet.

    However, my private domain name exists on the internet, and is served by
    ns7.gandi.net. So I think that my internal DNS server tries to replicate
    with it. How can I disable this? The records in my DNS server are private,
    and I don't want them to be replicated.
     
    Guillaume Tamisier, Jul 10, 2004
    #1

  2. This is not replication causing this; it is caused by your Domain
    Controller trying to register in the public zone. For Active Directory you
    need a local DNS server and you must use its address only in TCP/IP
    properties. Never use your ISP's DNS in any position, on any AD Domain
    member.
    This can also be caused by trying to register its PTR record in a public
    DNS.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your
    issue. To respond directly to me remove the nospam. from my
    email. ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht Sr. [MVP], Jul 10, 2004
    #2

  3. The only place where outside DNS server IPs should
    appear, if so optionally desired, is as Forwarder(s) in
    the properties of your DNS server. No other location
    anywhere in the domain, on no machine, should those
    IPs be used as DNS servers.
     
    Roger Abell, Jul 10, 2004
    #3
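    The advice in the two replies above (only the internal DNS server may appear in
    any AD member's TCP/IP settings; outside resolvers belong only in the DNS
    server's forwarder list) can be checked rather than taken on faith. The
    following audit script is an added example and is not part of the thread; it
    uses the DnsClient module (Windows Server 2012 or later, which the 2004 thread
    predates), and the internal DNS address and RFC 1918 ranges it treats as
    "private" are assumptions to adjust for your network. It lists every
    interface that points at a DNS server other than the designated internal one,
    every interface that still registers itself in DNS, and the recent SPNEGO
    40961 warnings with the server the DC tried to authenticate to (the
    `DNS/ns7.gandi.net` part of the message in the original post).

```powershell
# Added example, not from the thread: audit an AD member's DNS client settings
# and pull the LSASRV/SPNEGO 40961 warnings discussed above.
# Assumptions: DnsClient module available (Windows Server 2012+), the internal
# DNS server is 192.168.1.10, and RFC 1918 plus loopback count as "private".
$InternalDns = @('192.168.1.10')   # assumed address of the internal DC/DNS server

function Test-PrivateAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # IPv6 is out of scope for this check (assumption); treat it as not-public.
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $true }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

# 1. Any interface whose DNS server list is not exactly the internal server is a
#    finding: the DC will send dynamic updates toward whatever SOA that server
#    returns for the domain, which for a public domain name is the registrar's NS.
function Get-DnsClientFindings {
    $findings = @()
    foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
        foreach ($srv in $cfg.ServerAddresses) {
            $problem = $null
            if (-not (Test-PrivateAddress $srv)) {
                $problem = 'public DNS server configured on an AD member'
            } elseif ($InternalDns -notcontains $srv) {
                $problem = 'not the designated internal DNS server'
            }
            if ($problem) {
                $findings += [pscustomobject]@{
                    Interface = $cfg.InterfaceAlias
                    DnsServer = $srv
                    Problem   = $problem
                }
            }
        }
    }
    return $findings
}

# 2. Interfaces that still register their addresses (source of the PTR attempts).
function Get-RegisteringInterfaces {
    Get-DnsClient |
        Where-Object { $_.RegisterThisConnectionsAddress } |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress
}

# 3. Recent 40961 warnings, with the target pulled out of the message text.
#    The message reads "... with the server DNS/<host>. No authentication ...".
function Get-SpnegoFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40961 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'LsaSrv' } |
        ForEach-Object {
            $target = if ($_.Message -match 'server\s+(\S+)\.\s') { $Matches[1] } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; Target = $target }
        }
}

Get-DnsClientFindings      | Format-Table -AutoSize
Get-RegisteringInterfaces  | Format-Table -AutoSize
Get-SpnegoFailures         | Format-Table -AutoSize
```

    A target of the form `DNS/<public nameserver>` in the last table, combined
    with a finding in the first, is the pattern from this thread: the DC found a
    public authoritative server for its own domain name through an external
    resolver and attempted a Kerberos-secured dynamic update against it.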
  4. Hi and thanks for your answer,

    That is exactly the problem: I don't want my AD Domain Controller trying to
    register in the public zone ! My DNS server is local and I only use its
    address in TCP/IP properties of my computers.

    But the domain name I use (unfortunately) exists in the public DNS system. I
    guess this is the origin of the problem. How can I disable the registration
    of its PTR record in a public DNS ?

    Thanks.
     
    Guillaume Tamisier, Jul 11, 2004
    #4
  5. The DNS server ns7.gandi.net does not appear in my configuration !!! I never
    use this DNS server for DNS name resolution on my computers. So I don't even
    know how the AD DNS server has found the name ns7.gandi.net !?!

    Guillaume Tamisier, Jul 11, 2004
    #5
  6. You can't stop PTR registration on just one interface, so you'll have to
    stop it on all interfaces. PTR registration is not needed anyway, so just
    stop it altogether. The instructions are in this article:
    246804 - How to enable or disable dynamic DNS registrations in Windows 2000
    and in Windows Server 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;246804&Product=winsvr2003
     
    Kevin D. Goodknecht Sr. [MVP], Jul 11, 2004
    #6
  7. It has likely found it because you are allowing external
    DNS servers to be used, and by use of them it has found
    that that DNS server is SOA for the zone in which it is
    supposed to register.
    Do not allow any AD member to use public DNS servers
    unless you know what you are doing and intend for your
    AD zones to be in the public space.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Jul 12, 2004
    #7
  8. Hi Guillaume ,

    Thanks for your posting here.

    I would like to recommend that you create an internal DNS server and point all
    your DCs and clients to the internal DNS server. If you need to resolve
    names on the Internet, the DNS server must have a forwarder configured.

    Please refer to the following documents for the detailed information:

    237675 Setting Up the Domain Name System for Active Directory
    http://support.microsoft.com/?id=237675

    816584 HOW TO: Set Up the Domain Name System for Active Directory in Windows
    http://support.microsoft.com/?id=816584

    323380 HOW TO: Configure DNS for Internet Access in Windows Server 2003
    http://support.microsoft.com/?id=323380

    Have a nice day!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Jul 12, 2004
    #8
  11. Hi Bob,

    My configuration corresponds exactly to the one you describe. The only
    difference is that I have not configured forwarders because I prefer that my
    DNS server resolves the DNS names from root servers (thus, I do not depend
    on the DNS servers of my ISP). Does this difference explain this error ?
     
    Guillaume Tamisier, Jul 13, 2004
    #11
  12. All my AD members use the DNS server of my DC (which is private). However,
    my public domain name (which is identical to my private domain name) points
    to the public IP address of my network. So the domain name exists twice: on
    the internet and in my private network. But because my DNS server is not
    accessible from the outside of my network, my network is normally not
    visible from the internet and my internal network is not supposed to query
    the DNS server which serves my domain name (I hope I'm clear...).
     
    Guillaume Tamisier, Jul 13, 2004
    #12
  13. The chances are close to 100% this is your DC trying to register its PTR
    records, if you have a public IP address on your NIC.
    It will not be trying to register in the public forward domain zone, if you
    don't have your ISP's DNS listed in TCP/IP properties.

    It would not be recommended for you to create a reverse lookup zone for your
    public IP address, unless it has been delegated to you by your ISP. You will
    need to stop the PTR registration as I noted in my reply.
     
    Kevin D. Goodknecht Sr. [MVP], Jul 13, 2004
    #13
  14. Yes, I have two NICs on my DC (one public, one private). You seem to be
    right: the DNS server of my ISP is listed in the TCP/IP properties of my
    public NIC because this interface uses DHCP. How can I keep using DHCP but
    not use the DNS servers the DHCP response indicates (I only need an IP
    address, network mask and gateway address)?

    (I've not created a reverse lookup zone for my public IP address.)
     
    Guillaume Tamisier, Jul 14, 2004
    #14
  15. Manually add your local DNS in TCP/IP properties of the public NIC, but let
    DHCP assign the IP address.

    In addition, Multi-homed Domain controllers are problematic and require some
    extra configuration.

    Do these things:
    1 Bindings- Check the binding order of your NICs, Right click on network
    places, choose properties, In the Advanced menu select Advanced settings,
    make sure your internal interface is at the top of the connections list and
    that only the internal interface has file sharing and Client for MS Networks
    in the bindings pane.

    2 DNS listener addresses- Use the DNS management console choose the
    properties of the DNS server, on the interfaces tab select "Listen only on
    these addresses" with the IP of the internal interface.

    3 LDAP IP addresses- By default the netlogon service on Domain controllers
    will register (same as parent folder) Host records for all IP addresses on
    the machine, if you have a public address on the machine that you do not
    want File Sharing enabled on, you also do not want the (same as parent
    folder) host for its IP address. This record is used for the domain DFS
    SYSVOL share at \\<domainname>\SYSVOL What you have to do, is stop the
    creation of these records then manually create the record for the private
    IP.
    In addition, if this is your forest root DC, and it is also a Global Catalog
    server, so it also creates a (same as parent folder) host in the
    gc._msdcs.<forestroot> for each IP you will also need to stop this and
    manually create the (same as parent folder) record for the internal IP
    there, too.

    Here is the registry entry to stop these records and don't forget to
    manually create these records.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Registry value: DnsAvoidRegisterRecords
    Data type: REG_MULTI_SZ

    LdapIpAddress
    GcIpAddress

     
    Kevin D. Goodknecht Sr. [MVP], Jul 14, 2004
    #15
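    The multi-homed DC procedure in the reply above (DNS client on the public NIC,
    bindings, DNS listener addresses, `DnsAvoidRegisterRecords` plus manual
    records), together with the per-connection registration switch from KB 246804
    referenced in post #6, is collected below as one script. It is an added
    example, not the reply's own instructions, and it uses the DnsClient,
    NetAdapter and DnsServer modules of Windows Server 2012 and later, which the
    2004 reply predates (there the steps are GUI and registry). The interface
    aliases, addresses, domain name and the assumption that `_msdcs` is its own
    zone and that this DC is a Global Catalog in the forest root are placeholders
    to adapt; the DNS client is pointed at the DC's own internal address rather
    than 127.0.0.1 as in post #17, which also resolves the thread's problem.

```powershell
# Added example, not from the thread: apply the multi-homed DC steps above with
# the DnsClient/NetAdapter/DnsServer modules (Windows Server 2012+).
# All names and addresses below are assumptions for illustration.
$PublicNic   = 'Public'            # assumed alias of the Internet-facing NIC (DHCP)
$InternalNic = 'Internal'          # assumed alias of the LAN NIC
$InternalIp  = '192.168.1.10'      # assumed internal address of this DC
$Domain      = 'corp.example.com'  # assumed AD domain name
$ForestRoot  = $Domain             # assumed: this DC is in the forest root and is a GC

# 1. DNS client: both NICs use only the internal DNS server. DHCP still assigns
#    the public NIC's address/mask/gateway; only the DNS server list is overridden.
Set-DnsClientServerAddress -InterfaceAlias $PublicNic   -ServerAddresses $InternalIp
Set-DnsClientServerAddress -InterfaceAlias $InternalNic -ServerAddresses $InternalIp

#    The public NIC must not register its address (A or PTR) at all. The per-
#    connection switch is the one KB 246804 describes; the TCP/IP-wide value
#    DisableReverseAddressRegistrations stops PTR registration on every interface.
Set-DnsClient -InterfaceAlias $PublicNic -RegisterThisConnectionsAddress $false
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name 'DisableReverseAddressRegistrations' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Bindings: no File and Printer Sharing, no Client for Microsoft Networks on
#    the public NIC (ms_server = server service, ms_msclient = workstation client).
Disable-NetAdapterBinding -Name $PublicNic -ComponentID 'ms_server', 'ms_msclient'

# 3. DNS server: "Listen only on these addresses" = the internal address.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($InternalIp)
Set-DnsServerSetting -InputObject $settings

# 4. Netlogon: stop the "(same as parent folder)" A records for every local IP
#    (LdapIpAddress in the domain zone, GcIpAddress under gc._msdcs.<forestroot>).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $netlogon -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
    -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null

# 5. Create those two records by hand for the internal address only.
#    '@' is the "(same as parent folder)" name; assumes _msdcs is a separate zone.
Add-DnsServerResourceRecordA -ZoneName $Domain -Name '@' -IPv4Address $InternalIp
Add-DnsServerResourceRecordA -ZoneName "_msdcs.$ForestRoot" -Name 'gc' -IPv4Address $InternalIp

# 6. Re-register the remaining SRV/A records and verify what is now in the zones.
Restart-Service Netlogon
nltest /dsregdns | Out-Null
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name '@'
Get-DnsServerResourceRecord -ZoneName "_msdcs.$ForestRoot" -RRType A -Name 'gc'
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
```

    Run it once: step 5 fails on a second run if the records already exist, and
    any stale "(same as parent folder)" record for the public address that
    Netlogon registered earlier must be removed from the zone by hand, since the
    registry value only stops future registrations.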
  16. Hi Guillaume,

    How do you set the DNS server to query the internet name space from root
    servers? If you just put your ISP's DNS or other Public DNS server in the
    network settings of DNS server or DC, it will try to register in the public
    DNS server. You can just point it to your internal DNS and set a forwarder.

    Best regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

     
    Bob Qin [MSFT], Jul 14, 2004
    #16
  17. I manually added my local DNS (127.0.0.1) in TCP/IP properties of the public
    NIC, but let DHCP assign the IP address... and the problem is gone. I no
    longer have errors in my system log!

    Thanks everybody for your help !
     
    Guillaume Tamisier, Jul 15, 2004
    #17
  18. Our pleasure!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

     
    Bob Qin [MSFT], Jul 16, 2004
    #18
  19. No public DNS server configured for use, problem gone.
     
    Roger Abell, Jul 19, 2004
    #19