Thursday, September 25, 2008

UK Active Directory User Group - Inaugural Meeting

There was a post on the ActiveDir.org mailing list regarding the UK Active Directory User Group's Inaugural Meeting.

I'm very much looking forward to it. It looks like it will be an interesting evening and will be an opportunity to meet some of the names that regularly appear on the ActiveDir list.

For details see the home page at http://adug.co.uk/

Tuesday, September 23, 2008

LSASRV SPNEGO EventID 40960

Following an issue with time synchronisation resulting from a customer accidentally forwarding time by 3 months on a production Domain Controller, the following events were being logged even after the time was correctly synchronised across all domains in the forest.

Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Description:
The Security System detected an authentication error for the server DNS/DC.domainname.rootdomainname.local. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount.
(0xc0000133)".


These authentication-related errors were being logged as a side effect of attempts to register records in DNS, update group policy and so on. The error could be generated by an ipconfig /registerdns or GPUpdate /force.

A DC in the root domain had an atomic clock attached to it but was NOT the PDCe for the root domain.

The time synchronisation settings were set so that all DCs in the forest were obtaining time from the DC with the atomic clock.

So this was not as per Microsoft best practice. Therefore we rearranged things to bring them into line with best practice, organising the hierarchy as default.

While the servers' time was in sync, we obtained the following information, which eventually resolved the errors:
w32tm /config /update
w32tm /resync

Restart the machine.

If the issue persists, verify the time zone settings on the client and the domain controller.

Finally run the following command on the client:

net time \\ /set /yes

A combination of one or more of the above finally resolved these errors.
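To confirm the outcome described above, the following added example (not from the original post) measures this machine's offset from a domain controller with w32tm /stripchart and lists recent LSASRV 40960 events carrying 0xc0000133. The DC name is a placeholder, the 300-second threshold assumes the default Kerberos clock-skew tolerance of five minutes, and Get-WinEvent requires Windows Vista / Server 2008 or later.

```powershell
# Added example (not from the original post): post-resync verification.
param(
    [string]$ReferenceDc     = 'dc01.example.local', # placeholder DC name
    [int]   $MaxSkewSeconds  = 300,                  # assumed: default Kerberos tolerance
    [int]   $LookbackMinutes = 60                    # how far back to look for events
)

# Sample the offset between this machine and the DC. With /dataonly each good
# sample looks like "14:22:05, +00.0012345s"; failed samples contain "error:".
$raw = & w32tm /stripchart "/computer:$ReferenceDc" /samples:3 /dataonly 2>&1
$offsets = @(foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]?\d+[.,]\d+)s\s*$') {
        # Normalise a locale decimal comma before parsing.
        [double]::Parse(($Matches[1] -replace ',', '.'),
                        [Globalization.CultureInfo]::InvariantCulture)
    }
})

if ($offsets.Count -eq 0) {
    Write-Warning "No time samples from $ReferenceDc; check name resolution and UDP 123."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
              Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning ("Offset {0:N1}s exceeds {1}s; Kerberos will keep failing." -f $worst, $MaxSkewSeconds)
    } else {
        Write-Output ("Offset {0:N3}s is within the {1}s tolerance." -f $worst, $MaxSkewSeconds)
    }
}

# Look for the skew-specific variant of event 40960 since the cut-off.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = 'System'; Id = 40960; StartTime = $since }
$skewEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'LSASRV' -and $_.Message -match '0xc0000133' })

if ($skewEvents.Count -gt 0) {
    # Get-WinEvent returns newest first, so index 0 is the latest occurrence.
    Write-Warning "$($skewEvents.Count) skew event(s) since $since; latest at $($skewEvents[0].TimeCreated)."
} else {
    Write-Output "No 40960 / 0xc0000133 events since $since."
}
```

Run it after the resync and again after the restart; a small offset with events still appearing indicates that the remaining errors have another cause than the clock on this machine.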

Keywords : LSASRV SPNEGO EventID 40960 time synchronization synchronisation