Microsoft KB Archive/824217

= LSASRV Event IDs 40960 and 40961 When You Promote a Server to a Domain Controller Role =

Article ID: 824217

Article Last Modified on 10/26/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Professional

-





SYMPTOMS
When you restart your Windows Server 2003-based computer after you promote it to the role of domain controller, the following events may appear in the System log of Event Viewer:

Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40960

Date:

Time:

User: N/A

Computer:

Description: The Security System detected an authentication error for the server ldap/dca.acc.local. The failure code from authentication protocol Kerberos was &quot;There are currently no logon servers available to service the logon request. (0xc000005e)&quot;.

For more information, see Help and Support Center at http://support.microsoft.com.

Data: 0000: c000005e

Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40961

Date:

Time:

User: N/A

Computer:

Description: The Security System could not establish a secured connection with the server ldap/. No authentication protocol was available.

For more information, see Help and Support Center at http://support.microsoft.com.

Data: 0000: c0000388



RESOLUTION
If the errors only occur after the server has been rebooted, it is likely that a service is attempting to authenticate before the directory service is available.

823712 Event IDs 40960 and 40961 in the System event log when you restart Windows Server 2003 after you run Dcpromo.exe



MORE INFORMATION
The Negotiate Security Package is a specialized Security Support Provider (SSP) that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log a security principal onto a network, it can specify an SSP to process that request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle it. On a default install of Windows Server 2003, the Negotiate SSP will submit the logon request to Kerberos first as that is the preferred authentication protocol because, among other things, it supports mutual authentication. If Kerberos cannot process the request, Negotiate will fall back on NTLM. If, however, Kerberos can process the logon request, and the request fails with an authoritative error, Negotiate will not fall back on NTLM. The Negotiate SSP will log a 40960 event in the System log and include the error returned by Kerberos to explain why the logon request failed.

Event 40960 only logs the error returned by Kerberos. It does not log the name of the principal or the name of the client. In order to obtain this information, auditing for User Logon Failures must be enabled. By looking at the logon failure audit event logged at the same time as the SPNEGO event, more information about the logon failure can be obtained.

Additional query words: DS frs dcpromo w32time

Keywords: kbprb KB824217

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.