2003 server having time, DNS and sharing issues

I have a single 2003 server standard, SP2 running AD and Exchange 2003.  At this time it is the only server, with only one client computer.

Starting with a reboot, I get the following in the system event log:

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            6/16/2008
Time:            9:57:06 AM
User:            N/A
Computer:      ServerName
The Security System detected an authentication error for the server LDAP/Localhost.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.

0000: 5e 00 00 c0               ^..À    

Followed quickly by:

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      17
Date:            6/16/2008
Time:            9:57:08 AM
User:            N/A
Computer:      ServerName
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

Exchange seems like it is behaving fine as far as mail sending/receiving , but is returning these errors in the application event log:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8026
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
LDAP Bind was unsuccessful on directory servername.mydomain.org for distinguished name ''. Directory returned error:[0x34] Unavailable.    

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2102
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
Process MAD.EXE (PID=2232). All Domain Controller Servers in use are not responding:

I can browse the internet fine from this machine.  DNS is pointing to itself.  I can map to shareds on this machine, but get access denied when trying to view them.  Automatic mappings do not show up at all.

I have followed MS KB article: http://support.microsoft.com/kb/816042 to try and get the time services issue fixed, to no avail.
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Darius GhassemCommented:
EddyGurgeAuthor Commented:
I've read that, but it doesn't really address any of the problems the server is currently having.  I included them for completeness, but I'm still having a number of issues on the box.  I'm really leaning toward some kind of funky DNS issue, but I just don't know.
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Darius GhassemCommented:
From a command prompt try running netdiag /fix this could
repopulate the dns records for your dc

If you don't have the support tools installed, install them from your server
install disk.

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages
kadadi_vIT AdminCommented:
DId you check your DNS server is working properly using netdiag.exe utility...chek it passes the all tests and IF your are using the Internal DNS server ten check the primary DNS address of the server and at cleint should be local ip address of the DNS server and ISP DNS address in forwarders tab of the DNS server console.

More INfo:-



Vijay Kadadi
EddyGurgeAuthor Commented:
Just ran the netdiag /fix, and the verbose netdiag and dcdiag.  No failures in any of them.  There is only this one DC, no other servers. The client is using the ip of the server, and can do DNS lookups just fine.

As an example though, if I run a w32tm /resync I get:
The computer did not resync because no time data was available

It's set to use time.nist.gov,0x1

There were some issues where the clock got set off a day for a while.  (never ask your wife what the date is when working on a server...) but the time shows correctly now, and has been rebooted quite a few times since it was fixed.
Darius GhassemCommented:
Try looking at this.

Based on my research, there are many factors which may cause the 40960

1. Computer account in parent domain with same name as child DC.
2. RPC Locator service was off on DC.
3. Secure dynamic updates failing if pointing to a DNS server that doesn't
support secure updates, Unix, etc.
4. NT4Emulator register value set to 1 on DC.
5. DHCP client service is disabled.
6. Time skew.
7. Kerberos UDP packet fragmentation.
8. Broken secure channel.
9. No reverse lookup zone for the DNS server.
10. Missing SPN.
11. Invalid cached credentials being used.
12. SAM account name of one account same as UPN of another account
EddyGurgeAuthor Commented:
1.  Only server in the domain, so this shouldn't be it
2. RPC Locator was off and set to manual, started it, and changed it to automatic
3. Not sure I'm following you on that one
4. I don't see that in the registry, is it located somewhere else?
5. DHCP client service is enabled & runnning
6. Time is correct on the server
7. Not sure how to check for that
8. Not sure how to check for that
9. Reverse lookup zone exists
10. Not sure how to check for that
11. Not sure how to check for that
12. Not sure how to check for that

Still no changes in errors or problems :(
Darius GhassemCommented:
Post the reports from the netdiag and repadmin. I need to look at a couple of things.
EddyGurgeAuthor Commented:
I've not even run repadmin, so I'm not sure what you want there.  Here is the netdiag:

    Computer Name: servername
    DNS Host Name: servername.mydomain.org
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 23 Stepping 7, GenuineIntel
    List of installed hotfixes :

Netcard queries test . . . . . . . : Passed
    [WARNING] The net card '1394 Net Adapter' may not be working because it has not received any packets.

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : servername
        IP Address . . . . . . . . :
        Subnet Mask. . . . . . . . :
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server ''.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully
Darius GhassemCommented:
Put the DNS server IP address as Had a problem with the local loopback address being in for the DNS before.
EddyGurgeAuthor Commented:
I have the nic set using the local ipaddress ( which it has been set to all along.  Are there any secondary places to set that?  I was kinda surprised to see the localhost listed there myself.
Darius GhassemCommented:
Check in DNS to see if it's listed there. Also, check in the TCP\IP settings that isn't listed any where. Look under the Alternative settings and advance settings.
EddyGurgeAuthor Commented:
I went ahead and removed and recreated the DNS server.  The proper address now shows in netdiag, but everything else is still messed up as above.
Darius GhassemCommented:
Have you done a ipconfig /flushdns on the server? Run this to netdiag /fix.
EddyGurgeAuthor Commented:
Yeah, I've done them.  No luck.

I installed this server about a week and half ago.  It know it was working fine then.  I had since played around with RPC over HTTP and certificate server stuff.  I removed all that in add/remove programs last night, hoping it would fix the problem that my playing around might have caused.  I'm wondering if it has anything to do with my messing around blindly.
Darius GhassemCommented:
look at the fourth one down on this post.

Darius GhassemCommented:
Here are a couple of more things to look at.

It is possibly a problem with the DNS dynamic updates registration credentials that the DHCP server supplies.

Go to the MMC for DHCP and bring up the server Properties, Advanced tab, Credentials and make sure the username and password are correct.

Windows Server 2003 is set to sync the time with an NTP server called time.windows.com I dont know if this server is no longer up but it does not respond to a simple ping. I changed my NTP server to point to one of the USNO servers and these errors stopped.

net time /setsntp:tock.usno.navy.mil
EddyGurgeAuthor Commented:
Just about to drive home, where I'll be happy to continue on this.  Just a note before I go, I'm not running DHCP on this machine.
EddyGurgeAuthor Commented:
I'm ready to try just about anything short of a reinstall.  I really want to avoid that.
Off the wall question here - are you running Server 2003 or Server 2000?

Also off the wall, when I've seen the LSASVR and 40961/9 errors, the solution was to remove the workstation from the domain and re-add it (just drop to workgroup, re-add to the Domain - THEN - reboot the workstation).

Then start and stop the workstation time service.

Are either the Server or Workstation dropping into any kind of 'sleep' or 'hibernation' mode?
Also - you only posted this in one Zone, but you can have it in three.

Verify the Server OS and we can get a Mod to add it to two more.
EddyGurgeAuthor Commented:
Not ignoring you here.  The kerberos thing might have gotten me going, or at least looking in the right spots.  Now I'm just trying to get it all together and see where we are.  Numerous client and server reboots going on, id changes, and some other stuff.
EddyGurgeAuthor Commented:
I'll continue this in the morning, but several things are most definitely working better now.
Disable Windows firewall. That should do in these errors.

You asked if there are any other DNS places to fix:
1) TCP/IP configuration of your server's nic
2) router's list of prefered DNS servers should be your DNS server
3) Your DNS address in host A accounts
4) DHCP configuration of DNS servers

You need to weed out that 127 loopback address:

So, once done with getting your configurations straight, go to the server's command prompt and type:
Ipconfig /flushdns
IPconfig /registerdns
net stop netlogon
net start netlogon

Then, go to the client's command prompt and type:
Ipconfig /flushdns

Assuming you have DHCP activated on your server, also type:
Ipconfig /release
Ipconfig /renew
Ahh, good point VMOD. Thanks!

How about some information to reconfigure Windows firewall to allow LDAP and Time services to function correctly?


The time error is because time is trying to synchronize prior to the Directory service up.
~~~ http://support.microsoft.com/kb/823712/en-us
SPnego error comes from being unable to communicate with an LDAP server.
~~~ http://support.microsoft.com/kb/823712/en-us
Exchange comes from the directory service not avail.
~~"Directory returned error:[0x34] Unavailable."

So, everything rides on the LDAP port open and the directory service set to automatic and started.  All of these errors say the same thing, they can't contact the domain controller LDAP.   I think this is a result of Windows firewall.
EddyGurgeAuthor Commented:

It is 2003 as stated.  Not sure why netdiag would say 2000, but it is 2003, SP2.  
Also, no additional firewall software or antivirus yet.


I'm sorry I missed your posts last night, and I didn't know about the multiple zones possibilities on questions.  I'll keep that in mind!


I hate to say it, but the DNS removal/reinstall fixed the DNS complaints to a large degree, and was done before your post, but thanks for chiming in!


Everything is now running fine.  It was a two (or three) part issue I'm guessing.  The Kerberos fix you linked was definitely part of the problem (and fixed the time sync issues right away), and got the rest of the ball rolling.  

The other issue appears that the client computer's user id was corrupt in AD in some fashion.  I deleted it, and created a new ID, and that fixed the mapping issues.  Time and DNS are working perfectly also.  

I'm only guessing here, but I'm going to put it down to time issues, and the clock getting messed up several times during and after install, which messed up internal authentication for the admin account, and the other userID.

Thanks for the help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.