Prev: Error 333
Next: wbemess.log
From: Michael Easterly on
Tariq-

The only warning event that is coming up is 40968. The only event that is
being logged for time synchronization is informational;

Source: W32TIME
Event ID: 37
The time provider NtpClient is currently receiving valid time data from
ntp.uiuc.edu (ntp.m|0x1|131.230.210.129:123->130.126.24.24:123).

I set this up according to Article ID : 816042. Configuring the Windows Time
service to use an external time source.

I have also successfully synchronized other hosts to the DC as well.

This is the first DC in domain.

Yes I can reboot the system and send you the log files. Please send
instructions on where to send the information. Thanks!

"Tariq Azad" wrote:

> Michael-
>
> I am just curious if ot is possible for you to reboot the system, and then send me the Application and system log file for further analysis?
>
> Thanks,
>
> Tariq
> "Tariq Azad" <tariq_bin_azad(a)hotmail.com> wrote in message news:XridnVr7xu1I2oXZnZ2dnUVZ_sydnZ2d(a)giganews.com...
> Michael-
>
> Thanks for a prompt reply.
> I didn't get answers of my other questions. Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
>
> Regards,
>
> Tariq
> "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:862C950F-6654-4870-BE2D-DEA5703E7670(a)microsoft.com...
> I checked out the articles that you included with your last posting.
>
> The first article does not apply becuase the server is not logging events
> 1015 or 1000 as the article indicates.
>
> The second article doesn't apply either. Whereas SP1 includes 835732,
> (http://www.microsoft.com/technet/security/prodtech/windowsserver2003/sp1..mspx)
>
> I ran the baseline security analyser to see what hotfixes are installed and
> below are the results (Scanned with MBSA version: 2.0.5029.2):
>
> MS05-036 Security Update for Windows Server 2003 (KB901214)
> MS05-039 Security Update for Windows Server 2003 (KB899588)
> MS05-040 Security Update for Windows Server 2003 (KB893756)
> MS05-033 Security Update for Windows Server 2003 (KB896428)
> MS05-027 Security Update for Windows Server 2003 (KB896422)
> MS05-026 Security Update for Windows Server 2003 (KB896358)
> MS05-042 Security Update for Windows Server 2003 (KB899587)
> MS05-032 Security Update for Windows Server 2003 (KB890046)
> MS05-041 Security Update for Windows Server 2003 (KB899591)
> MS05-045 Security Update for Windows Server 2003 (KB905414)
> MS05-051 Security Update for Windows Server 2003 (KB902400)
> MS05-046 Security Update for Windows Server 2003 (KB899589)
> MS05-048 Security Update for Windows Server 2003 (KB901017)
> MS05-049 Security Update for Windows Server 2003 (KB900725)
> MS05-053 Security Update for Windows Server 2003 (KB896424)
> MS05-050 Security Update for Windows Server 2003 (KB904706)
> MS05-054 Cumulative Security Update for Internet Explorer for Windows
> Server 2003 (KB905915)
> MS06-001 Security Update for Windows Server 2003 (KB912919)
> MS06-002 Security Update for Windows Server 2003 (KB908519)
> MS06-008 Security Update for Windows Server 2003 (KB911927)
> MS06-009 Security Update for Windows Server 2003 (KB901190)
> MS06-006 Security Update for Windows Media Player Plug-in (KB911564)
> MS06-007 Security Update for Windows Server 2003 (KB913446)
> 890830 Windows Malicious Software Removal Tool - March 2006 (KB890830)
>
> Thanks in advance for your assistance.
>
> "Tariq Azad" wrote:
>
> > Michael-
> >
> > Are there other events like event 6033 or 50? Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
> >
> > I know that LSASRV has some known issues. Please check the following link to see if it applies in your case.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;818080
> > http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
> >
> > Regards,
> >
> > Tariq Azad
> > "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:839A2818-305F-404F-A62D-4D101E6368F5(a)microsoft.com...
> > Tariq:
> >
> > I know that you didn't ask me for this information, but I'm going to post it
> > anyway.
> >
> > Microsoft Windows 2003 SP1 (5.2.3790)
> >
> > All current updates/hotfixes are installed onto the server. This server is
> > configured for DC, DNS, DHCP, File/Print. With a default installation, no
> > tweaks have been applied to this server at this time whereas it is a fresh
> > install.
> >
> > Thanks in advance for your help!
> >
> > "Tariq Azad" wrote:
> >
> > > George-
> > >
> > > Thanks for posting your message here.
> > > Is it a warning or an error? Please provide some more information including:
> > > OS Version
> > > Server Pack Version
> > >
> > > Regards,
> > >
> > > Tariq Azad
> > >
> > > "George" <George(a)discussions.microsoft.com> wrote in message news:0A6F3483-DE66-4D20-886E-D8224EB37954(a)microsoft.com...
> > > I am having same problem followed by the following restart.
> > >
> > > The process winlogon.exe has initiated the restart of computer FS1 on behalf
> > > of user for the following reason: No title for this reason could be found
> > >
> > > Reason Code: 0x50006
> > >
> > > Shutdown Type: restart
> > >
> > > Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
> > > unexpectedly with status code -1073740972. The system will now shut down and
> > > restart.
> > >
> > >
> > > "Michael Easterly" wrote:
> > >
> > > > Source: LSASRV
> > > > Castegory: SPNEGO (Negotiator)
> > > > Event ID: 40968
> > > >
> > > > The Security System has received an authentication request that could not be
> > > > decoded. The request has failed.
> > > >
> > > > I can't find a reference for this Warning anywhere, please help.
> > > >
> > > >
From: Tariq Azad on
Michael:

Please send me the log files at tariq_bin_azad(a)hotmail.com...
Is this a test DC or production DC? Can you install an addition DC on some other machine (in a seperate forest), with no SP1, and tell me the results?

Regards,
Tariq
"Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:ACA7E2C6-23A2-44C2-9382-71E1E17740D2(a)microsoft.com...
Tariq-

The only warning event that is coming up is 40968. The only event that is
being logged for time synchronization is informational;

Source: W32TIME
Event ID: 37
The time provider NtpClient is currently receiving valid time data from
ntp.uiuc.edu (ntp.m|0x1|131.230.210.129:123->130.126.24.24:123).

I set this up according to Article ID : 816042. Configuring the Windows Time
service to use an external time source.

I have also successfully synchronized other hosts to the DC as well.

This is the first DC in domain.

Yes I can reboot the system and send you the log files. Please send
instructions on where to send the information. Thanks!

"Tariq Azad" wrote:

> Michael-
>
> I am just curious if ot is possible for you to reboot the system, and then send me the Application and system log file for further analysis?
>
> Thanks,
>
> Tariq
> "Tariq Azad" <tariq_bin_azad(a)hotmail.com> wrote in message news:XridnVr7xu1I2oXZnZ2dnUVZ_sydnZ2d(a)giganews.com...
> Michael-
>
> Thanks for a prompt reply.
> I didn't get answers of my other questions. Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
>
> Regards,
>
> Tariq
> "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:862C950F-6654-4870-BE2D-DEA5703E7670(a)microsoft.com...
> I checked out the articles that you included with your last posting.
>
> The first article does not apply becuase the server is not logging events
> 1015 or 1000 as the article indicates.
>
> The second article doesn't apply either. Whereas SP1 includes 835732,
> (http://www.microsoft.com/technet/security/prodtech/windowsserver2003/sp1...mspx)
>
> I ran the baseline security analyser to see what hotfixes are installed and
> below are the results (Scanned with MBSA version: 2.0.5029.2):
>
> MS05-036 Security Update for Windows Server 2003 (KB901214)
> MS05-039 Security Update for Windows Server 2003 (KB899588)
> MS05-040 Security Update for Windows Server 2003 (KB893756)
> MS05-033 Security Update for Windows Server 2003 (KB896428)
> MS05-027 Security Update for Windows Server 2003 (KB896422)
> MS05-026 Security Update for Windows Server 2003 (KB896358)
> MS05-042 Security Update for Windows Server 2003 (KB899587)
> MS05-032 Security Update for Windows Server 2003 (KB890046)
> MS05-041 Security Update for Windows Server 2003 (KB899591)
> MS05-045 Security Update for Windows Server 2003 (KB905414)
> MS05-051 Security Update for Windows Server 2003 (KB902400)
> MS05-046 Security Update for Windows Server 2003 (KB899589)
> MS05-048 Security Update for Windows Server 2003 (KB901017)
> MS05-049 Security Update for Windows Server 2003 (KB900725)
> MS05-053 Security Update for Windows Server 2003 (KB896424)
> MS05-050 Security Update for Windows Server 2003 (KB904706)
> MS05-054 Cumulative Security Update for Internet Explorer for Windows
> Server 2003 (KB905915)
> MS06-001 Security Update for Windows Server 2003 (KB912919)
> MS06-002 Security Update for Windows Server 2003 (KB908519)
> MS06-008 Security Update for Windows Server 2003 (KB911927)
> MS06-009 Security Update for Windows Server 2003 (KB901190)
> MS06-006 Security Update for Windows Media Player Plug-in (KB911564)
> MS06-007 Security Update for Windows Server 2003 (KB913446)
> 890830 Windows Malicious Software Removal Tool - March 2006 (KB890830)
>
> Thanks in advance for your assistance.
>
> "Tariq Azad" wrote:
>
> > Michael-
> >
> > Are there other events like event 6033 or 50? Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
> >
> > I know that LSASRV has some known issues. Please check the following link to see if it applies in your case.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;818080
> > http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
> >
> > Regards,
> >
> > Tariq Azad
> > "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:839A2818-305F-404F-A62D-4D101E6368F5(a)microsoft.com...
> > Tariq:
> >
> > I know that you didn't ask me for this information, but I'm going to post it
> > anyway.
> >
> > Microsoft Windows 2003 SP1 (5.2.3790)
> >
> > All current updates/hotfixes are installed onto the server. This server is
> > configured for DC, DNS, DHCP, File/Print. With a default installation, no
> > tweaks have been applied to this server at this time whereas it is a fresh
> > install.
> >
> > Thanks in advance for your help!
> >
> > "Tariq Azad" wrote:
> >
> > > George-
> > >
> > > Thanks for posting your message here.
> > > Is it a warning or an error? Please provide some more information including:
> > > OS Version
> > > Server Pack Version
> > >
> > > Regards,
> > >
> > > Tariq Azad
> > >
> > > "George" <George(a)discussions.microsoft.com> wrote in message news:0A6F3483-DE66-4D20-886E-D8224EB37954(a)microsoft.com...
> > > I am having same problem followed by the following restart.
> > >
> > > The process winlogon.exe has initiated the restart of computer FS1 on behalf
> > > of user for the following reason: No title for this reason could be found
> > >
> > > Reason Code: 0x50006
> > >
> > > Shutdown Type: restart
> > >
> > > Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
> > > unexpectedly with status code -1073740972. The system will now shut down and
> > > restart.
> > >
> > >
> > > "Michael Easterly" wrote:
> > >
> > > > Source: LSASRV
> > > > Castegory: SPNEGO (Negotiator)
> > > > Event ID: 40968
> > > >
> > > > The Security System has received an authentication request that could not be
> > > > decoded. The request has failed.
> > > >
> > > > I can't find a reference for this Warning anywhere, please help.
> > > >
> > > >
From: Tariq Azad on
Michael-

Thanks for sending me the log file.

Note 1:
It seems that your domain controller is unable to syncronize with external resource. Why not disable synchronizing with an external resource? I think it is a time service issue, and Kerberos is unable to generate certificate within a time period. I would suggest you to disable NTP client also, and type this command at the command prompt:
net time /set /setsntp:localipaddress
Resolve your Time issues first before moving to any next steps. If the time issue won't resolve the problem then continue the other steps in the order.

Note 2:
Please also check the following article. You are experiencing 40960 (Cause of all problems at reboot) -- 40968 is igenoreable. The real pain is 40960.
http://support.microsoft.com/?id=823712

Note 3:
Also check the DNS settings of local lan card of your DC. Make sure it is point to the local DNS. If possible run netdiag /v and dcdiag /v to resolve an issue. If it would be some DC and Network issue, you will get a detail report

Note 4:
If all of the above won't work, then you may want to add dependencise to the DNS. You may need to make W32Time (Windows Time Service), NtFrs (File Replication Service), and SMTPSVC (Simple Mail Transfer Protocol (SMTP)) dependent upon DNS (DNS Server). See M193888 for details on how to do this.

Note 5:
It is also possible that the Network Service security account does not have sufficient privileges to access the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
To resolve this issue, assign the Network Service account full control access to the mentioned registry subkeys.

Note 6:
The error code in the message to determine the cause of the problem. For example, a STATUS_NO_LOGON_SERVER error code (0xC000005e) indicates that the domain controller was temporarily unavailable". This can also occurs if the FRS tries to authenticate before the directory service has started. See M824217 to troubleshoot this problem. See M891559 for more details on this event.

Note 7:
You may have to make NETLOGON depend on DNS. This can be done in the registry easily, just go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).

I hope that this will resolve the issue. If not, then please let me know.

Regards,

Tariq Azad



"Tariq Azad" <tariq_bin_azad(a)hotmail.com> wrote in message news:qfudnXYAjMKr0IXZRVn-vQ(a)giganews.com...
Michael:

Please send me the log files at tariq_bin_azad(a)hotmail.com...
Is this a test DC or production DC? Can you install an addition DC on some other machine (in a seperate forest), with no SP1, and tell me the results?

Regards,
Tariq
"Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:ACA7E2C6-23A2-44C2-9382-71E1E17740D2(a)microsoft.com...
Tariq-

The only warning event that is coming up is 40968. The only event that is
being logged for time synchronization is informational;

Source: W32TIME
Event ID: 37
The time provider NtpClient is currently receiving valid time data from
ntp.uiuc.edu (ntp.m|0x1|131.230.210.129:123->130.126.24.24:123).

I set this up according to Article ID : 816042. Configuring the Windows Time
service to use an external time source.

I have also successfully synchronized other hosts to the DC as well.

This is the first DC in domain.

Yes I can reboot the system and send you the log files. Please send
instructions on where to send the information. Thanks!

"Tariq Azad" wrote:

> Michael-
>
> I am just curious if ot is possible for you to reboot the system, and then send me the Application and system log file for further analysis?
>
> Thanks,
>
> Tariq
> "Tariq Azad" <tariq_bin_azad(a)hotmail.com> wrote in message news:XridnVr7xu1I2oXZnZ2dnUVZ_sydnZ2d(a)giganews.com...
> Michael-
>
> Thanks for a prompt reply.
> I didn't get answers of my other questions. Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
>
> Regards,
>
> Tariq
> "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:862C950F-6654-4870-BE2D-DEA5703E7670(a)microsoft.com...
> I checked out the articles that you included with your last posting.
>
> The first article does not apply becuase the server is not logging events
> 1015 or 1000 as the article indicates.
>
> The second article doesn't apply either. Whereas SP1 includes 835732,
> (http://www.microsoft.com/technet/security/prodtech/windowsserver2003/sp1...mspx)
>
> I ran the baseline security analyser to see what hotfixes are installed and
> below are the results (Scanned with MBSA version: 2.0.5029.2):
>
> MS05-036 Security Update for Windows Server 2003 (KB901214)
> MS05-039 Security Update for Windows Server 2003 (KB899588)
> MS05-040 Security Update for Windows Server 2003 (KB893756)
> MS05-033 Security Update for Windows Server 2003 (KB896428)
> MS05-027 Security Update for Windows Server 2003 (KB896422)
> MS05-026 Security Update for Windows Server 2003 (KB896358)
> MS05-042 Security Update for Windows Server 2003 (KB899587)
> MS05-032 Security Update for Windows Server 2003 (KB890046)
> MS05-041 Security Update for Windows Server 2003 (KB899591)
> MS05-045 Security Update for Windows Server 2003 (KB905414)
> MS05-051 Security Update for Windows Server 2003 (KB902400)
> MS05-046 Security Update for Windows Server 2003 (KB899589)
> MS05-048 Security Update for Windows Server 2003 (KB901017)
> MS05-049 Security Update for Windows Server 2003 (KB900725)
> MS05-053 Security Update for Windows Server 2003 (KB896424)
> MS05-050 Security Update for Windows Server 2003 (KB904706)
> MS05-054 Cumulative Security Update for Internet Explorer for Windows
> Server 2003 (KB905915)
> MS06-001 Security Update for Windows Server 2003 (KB912919)
> MS06-002 Security Update for Windows Server 2003 (KB908519)
> MS06-008 Security Update for Windows Server 2003 (KB911927)
> MS06-009 Security Update for Windows Server 2003 (KB901190)
> MS06-006 Security Update for Windows Media Player Plug-in (KB911564)
> MS06-007 Security Update for Windows Server 2003 (KB913446)
> 890830 Windows Malicious Software Removal Tool - March 2006 (KB890830)
>
> Thanks in advance for your assistance.
>
> "Tariq Azad" wrote:
>
> > Michael-
> >
> > Are there other events like event 6033 or 50? Do you have any other event even related with time syncronization? Is this a first DC in the domain? If this is a second / additional domain controller, then I would suggest you to build a new one, install OS, basic patches, Virus scan, (no service pack), and then see the results...
> >
> > I know that LSASRV has some known issues. Please check the following link to see if it applies in your case.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;818080
> > http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
> >
> > Regards,
> >
> > Tariq Azad
> > "Michael Easterly" <MichaelEasterly(a)discussions.microsoft.com> wrote in message news:839A2818-305F-404F-A62D-4D101E6368F5(a)microsoft.com...
> > Tariq:
> >
> > I know that you didn't ask me for this information, but I'm going to post it
> > anyway.
> >
> > Microsoft Windows 2003 SP1 (5.2.3790)
> >
> > All current updates/hotfixes are installed onto the server. This server is
> > configured for DC, DNS, DHCP, File/Print. With a default installation, no
> > tweaks have been applied to this server at this time whereas it is a fresh
> > install.
> >
> > Thanks in advance for your help!
> >
> > "Tariq Azad" wrote:
> >
> > > George-
> > >
> > > Thanks for posting your message here.
> > > Is it a warning or an error? Please provide some more information including:
> > > OS Version
> > > Server Pack Version
> > >
> > > Regards,
> > >
> > > Tariq Azad
> > >
> > > "George" <George(a)discussions.microsoft.com> wrote in message news:0A6F3483-DE66-4D20-886E-D8224EB37954(a)microsoft.com...
> > > I am having same problem followed by the following restart.
> > >
> > > The process winlogon.exe has initiated the restart of computer FS1 on behalf
> > > of user for the following reason: No title for this reason could be found
> > >
> > > Reason Code: 0x50006
> > >
> > > Shutdown Type: restart
> > >
> > > Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
> > > unexpectedly with status code -1073740972. The system will now shut down and
> > > restart.
> > >
> > >
> > > "Michael Easterly" wrote:
> > >
> > > > Source: LSASRV
> > > > Castegory: SPNEGO (Negotiator)
> > > > Event ID: 40968
> > > >
> > > > The Security System has received an authentication request that could not be
> > > > decoded. The request has failed.
> > > >
> > > > I can't find a reference for this Warning anywhere, please help.
> > > >
> > > >
First  |  Prev  | 
Pages: 1 2 3
Prev: Error 333
Next: wbemess.log