Guest Drew Govnyak
Posted July 20, 2007

We are in the single forest native 2003 domain. 2 Domain Controllers, 30 member servers. All 2003 Servers (members and DCs) have SP2 applied. Network has been up for the past 5 years.

Since Feb 20th of this year, all of the 2003 member servers started logging Warning Event ID: 40960 from LSASRV at random days and times, but not frequently. The message logged is deceiving; it talks about time being different on one of the servers. (See below)

The max time difference on my servers is 0.005ms (obtained from w32time /monitor); all servers except the PDC Emulator are configured to use Nt5DS under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ key.

I also found a Security Event ID 673 logged within 1 second of the Warning on the DC to which the member server logging Event 40960 authenticated.

My suspicion is that KB931836 DST 2007, which was installed on Feb 20 of this year, started this problem, but I am not 100% sure yet.

Is anybody else having the same problem?

Event ID: 40960
The Security System detected an authentication error for the server cifs/dc1.ourdomain.local. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)".

Event ID: 673
Service Ticket Request:
User Name: SERVERNAME$@MYDOMAIN.LOCAL
User Domain: MYDOMAIN.LOCAL
Service Name: cifs/dc1.mydomain.local
Service ID: -
Ticket Options: 0x40810000
Ticket Encryption Type: -
Client Address: 172.16.8.26
Failure Code: 0xB
Logon GUID: -
Transited Services: -

Guest Coraleigh Miller
Posted July 25, 2007

Re: LSASRV Event 40960 and Failure Audit Event 673 since Feb 2007

Hi Drew,

When you NET TIME /QUERYSNTP on your PDC Emulator do you get the correct time source? It's not pointing back to itself or set up with Nt5DS, is it?

Also, sorry, have to ask: your time is only 0.005ms different, but is the day, month and year correct? :-) Although if that were the case, I'm sure you would be having much larger issues, with your workstations and member servers not being able to share resources with your PDC.

Are you having any network problems, or are these log files currently the only sign of a possible issue?

This TechNet article refers to the error 673 on your PDC...
http://support.microsoft.com/kb/824905

Coraleigh Miller

"Drew Govnyak" <drew@myemail.com> wrote in message news:%23ymIbmwyHHA.1176@TK2MSFTNGP05.phx.gbl...
> We are in the single forest native 2003 domain. 2 Domain Controllers 30
> member servers. All 2003 Servers (members and DCs) have SP2 applied.
> Network has been up for the past 5 years. Since Feb 20th of this year, all
> of the 2003 member servers started logging Warning Event ID: 40960 from
> LSASRV at random days and times, but not frequently. The message logged
> is deceiving; it talks about time being different on one of the servers.
> (See below) The max time difference on my servers is 0.005ms (obtained
> from w32time /monitor); all servers except the PDC Emulator are configured
> to use Nt5DS under the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
> key. I also found a Security Event ID 673 logged within 1 second of the
> Warning on the DC to which the member server logging Event 40960
> authenticated.
>
> My suspicion is that KB931836 DST 2007, which was installed on Feb 20 of this
> year, started this problem, but I am not 100% sure yet.
>
> Is anybody else having the same problem?
>
> Event ID: 40960
> The Security System detected an authentication error for the server
> cifs/dc1.ourdomain.local. The failure code from authentication protocol
> Kerberos was "The time at the Primary Domain Controller is different than
> the time at the Backup Domain Controller or member server by too large an
> amount. (0xc0000133)".
>
> Event ID: 673
> Service Ticket Request:
> User Name: SERVERNAME$@MYDOMAIN.LOCAL
> User Domain: MYDOMAIN.LOCAL
> Service Name: cifs/dc1.mydomain.local
> Service ID: -
> Ticket Options: 0x40810000
> Ticket Encryption Type: -
> Client Address: 172.16.8.26
> Failure Code: 0xB
> Logon GUID: -
> Transited Services: -

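Added example, not part of the original thread and not code from either poster: a Python script that pairs a member server's Event 40960 with DC Event 673 failures logged within one second for the same service name, as the first post describes, and decodes the 673 failure code and ticket options using the RFC 4120 values. The timestamps, tuple layout and function names are assumptions made for the illustration; the 673 field values are copied from the post.

```python
import re
from datetime import datetime, timedelta

# Time-related Kerberos error codes (RFC 4120).
KRB_ERRORS = {
    0x0B: "KDC_ERR_NEVER_VALID",     # requested start time is later than end time
    0x21: "KRB_AP_ERR_TKT_NYV",      # ticket not yet valid
    0x25: "KRB_AP_ERR_SKEW",         # clock skew too great
}
# KDCOptions bit numbers; bit 0 is the most significant of the 32 bits.
KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                   5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
                   27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

def parse_673(text):
    """Turn the 'Name: value' lines of an Event 673 description into a dict."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", text, re.M)}

def decode_options(value):
    """List the KDCOptions flags set in a Ticket Options value."""
    return [n for bit, n in KDC_OPTION_BITS.items() if value & (1 << (31 - bit))]

def correlate(member_events, dc_events, window=timedelta(seconds=1)):
    """Pair each 40960 warning with DC 673 failures for the same SPN within window."""
    pairs = []
    for m_time, m_host, m_spn in member_events:
        for d_time, d_text in dc_events:
            f = parse_673(d_text)
            same_spn = f.get("Service Name", "").lower() == m_spn.lower()
            if same_spn and abs(d_time - m_time) <= window:
                code = int(f["Failure Code"], 16)
                pairs.append({"host": m_host, "client": f["Client Address"],
                              "failure": KRB_ERRORS.get(code, hex(code)),
                              "options": decode_options(int(f["Ticket Options"], 16))})
    return pairs

# Constructed sample: timestamps are invented; the 673 field values copy the post.
SAMPLE_673 = """Service Ticket Request:
User Name: SERVERNAME$@MYDOMAIN.LOCAL
Service Name: cifs/dc1.mydomain.local
Ticket Options: 0x40810000
Client Address: 172.16.8.26
Failure Code: 0xB"""
T = datetime(2007, 7, 19, 3, 14, 7)
MEMBER = [(T, "SERVERNAME", "cifs/dc1.mydomain.local")]  # (time, host, SPN in 40960)
DC = [(T + timedelta(milliseconds=600), SAMPLE_673),
      (T + timedelta(minutes=5), SAMPLE_673)]  # second one is outside the window
if __name__ == "__main__":
    print(correlate(MEMBER, DC))
```

For the values in the post, the 673 failure code decodes to KDC_ERR_NEVER_VALID rather than KRB_AP_ERR_SKEW, and the ticket options to forwardable, renewable and canonicalize.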