Re: Cannot find domain controller

ACE!!
An anonymous entry in eventid.net??
C'mon!!!
The original DNS RFCs do not even mention reverse lookup zones!
Kerberos uses DNS to resolve host names to IP, yes. But that is a forward
lookup activity.
Nowhere in the Kerberos protocol does it mention reverse lookups!
Also, the registration of SPNs or the receipt of a Ticket by a client for a
service registered on a DC does not require reverse lookups set.
Try it out and see for yourself.
If you look at the KB article for configuring DNS, you'll see Reverse zones
are optional! See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

If you can find a bona fide reference, we'll have a place to start from.


Regards,


Austin

"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message
news:OMG8Kk7IIHA.3356@xxxxxxxxxxxxxxxxxxxxxxx
In news:FgVYi.7397$9h.5160@xxxxxxxxxxxxxxxxxxxxxx,
Austin Osuide <austin@xxxxxxxxxxx> typed:
Hi Ace,
For my edification and that of others, can you explain what you mean
by: " The SPN record for the domain controller is used by the SPNEgo
and is based on the PTR for the DC" ?
Any pointer to where SPNEGO is dependent on PTR records?
SPNEGO is AFAIK, a (usually HTTP) Client/Server AUTHENTICATION
NEGOTIATION Mechanism (i.e. what do you talk? NTLM or Kerberos).
Even this KB says nothing of PTR records:
http://support.microsoft.com/kb/824217


Regards,


Austin

It's all about Kerberos. That article does not have enough info in it to
help you, nor does http://support.microsoft.com/kb/823712. If you search
back in these groups for 40960, 40961, SPNEGO, and/or LsaSrv you will find
posts that discuss it and the fix, being that to fix an SPNEGO error, it
needs a reverse zone with a PTR for the DC. Kerberos is purely DNS based.
Kerberos uses the FQDN to identify itself as well as to confirm with the
PTR, hence it's "ego." NTLM is not a factor here since Kerberos is what's
being used. Also HTTP has nothing to do with AD authentication. I
understand there are other uses for the SPN, but Kerberos is the key thing
with this issue.

See if this helps you out:
http://eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

I hope that helps.

Ace
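To test the PTR claim the way Austin suggests ("Try it out and see for yourself"), here is an added PowerShell check that is not part of the thread: it locates the DCs through the _ldap._tcp.dc._msdcs SRV record, compares forward (A) and reverse (PTR) lookups for each one, and lists recent LsaSrv 40960/40961 events from the System log. It assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName); the $Domain parameter defaults to the machine's own domain.

```powershell
# Added diagnostic, not from the thread: forward/reverse DNS consistency per DC,
# plus the LsaSrv events the thread refers to. Assumes a domain-joined Windows host.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: caller's own AD DNS domain
)

# 1. Locate DCs the way a Kerberos client does: via the _ldap._tcp.dc._msdcs SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

$results = foreach ($rec in $srv) {
    $fqdn = $rec.NameTarget.TrimEnd('.')

    # 2. Forward lookup: the resolution step Kerberos actually depends on.
    $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        [pscustomobject]@{ DC = $fqdn; IP = $null; Reverse = 'FORWARD LOOKUP FAILED (no A record)' }
        continue
    }

    foreach ($ip in $a.IPAddress) {
        # 3. Reverse lookup: optional per KB 300202, but report whether a PTR exists and agrees.
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
        $hosts = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
        if (-not $ptr)                  { $state = 'no PTR record' }
        elseif ($hosts -contains $fqdn) { $state = 'PTR matches forward name' }
        else                            { $state = "PTR mismatch: $($hosts -join ', ')" }
        [pscustomobject]@{ DC = $fqdn; IP = $ip; Reverse = $state }
    }
}
$results | Format-Table -AutoSize

# 4. Recent SPNEGO/Kerberos negotiation failures discussed in the thread (System log, source LsaSrv).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960, 40961 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the table shows "PTR matches" for every DC while 40960/40961 events still appear, the reverse zone is not the cause; if forward lookups fail, that is the problem to fix first regardless of PTRs.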
