Re: Cannot find domain controller
- From: "Austin Osuide" <austin@xxxxxxxxxxx>
- Date: Mon, 19 Nov 2007 15:52:24 -0000
Nice of you to tell us again Jorge :-)
If you want to contribute to the debate, it was about "the importance/use of PTR records in Kerberos communications".
My comment on that was that it's not required unless you have specific application requirements.
As a fix for the 40960 and 40961 errors, registration of PTR records should be the last thing you suggest UNLESS the event also includes a mention of an attempt at registering on prisoner.iana.org, WHICH WAS NOT THE CASE HERE (and you can explain why that event ID would occur if a dynamic update is carried out on a server that doesn't trust you).
A 40960 error is a generic error which means "I have tried to talk to you using our agreed protocol of Kerberos (the negotiation component) and authentication has failed". That's all that event ID means, and it can be generated by a myriad of causes, as eventid.net shows.
I hope you'll see the salient points here.
Regards,
Austin
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:uK0dKxrKIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
The answer's likely to be no, because you don't want to see the light...
Problem:
By default the client tries to register the PTR. If you don't have a Reverse Lookup Zone created, the DNS server will try to register those PTRs in other DNS servers that know about that IP range; as a consequence of that action, and because you can't do registrations on those DNS servers, an error is logged.
Solution:
Create a Reverse Lookup Zone.
If you don't want to have a Reverse Zone, configure the clients not to register the PTR records, via GPO, registry, whatever... As long as the clients are not trying to do that, no error will be logged.
DONE!!!
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:B662CE9A-07E3-4373-81B3-6ABB52B7876B@xxxxxxxxxxxxxxxx
OK guys,
Can you point to any MS KB that confirms this?
Or any MS document at all? The answer's probably no. Ace, I'm sure, has scoured the web for this and if he'd found anything, he'd have posted it.
All I'm saying is that what you've observed has no logical explanation wrt Kerberos or obtaining a ticket for a service. You don't need PTRs for that.
There is actually a GPO setting to disable the registration of PTR records because you can work fine without them ( Jorge, I don't know of any LOB app that requires this and I also work in multi-platform envs.) and you can find it at: Computer Config\Admin Temp\Network\DNS Client\Register PTR Records. Set the property to Disabled and you're done.
Ace, with regard to KB 259922, the second fix is to disable reverse lookups. Would it be a suggested fix if it broke stuff? I like to have a logical reason for things I do and not just because "we've always done it that way".
The logic for why you must register PTR records is what's missing here. The KB even says disabling the registration of PTR records reduces unnecessary network traffic!
You can register them, yes, but do you need them? The answer's likely to be no.
Regards,
Austin
"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message news:uA$vDTbKIHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
In news:%23IbjuIOKIHA.3672@xxxxxxxxxxxxxxxxxxxx,
Jorge Silva <jorgesilva_pt@xxxxxxxxxxx> typed:
Hi Ace,
If I recall correctly cleaning the Roothints also solves the problem
(not 100% sure)
Of course the most logical and fast way to solve this is to create the Reverse Lookup Zone.
And you know, I still agree with that. Create the reverse zone and make sure a PTR exists, and the error will go away, no matter what.
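The thread argues over two things an administrator can check for themselves: what the DNS client's PTR registration setting actually is on a given box, and whether the LsaSrv 40960/40961 events are even present. The following PowerShell is an added example written for this page, not code posted by any of the participants. It assumes that the "Register PTR Records" policy writes the DWORD RegisterReverseLookup under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (0 = do not register, 1 = register, 2 = register only if the A record registration succeeded), that the events in question are logged to the System log by the LsaSrv provider, and that the host is Windows 8 / Server 2012 or later so Resolve-DnsName, Get-NetIPAddress and Get-WinEvent exist. The function and variable names are the example's own.

```powershell
# Added example for this thread (not the original posters' code).
# Audits the DNS Client PTR registration policy, checks whether the host's
# own addresses currently have PTR records, and lists recent LsaSrv
# 40960/40961 events so the two questions can be answered separately.

# Assumption: this is the registry value behind the GPO
# Computer Config\Admin Temp\Network\DNS Client\Register PTR Records.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'RegisterReverseLookup'

function Get-PtrRegistrationPolicy {
    # Returns a human-readable description of the effective policy value.
    $item  = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$ValueName } else { $null }

    if ($null -eq $value) { return 'Not configured (client default: PTR records are registered)' }
    if ($value -eq 0)     { return 'Disabled: client does not register PTR records' }
    if ($value -eq 1)     { return 'Enabled: client registers PTR records' }
    if ($value -eq 2)     { return 'Enabled: PTR registered only if the A record registration succeeded' }
    return "Unexpected value: $value"
}

function Test-LocalPtrRecords {
    # For each non-loopback, non-APIPA IPv4 address, ask DNS for a PTR record.
    # An empty result means no reverse zone (or no record) is reachable for that range.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object {
            $_.PrefixOrigin -ne 'WellKnown' -and
            $_.IPAddress -notlike '127.*' -and
            $_.IPAddress -notlike '169.254.*'
        } |
        ForEach-Object {
            $ip  = $_.IPAddress
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
            [pscustomobject]@{
                IPAddress = $ip
                PtrRecord = if ($ptr) { ($ptr | Where-Object NameHost | ForEach-Object NameHost) -join ', ' } else { '(none)' }
            }
        }
}

function Get-KerberosAuthFailureEvents {
    # Pulls the LsaSrv 40960/40961 events from the System log for the last $Hours hours.
    # The message text is what tells you the real cause; the ID alone does not.
    param([int]$Hours = 24)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'LsaSrv'
        Id           = 40960, 40961
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -replace "`r?`n", ' ').Trim() } }
}

function Disable-PtrRegistration {
    # Same effect as setting the GPO "Register PTR Records" to Disabled; needs an elevated shell.
    # Re-runs dynamic registration afterwards so only the A record is refreshed.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord
    ipconfig /registerdns | Out-Null
}

Write-Host "PTR registration policy : $(Get-PtrRegistrationPolicy)"
Write-Host 'PTR records for local addresses:'
Test-LocalPtrRecords | Format-Table -AutoSize
Write-Host 'LsaSrv 40960/40961 events (last 24h):'
Get-KerberosAuthFailureEvents | Format-Table -Wrap
```

Run it read-only first; only call Disable-PtrRegistration if you have decided, as Austin suggests, that the clients should simply stop registering PTRs. If Test-LocalPtrRecords shows "(none)" while the 40960/40961 messages name a server, time skew, or a wrong SPN rather than DNS registration, the two problems are unrelated and creating a reverse zone will not fix the authentication failure.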