Tuesday, September 23, 2008


Following an issue with time synchronisation resulting from a customer accidentally forwarding time by 3 months on a production Domain Controller, the following events were being logged even after the time was correctly synchronised across all domains in the forest.

Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
The Security System detected an authentication error for the server DNS/DC.domainname.rootdomainname.local. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount."

These authentication-related errors were being logged as a side effect of attempts to register records in DNS, update Group Policy and so on. The error could be triggered by an ipconfig /registerdns or a GPUpdate /force.

A DC in the root domain had an atomic clock attached to it but was NOT the PDCe for the root domain.

The time synchronisation settings were set so that all DCs in the forest were obtaining time from the DC with the atomic clock.

This was not as per Microsoft best practice, so we rearranged the time hierarchy to bring it into line with best practice, using the default configuration.

While the servers' time was in sync, we obtained the following information, which eventually resolved the errors:
w32tm /config /update
w32tm /resync

Restart the machine.

If the issue persists, verify the time zone settings on the client and the domain controller.

Finally run the following command on the client:

net time \\ /set /yes

A combination of one or more of the above finally resolved these errors.
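The steps above are manual; the following PowerShell script is an added example (not from the original post) that checks the same things in one pass on a domain member: it measures the clock offset against the root domain's PDC emulator, compares it with the Kerberos default tolerance of 5 minutes, reports where the Windows Time service is actually getting its time from, shows the local time zone, and lists recent LSASRV 40960 events from the System log. It assumes the ActiveDirectory PowerShell module is installed; the parameter names $MaxSkewMinutes and $Samples are this example's own.

```powershell
# Added example, not part of the original post: time-skew and 40960 health check.
# Assumes the ActiveDirectory module; $MaxSkewMinutes mirrors the Kerberos default
# "Maximum tolerance for computer clock synchronization" of 5 minutes.
param(
    [int]$MaxSkewMinutes = 5,
    [int]$Samples = 3
)

Import-Module ActiveDirectory -ErrorAction Stop

# In the default domain hierarchy, the root domain's PDC emulator is the
# authoritative time source for the whole forest.
$rootDomain = (Get-ADForest).RootDomain
$pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator

# w32tm /stripchart prints one line per sample, e.g. "12:00:01, +00.0123456s";
# pull the signed offset (seconds) out of each line.
$lines = w32tm /stripchart /computer:$pdc /samples:$Samples /dataonly
$offsets = foreach ($line in $lines) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "Could not measure offset against $pdc (is NTP, UDP 123, reachable?)"
}
else {
    $avg = ($offsets | Measure-Object -Average).Average
    "Offset from PDC emulator {0}: {1:N3} s (average of {2} samples)" -f $pdc, $avg, $offsets.Count
    if ([Math]::Abs($avg) -gt ($MaxSkewMinutes * 60)) {
        Write-Warning "Skew exceeds the $MaxSkewMinutes-minute Kerberos tolerance; authentication will fail until resynced."
    }
}

# A member whose source is not the domain hierarchy (e.g. a DC that is not the
# PDC emulator, as in the post) is the configuration to look for.
"Configured time source: $(w32tm /query /source)"
"Local time zone: $((Get-TimeZone).Id)"

# Event ID 40960 from LSASRV in the System log is the symptom described above.
$filter = @{ LogName = 'System'; ProviderName = 'LSASRV'; Id = 40960 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    "Recent LSASRV 40960 events: $($events.Count); latest at $($events[0].TimeCreated)"
    $events | Where-Object { $_.Message -match 'too large an amount' } |
        Select-Object -First 5 TimeCreated, Message | Format-List
}
else {
    "No recent LSASRV 40960 events found."
}
```

Run it as an elevated user on the affected client before and after the w32tm /config /update and w32tm /resync steps: the offset should drop to well under a second and the configured source should be a domain controller. If the offset is small but 40960 events keep appearing, the time zone line is the next thing to compare with the domain controller, as the post suggests.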

Keywords : LSASRV SPNEGO EventID 40960 time synchronization synchronisation
