Windows event id 40960 lsasrv
See below link for possible cause.
Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
Did you configure the new 2008R2 PDC role owner as an Athorative time server?
The PDC role owner in forest root domain should be configured as an Authorative Time Server other DCs should sync with PDC and domain members should sync with DCs.
See the below article to understand and configure the Windows Time Service for Windows Server.
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
I ran the Fix-It on the PDC emulator but the warnings still remain. The DNS settings are set correctly as well. I do have IPv6 disabled on both DCs, but I am not running IPv6 on my domain.
Are these warnings something that can safely be ignored, or are there other problems I should look for? It seems that there is a dependency not starting, but I cannot track it down.
You shouldn’t disable IPv6. It’s part of the OS, and it has nothing to do with this error.
The Cable Guy — Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
Quoted by Joseph Davies, MSFT:
«IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. «Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.»
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
DNS Server service randomly cannot resolve external names and returns a «Server Failure» error if IPv6 is disabled in Windows Server 2008 R2
Quoted: «If IPv6 is disabled on your server, root hints resolution will not work.»
http://support.microsoft.com/kb/2549656
As for the 40960 error:
- Is «DC1» as you originally posted as holding all FSMO roles, the 2008 DC or the 2008 R2 DC?
- Were the new DCs built from scratch, or from an image?
- Do you have a reverse zone created for your subnet, and if so, is there a PTR entry for each DC?
To help further diagnose this, let’s see an unedited ipconfg /all from all four DCs and stating which operating system version each one is, please.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Don’t disable IPv6, let it be default as many of the services utilize in the newer OS like Direct access, exchange 2010 etc.Windows 2008 R2/7 uses IPv6 and it should be configured to dynamic (Automatically) as below.
Ensure the following dns setting on DC:
1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
2. Each DC has just one IP address and single network adapter is enabled.
3. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
4. Once you are done, run «ipconfig /flushdns & ipconfig /registerdns», restart DNS and NETLOGON service each DC.
Do not put private DNS IP addresses in forwarder list.
5.Assigning static IP address to DC if IP address is assigned by DHCP server to DC.It is strongly not recommended.
Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
Agree with others, Do not disable IPv6. In IPv6 properties, set it to «obtain ip address automatically» and «obtain dns server address automatically«.
Istead of running Fix-It on the PDC emulator, I would suggest to run following commands on PDC role owner DC to configure at as an Authorative Time Server.
> On the PDC role owner DC:
W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
net stop w32time & net start w32time & W32tm /resync /rediscover
> On each domain member to automatic domain time synchronization:
w32tm /config /syncfromflags:domhier /update
net stop w32time & net start w32time & W32tm /resync /rediscover
Once done with above and still facing issue post dcdiag /q result and Time service error events.
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here .
TechNet Community Support
I have not rebooted the DC this week. I plan on powering down this weekend. I am going to attempt to enable ipv6 and see how that works.
For the 40960 Error:
1. DC1 does hold all FSMO roles, it is 2008 R2. We no longer have 2008 DCs.
2. The DCs were cloned from a Virtual Machine in vSphere. SIDs were re-created upon deployment.
3. There is a reverse zone and a correct PTR entry for each DC
Windows IP Configuration
Host Name . . . . . . . . . . . . : FCDC1
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-89-03-5A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.3
192.168.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Windows IP Configuration
Host Name . . . . . . . . . . . . : FCDC2
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-89-03-5C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
192.168.0.3
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Windows event id 40960 lsasrv
· Impending expiration of a TGT.
Resolution
Confirm the cause by verifying the expiration time on the TGT. To do this, use the Kerberos List parameter tgt . If you confirm that this is the cause, you need do nothing more, because the TGT will be automatically renewed or a new one will be requested if needed. For example, Windows XP and Windows Server 2003 will recover from this automatically.
· The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
Resolution
1. Use Network Monitor to determine the SPN to which the client is attempting to delegate credentials. You will need this information in a later step.
2. Click Start , click Run , and then open Active Directory Users and Computers by typing the following:
dsa.msc
3. Right-click the user or service account that has problems authenticating, and then click Properties .
4. Click the Delegation tab.
5. The Allowed-to-delegate-to list is the list of servers shown under the heading, Services to which this account can present delegated credentials .
6. Add the SPN the client is attempting to delegate to (information from the captured data you obtained in Step 1) to the Allowed-to-delegate-to list for that client. This will tell the KDC that this client is indeed allowed to authenticate to this service. The KDC will then grant the client the appropriate ticket.
Мнения, высказанные здесь, являются отражением моих личных взглядов, а не позиции корпорации Microsoft. Вся информация предоставляется «как есть» без каких-либо гарантий 
Windows event id 40960 lsasrv
The following forum(s) have migrated to Microsoft Q&A: All English Windows Server forums!
Visit Microsoft Q&A to post new questions.
Answered by:
Question
The security system detected an authentication error for the server DNS/ns1.pldt. The failure code from authentication protocol Kebros was «there are currently no logon servers available to service logon request (0xc000005e).
then after 5 messages of the same LSASRV 40960 my server will shutdown.
i don’t see any solid solutions with those links regarding 40960.
need help. im using Windows server 2003, workgroup, mail server.
Answers
According to my search, the following troubleshooting suggestions can be tried:
Suggestion 1: Verify if the KDC, Netlogon and the RPCLocator services are started.
Suggestion 2: Temporarily disable or uninstall the antivirus program and firewall to test the issue.
Suggestion 3: Update the network card driver.
Suggestion 4: Modify the following registry:
Value Name: MaxConcurrentApi
Data Type: REG_DWORD
Value: between 0 and 10
For more troubleshooting information, please also refer to the following Microsoft KB articles:
Event IDs 40960 and 40961 in the System Event Log When You Restart Windows Server 2003 After You Run Dcpromo.exe
Event ID 5719 is logged when you start a computer
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
All replies
1. Will you reveal the history of this error? Does this error appear at restart or after some time (randomly)?
2. What is this DNS/ns1.pldt
3. What type of DNS are you using, the native one or BIND?
4. How do you synchronize time?
5. Is this private DNS or public one? Do you enable the protection against cache poisoning?
PS: I have had this error in W2K3 domain after restart and it has been known problem with no harmful impact.