This was an interesting problem I was discussing with a customer today. The customer had a concerning looking error appearing periodically in the event log:
Event ID: 40961
Symbolic Name: NEGOTIATE_INVALID_SERVER
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available
The concerning part to this is the word "prisoner" which may set alarm bells ringing initially in some peoples minds. As it happens, this is perfectly legitimate, just the name of a DNS server run by iana.org.
After some diagnosis and looking up, I found a few articles on the Internet which relate to this problem, and found the root cause. prisoner.iana.org has a 192.x.x.x IP address. This is a big clue as it's one of the non-routable reserved address spaces commonly used in smaller organisations. The customers internal address space turned out to be 192.168.x.x. The cause of the error was simply that there was no reverse lookup zone configured on their internal DNS server.
Remember, a quick check from a client by running "nslookup" from a command prompt and seeing a timeout error also will point immediately to a reverse DNS lookup zone missing problem.
Once the zone has been created, it may be worth doing the following on your DCs (if you can't afford a reboot and have a small environment):
- ipconfig /registerdns
- net stop netlogon followed immediately by net start netlogon