Reverse Lookup Zones and Event ID 40961

Reverse DNS records, aka PTR records, are used when you have an IP address you need to resolve to a name. While it is not 100% necessary to create a reverse lookup zone in your Active Directory domain this is a popular error.

Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40961 Date: 1/1/2005 Time: 12:30:45PM User: N/A Computer: COMPUTERNAME Description: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

So what is prisoner.iana.org? Well its a blackhole of sorts. RFC 1918 defines three zones called 10.in-addr.arpa, 16.172.in-addr.arpa, and 168.192.in-addr.arpa on three DNS servers called blackhole-1.iana.org, blackhole-2.iana.org and prisoner.iana.org containing these zones. When a client updates its DNS PTR record it will update the reverse lookup zone xxx.xxx.in-addr.arpa. If you have a reverse lookup zone configured, it will be successful. However if you do not have a reverse lookup zone, thanks to RFC 1918, it will try to register itself with prisoner.iana.org (or one of the other blackhole servers) and fail.

To resolve this issue create a reverse lookup zone. It is ok to ignore this warning but best practice would be to configure a reverse lookup zone.