Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or authentication errors



Symptoms

In Windows Vista or later, you receive the following error message when you try to use Remote Desktop Connection to connect to another Windows Vista-based or later computer. Or, on a computer that is running Windows Vista or later together with Hyper-V RSAT tools, you may receive the following error when you use VMConnect or Remote Desktop Connection to connect to a Hyper-V guest computer:
No authority could be contacted for authentication. For assistance, contact your system administrator or technical support.
And you receive the following error message when you use the System Center Virtual Machine Manager Admin Console to connect to a Hyper-V virtual machine:
An authentication error has occurred (Code: 0x80090303).
A similar class of problem can happen when you have an application communicating between Windows Vista or later computers using DCOM. The application may encounter an error like:

The file is not valid for the following reason: a security package specific error occurred (Code: 80070721).

These problems occur if the following conditions are true:
  • You try to connect by using a fully qualified domain name (FQDN) or a NetBIOS name.
  • Both computers are in a Windows Server 2003-based domain.
  • You have performed an authoritative restoration on the Users container in the Active Directory directory service.
If Windows Server 2008 domain controllers exist in the domain, Active Directory replication and Group Policy refresh may fail. Additionally, you may receive the following event log messages:


Log Name: System
Source: LsaSrv
Date: Date
Event ID: 40961
Task Category: (3)
Level: Warning
User: N/A
Computer: ComputerName
Description: The Security System could not establish a secured connection with the server ServerName. No authentication protocol was available.


Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: Date
Event ID: 1006
Task Category: None
Level: Error
User: SYSTEM
Computer: ComputerName
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).


Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: Date
Event ID: 1055
Task Category: None
Level: Error
User: SYSTEM
Computer: ComputerName
Description: The processing of Group Policy failed. Windows could not resolve the computer name.


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: Date
Event ID: 1925
Task Category: Knowledge Consistency Checker
Level: Warning
User: ANONYMOUS LOGON
Computer: ComputerName
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
CN=Schema,CN=Configuration,DC=Namespace,DC=Namespace
Source directory service:
CN=NTDS Settings,CN=DomainController,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=Namespace,DC=Namespace
Source directory service address:
Address

This directory service will be unable to replicate with the source directory service until this problem is corrected.
Error value:
1396 Logon Failure: The target account name is incorrect.


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: Date
Event ID: 1645
Task Category: DS RPC Client
Level: Error
User: ANONYMOUS LOGON
Computer: ComputerName
Description: Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

WMI: Namespaces from a remote computer cannot be listed. You may encounter this situation when you use wmimgmt.msc to "connect to remote computer" and you select Properties and then Security. "Root" will not expand to show available namespaces.

When you use Hyper-V Remote Management, the Hyper-V management console stops responding when you try to create a fixed-size virtual hard drive (VHD) on a remote Hyper-V server.

Note These problems do not occur if one of the following conditions is true:
  • You connect by using the IP address of the remote computer and by using a local user account on the remote computer.
  • You connect from a Windows XP-based computer to a Windows Vista-based computer.
  • You connect from a Windows Vista-based computer to a Windows XP-based computer.


Cause

These problems occur because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service.


Resolution

To resolve this problem, apply this hotfix to all the Windows Server 2003-based domain controllers in the domain. This hotfix prevents the problem before you perform an authoritative restoration. This hotfix also fixes the problem when you have already performed an authoritative restoration.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 2 installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 2, x86-based versions
File name     File version     File size     Date           Time     Platform
Samsrv.dll    5.2.3790.4250    454,656       11-Mar-2008    06:55    x86

Windows Server 2003 with Service Pack 2, x64-based versions
File name     File version     File size     Date           Time     Platform
Samsrv.dll    5.2.3790.4250    1,059,328     11-Mar-2008    09:39    x64

Windows Server 2003 with Service Pack 2, Itanium-based versions
File name     File version     File size     Date           Time     Platform
Samsrv.dll    5.2.3790.4250    1,140,224     11-Mar-2008    09:37    IA-64


Workaround

To work around this problem, disable the new Remote Desktop Protocol (RDP) authentication functionality that Windows Vista provides. To do this, follow these steps:
  1. Click Start, type mstsc.exe in the Start Search box, and then press ENTER.
  2. Click Options.
  3. On the General tab, click Save As.
  4. In the Save As dialog box, specify a location and a name for the file, and then click OK.

    Note The saved file will have the .rdp file name extension.
  5. Click Start, type notepad in the Start Search box, and then press ENTER.
  6. In Notepad, open the file that you saved in step 4.
  7. Locate the line that resembles the following:
    authentication level:i:x
    Note The x placeholder represents the current authentication level.
  8. Change the authentication level to 0 so that the line becomes the following:
    authentication level:i:0
    Note When you set the authentication level to 0, RDP 6.0 does not check for server authentication.
  9. Add the following line to the end of the file:
    enablecredsspsupport:i:0
    Note When this line is present, users do not have to enter credentials before they establish a remote desktop connection.
  10. Save the file.
  11. To connect by using Remote Desktop Connection, run the file that you saved in step 10.
Note After you follow these steps, RDP 6.0 becomes incompatible with Windows Vista-based computers that have the Allow connections only from computers running Remote Desktop with Network Level Authentication option enabled in the system properties.
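
The lines changed in steps 8 and 9 turn off the server authentication check and CredSSP for every connection made with the saved file, so these files are worth locating and reverting once the hotfix is installed on the domain controllers. The following PowerShell script is an added example, not part of the original Microsoft article; the function names Get-RdpSetting and Test-RdpWorkaround, the sample directory, and the host name server1.example.test are constructed for illustration.

```powershell
# Added example (not Microsoft's code): flag .rdp files that still carry the
# workaround settings so they can be reverted after the hotfix is installed.
function Get-RdpSetting {
    param([Parameter(Mandatory)][string]$Path)
    # Each .rdp line is name:type:value (type i = integer, s = string).
    # Get-Content honours the UTF-16 byte-order mark that mstsc.exe writes.
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
            $settings[$Matches[1].Trim().ToLowerInvariant()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpWorkaround {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-RdpSetting -Path $Path
    $findings = @()
    if ($s['authentication level'] -eq '0') {
        $findings += 'authentication level:i:0 (no server authentication check)'
    }
    if ($s['enablecredsspsupport'] -eq '0') {
        $findings += 'enablecredsspsupport:i:0 (CredSSP off, NLA-only hosts refuse)'
    }
    [pscustomobject]@{
        File     = Split-Path -Leaf $Path
        Weakened = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

# Constructed sample files: one edited per the workaround, one that keeps a
# non-zero authentication level and no CredSSP override.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'rdp-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'workaround.rdp') -Encoding Unicode -Value @(
    'full address:s:server1.example.test', 'authentication level:i:0',
    'enablecredsspsupport:i:0')
Set-Content -LiteralPath (Join-Path $dir 'checked.rdp') -Encoding Unicode -Value @(
    'full address:s:server1.example.test', 'authentication level:i:2')

Get-ChildItem -LiteralPath $dir -Filter *.rdp |
    ForEach-Object { Test-RdpWorkaround -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

To audit real files, point Get-ChildItem at the folders where users save .rdp files instead of the sample directory.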


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More information

You need to deploy this hotfix to all Windows Server 2003 domain controllers in the domains where the Users container was restored.

This hotfix package also resolves the following issues:
  • Hyper-V VM connection issue as described in KB961723. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    961723 Connection to a Virtual Machine running in Hyper-V fails
  • Hyper-V Remote Management: Hyper-V Manager UI hangs when it tries to create a fixed-size VHD on a remote Hyper-V Server.
  • The Root folder in the Security tab cannot be expanded to show available namespaces after you use the Wmimgmt.msc tool to connect to a remote computer.
  • Offer Remote Assistance fails between Windows 7 computers, and you receive the following error in System Log:
    DCOM got error "%2147746132" from the computer COMPUTERNAME when attempting to activate the server: {833E4010-AFF7-4AC3-AAC2-9F24C1457BCE}
  • When you use System Center Virtual Machine Manager 2012 Service Pack 1 in an environment that has domain controllers running Windows Server 2003, you may see the following error in Data Protection Manager when Hyper-V hosts are refreshed:
    cs(3148) 0x00000000 Retrieving underlying WMI error to throw. Got string "<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="1311" Machine="VMM.CONTOSO.COM"><f:Message>There are currently no logon servers available to service the logon request. </f:Message></f:WSManFault>" {00000000-0000-0000-0000-000000000000}
    66 02:49:53.843 08-27-2013 0x0950 0x115C WsmanAPIWrapper.cs(3148) 0x00000000 System.Runtime.InteropServices.COMException (0x8007051F): There are currently no logon servers available to service the logon request.
    ...
    67 02:49:53.846 08-27-2013 0x0950 0x115C VmRefresher.cs(200) 0x00000000 This is a transient wsman exception and we will ignore it. Host SERVER1.CONTOSO.COM {00000000-0000-0000-0000-000000000000}
    68 02:49:53.848 08-27-2013 0x0950 0x115C VmRefresher.cs(200) 0x00000000 Microsoft.Carmine.WSManWrappers.WSManProviderException: VMM is unable to complete the requested operation because there are no logon servers available.
    Ensure that the domain controller is up and running and that you have access to it. ---> System.Runtime.InteropServices.COMException: There are currently no logon servers available to service the logon request.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Keywords: KB939820, kbqfe, kbhotfixserver, kbfix, kbbug, kbwinserv2003postsp2fix, kbexpertiseinter, kbautohotfix

Article Info
Article ID : 939820
Revision : 12
Created on : 9/23/2013
Published on : 9/23/2013
Exists online : False