# Domain controller is not working



## salim2contact (Jan 24, 2012)

I have installed AD and a DC on Windows Server 2008, and on another member server I have installed an additional DC.

The problem is that my DNS is functioning properly with AD integration, but AD is not functioning; it is showing the event IDs below. Please resolve my problem so that my AD will replicate with the DNS and the additional DC.

First

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 1/23/2012 5:05:15 PM
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER1.SWISSNOBLE.COM
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. 

For more details and information on how to make this configuration change to the server, please see How to enable LDAP signing in Windows Server 2008. 

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="Error">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
<EventID Qualifiers="32768">2886</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2012-01-23T13:05:15.750Z" />
<EventRecordID>134</EventRecordID>
<Correlation />
<Execution ProcessID="596" ThreadID="804" />
<Channel>Directory Service</Channel>
<Computer>SERVER1.SWISSNOBLE.COM</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
</EventData>
</Event>


Second

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 1/23/2012 5:05:26 PM
Event ID: 2087
Task Category: DS RPC Client
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER1.SWISSNOBLE.COM
Description:
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 

Source domain controller: 
SERVER11 
Failing DNS host name: 
4fe4de46-b965-4344-809f-997a0c68d94a._msdcs.SWISSNOBLE.COM 

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1: 

Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 

User Action: 

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 

2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on Domain Name System (DNS) on Microsoft TechNet 

dcdiag /test:dns 

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 

dcdiag /test:dns 

5) For further analysis of DNS error failures see KB 824449: 
Troubleshooting Active Directory replication failures that occur because of DNS lookup failures, event ID 2087, or event ID 2088 

Additional Data 
Error value: 
11001 No such host is known. 

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
<EventID Qualifiers="49152">2087</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>22</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2012-01-23T13:05:26.468Z" />
<EventRecordID>136</EventRecordID>
<Correlation />
<Execution ProcessID="596" ThreadID="812" />
<Channel>Directory Service</Channel>
<Computer>SERVER1.SWISSNOBLE.COM</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>SERVER11</Data>
<Data>4fe4de46-b965-4344-809f-997a0c68d94a._msdcs.SWISSNOBLE.COM</Data>
<Data>11001</Data>
<Data>No such host is known.</Data>
<Data>System\CurrentControlSet\Services\NTDS\Diagnostics</Data>
<Data>22 DS RPC Client</Data>
</EventData>
</Event>


Third

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 1/23/2012 5:10:18 PM
Event ID: 1308
Task Category: Knowledge Consistency Checker
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER1.SWISSNOBLE.COM
Description:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed. 

Attempts:
2 
Directory service:
CN=NTDS Settings,CN=SERVER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SWISSNOBLE,DC=COM 
Period of time (minutes):
1486 

The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed. 

Additional Data 
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" />
<EventID Qualifiers="32768">1308</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2012-01-23T13:10:18.902Z" />
<EventRecordID>138</EventRecordID>
<Correlation />
<Execution ProcessID="596" ThreadID="1472" />
<Channel>Directory Service</Channel>
<Computer>SERVER1.SWISSNOBLE.COM</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>2</Data>
<Data>CN=NTDS Settings,CN=SERVER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SWISSNOBLE,DC=COM</Data>
<Data>1486</Data>
<Data>The DSA operation is unable to proceed because of a DNS lookup failure.</Data>
<Data>8524</Data>
</EventData>
</Event>

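The name that fails in event 2087 (`4fe4de46-b965-4344-809f-997a0c68d94a._msdcs.SWISSNOBLE.COM`) is the DSA GUID CNAME that SERVER11's Netlogon service should have registered in the `_msdcs` zone; replication partners resolve it before opening the RPC session, so a missing record produces exactly the 2087 / 1308 pair above. The script below is an added example (not code from the thread) that lists every DC's NTDS Settings GUID from the Configuration partition and checks whether the matching CNAME resolves, which is the part of step 3 and step 4 of the event's User Action that `dcdiag /test:dns` does for you. It assumes it is run on a domain-joined host that can read the Configuration partition; the forest name `SWISSNOBLE.COM` is taken from the posted events. Only ADSI and .NET DNS are used, so it runs on Server 2008 / PowerShell 2.0 without the AD module.

```powershell
# Added example, not from the thread: verify the DSA-GUID CNAME records that
# event 2087 says could not be resolved. Every DC registers
# <objectGUID of its NTDS Settings object>._msdcs.<forest DNS name>
# as a CNAME pointing at its own host (A) record.
# Assumptions: run as a domain user on a domain-joined host; forest name
# 'SWISSNOBLE.COM' comes from the posted events.

function Get-DsaCnameStatus {
    param([Parameter(Mandatory = $true)][string]$ForestDns)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    # Every nTDSDSA object is the "NTDS Settings" object of one DC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=Sites,$configNc")
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    [void]$searcher.PropertiesToLoad.Add('objectGUID')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $guidBytes = $result.Properties['objectguid'][0]
        $dsaGuid   = New-Object System.Guid -ArgumentList (,[byte[]]$guidBytes)
        $dn        = [string]$result.Properties['distinguishedname'][0]
        # DN is CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
        # so the second RDN is the server object's name.
        $server    = (($dn -split ',')[1]) -replace '^CN=', ''
        $cname     = "$dsaGuid._msdcs.$ForestDns"

        try {
            $addrs  = [System.Net.Dns]::GetHostAddresses($cname) |
                      ForEach-Object { $_.IPAddressToString }
            $status = 'OK'
        } catch {
            # "No such host is known" here is the same condition as error 11001 in event 2087.
            $addrs  = @()
            $status = 'FAIL: ' + $_.Exception.Message
        }

        New-Object PSObject -Property @{
            Server    = $server
            Cname     = $cname
            Addresses = ($addrs -join ', ')
            Status    = $status
        }
    }
}

# Usage: one row per DC, showing whether this host can resolve its DSA CNAME.
Get-DsaCnameStatus -ForestDns 'SWISSNOBLE.COM' |
    Format-Table Server, Status, Addresses, Cname -AutoSize
```

If SERVER11's row reports FAIL while `ping SERVER11` and `nslookup SERVER11` succeed, the host record is fine and only the `_msdcs` CNAME is missing: confirm that SERVER11 points at a DNS server hosting the AD-integrated zone, then re-register its records (`nltest /dsregdns`, or restart the Netlogon service) and re-run `repadmin /showrepl` on SERVER1. Step 1 of the event's User Action (metadata cleanup with `ntdsutil`) applies only if SERVER11 no longer exists or was rebuilt under a different name or GUID.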

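Event 2886 is not the cause of the replication failure, but it is the security finding in this post: the DC still accepts unsigned SASL binds and cleartext simple binds, and it recommends auditing which clients use them before enforcing signing. The following is an added example (not from the thread) that reads the relevant settings, raises the "LDAP Interface Events" diagnostics level to 2 as the event suggests, and summarises the resulting audit events. It assumes it runs elevated on the DC and that the registry values are the standard `NTDS\Parameters` and `NTDS\Diagnostics` entries; the interpretation of the first insertion string of event 2889 as the client address follows that event's message template.

```powershell
# Added example, not from the thread: report the LDAP signing posture that
# event 2886 warns about and enable the per-bind audit it recommends.
# Assumptions: run elevated on the DC; registry paths are the standard
# NTDS Parameters / Diagnostics keys. Only Enable-LdapBindAudit writes anything.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapSigningPosture {
    # LDAPServerIntegrity: 0 or 1 = signing not required, 2 = signing required.
    $integrity = (Get-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity' `
                   -ErrorAction SilentlyContinue).LDAPServerIntegrity
    # "16 LDAP Interface Events" >= 2 logs event 2889 for each unsigned/cleartext bind.
    $diagLevel = (Get-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' `
                   -ErrorAction SilentlyContinue).'16 LDAP Interface Events'

    # 2887 = 24-hour summary of such binds (logged while they are still accepted);
    # 2889 = one event per client bind when the diagnostics level is >= 2.
    $recent = Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddDays(-1) `
                -ErrorAction SilentlyContinue |
              Where-Object { @(2887, 2889) -contains $_.EventID }

    # First insertion string of 2889 is the client address (per the event template).
    $clients = @($recent | Where-Object { $_.EventID -eq 2889 } |
                 ForEach-Object { $_.ReplacementStrings[0] } |
                 Sort-Object -Unique)

    New-Object PSObject -Property @{
        SigningRequired       = ($integrity -eq 2)
        LdapInterfaceDiagLvl  = $diagLevel
        SummaryEventsLast24h  = @($recent | Where-Object { $_.EventID -eq 2887 }).Count
        UnsignedBindClients   = $clients
    }
}

function Enable-LdapBindAudit {
    # Level 2 is what event 2886 asks for; it only adds logging, it rejects nothing.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# Usage: inspect first, then turn on per-client logging and re-check after a day.
Get-LdapSigningPosture | Format-List
Enable-LdapBindAudit
```

The order matters: enforce signing (`LDAPServerIntegrity` = 2, normally set through the "Domain controller: LDAP server signing requirements" Group Policy setting rather than by editing the registry directly) only after the 2887 summaries and 2889 client entries have stayed empty long enough to be confident that no application still depends on unsigned or cleartext binds; the event text says the same, and an unexpected cut-over breaks those clients at the same time as it removes the exposure.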
----------



## Wand3r3r (Sep 17, 2010)

Let's see an ipconfig /all from the servers.
Also do an nslookup server1 and post those results.


----------



## salim2contact (Jan 24, 2012)

So I have done ipconfig /all; it shows the domain controller,

and also nslookup; it shows the domain name and its IP address.


----------



## Wand3r3r (Sep 17, 2010)

Your looking at them accomplishes very little.
Me looking at them is another story, which is why I asked you to post them.


----------

