A multitude of Directory Service events 1535, 2041
#1
Hi, folks
I am seeing 1000's of entries in the Directory Services Log on our W2k8 Standard Edition SP2 domain controller - comprising the following:

Code:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:29:48
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Phobos.htlincs.local
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Dfs-Configuration,CN=System,DC=htlincs,DC=local'

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:29:48
Event ID: 2041
Task Category: Internal Processing
Level: Information
Keywords: Classic
User: N/A
Computer: Phobos.htlincs.local
Description:
Duplicate event log entries were suppressed. See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
Event Code: 400005ff
Number of duplicate entries: 1

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:29:08
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: HTLINCS\user1
Computer: Phobos.htlincs.local
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=System,DC=htlincs,DC=local'

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:29:48
Event ID: 2041
...

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:28:47
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Phobos.htlincs.local
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Dfs-Configuration,CN=System,DC=htlincs,DC=local'

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:28:27
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: HTLINCS\USER2$
Computer: Phobos.htlincs.local
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 27/04/2012 14:27:41
Event ID: 1535
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: HTLINCS\user3
Computer: Phobos.htlincs.local
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=System,DC=htlincs,DC=local'

They are quite frequent. Several are being logged each minute for computers and different users.

As you can see http://img846.imageshack.us/img846/6321/dsldapprob.jpg these are 'Information' events, but their frequency and content have me concerned. I've searched the web for some info but can't find anything that is relevant to this when using the error values. I see a lot of references to Exchange issues but we have never used Exchange.

The domain, which is a single site on a single subnet with another DC running W2k3 R2 SP2 seems to be working fine. No problems. Apart from this, there are no problems in the logs.

Anyone have any suggestions?

dcdiag from Phobos which reports some errors (we don't have a RODC, nor do we plan to use one):

Code:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Phobos
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PHOBOS
Starting test: Connectivity
......................... PHOBOS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PHOBOS
Starting test: Advertising
......................... PHOBOS passed test Advertising
Starting test: FrsEvent
......................... PHOBOS passed test FrsEvent
Starting test: DFSREvent
......................... PHOBOS passed test DFSREvent
Starting test: SysVolCheck
......................... PHOBOS passed test SysVolCheck
Starting test: KccEvent
......................... PHOBOS passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... PHOBOS passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PHOBOS passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=htlincs,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=htlincs,DC=local
......................... PHOBOS failed test NCSecDesc
Starting test: NetLogons
......................... PHOBOS passed test NetLogons
Starting test: ObjectsReplicated
......................... PHOBOS passed test ObjectsReplicated
Starting test: Replications
......................... PHOBOS passed test Replications
Starting test: RidManager
......................... PHOBOS passed test RidManager
Starting test: Services
......................... PHOBOS passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x0000C35F
Time Generated: 04/27/2012 14:00:09
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x0000C35F
Time Generated: 04/27/2012 14:26:59
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
An Warning Event occurred. EventID: 0x0000C35F
Time Generated: 04/27/2012 14:40:09
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
......................... PHOBOS passed test SystemLog
Starting test: VerifyReferences
......................... PHOBOS passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : htlincs
Starting test: CheckSDRefDom
......................... htlincs passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... htlincs passed test CrossRefValidation
Running enterprise tests on : htlincs.local
Starting test: LocatorCheck
......................... htlincs.local passed test LocatorCheck
Starting test: Intersite
......................... htlincs.local passed test Intersite
__________________
A recent poll suggests that 6 out of 7 dwarfs are not happy
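Added example, not part of any post in this thread: a small Python parser that decodes the Event ID 1535 "Error value" strings quoted in the first post and tallies them per account, problem and best-match DN, so a flood of these entries can be triaged by who is asking for what. The function names `parse` and `summarize` are hypothetical, and the sample input is condensed from the entries in the post.

```python
import re
from collections import Counter

# Constructed sample: entries condensed from the ones quoted in the first post,
# one per line, as they look once an Event Viewer "copy as text" is flattened.
SAMPLE = r"""
Log Name: Directory Service Event ID: 1535 Level: Information User: SYSTEM Computer: Phobos.htlincs.local Description: Internal event: The LDAP server returned an error. Additional Data Error value: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Dfs-Configuration,CN=System,DC=htlincs,DC=local'
Log Name: Directory Service Event ID: 2041 Level: Information User: N/A Computer: Phobos.htlincs.local Description: Duplicate event log entries were suppressed. Event Code: 400005ff Number of duplicate entries: 1
Log Name: Directory Service Event ID: 1535 Level: Information User: HTLINCS\user1 Computer: Phobos.htlincs.local Description: Internal event: The LDAP server returned an error. Additional Data Error value: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=System,DC=htlincs,DC=local'
Log Name: Directory Service Event ID: 1535 Level: Information User: HTLINCS\USER2$ Computer: Phobos.htlincs.local Description: Internal event: The LDAP server returned an error. Additional Data Error value: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""

HEAD = re.compile(r"Event ID:\s*(\d+).*?User:\s*(\S+)", re.S)
ERR = re.compile(r"Error value:\s*([0-9A-Fa-f]{8}):\s*(\w+):\s*(DSID-[0-9A-Fa-f]+),"
                 r"\s*problem\s+(\d+)\s+\((\w+)\)(?:.*?best match of:\s*'([^']*)')?", re.S)
DUP = re.compile(r"Event Code:\s*([0-9A-Fa-f]{8}).*?Number of duplicate entries:\s*(\d+)", re.S)

def parse(text):
    """Return (records, suppressed): decoded 1535 entries and the number of
    1535 duplicates that 2041 entries report as suppressed."""
    records, suppressed = [], 0
    for chunk in re.split(r"(?=Log Name:\s)", text):
        head = HEAD.search(chunk)
        if not head:
            continue
        event_id, user = head.groups()
        err, dup = ERR.search(chunk), DUP.search(chunk)
        if event_id == "1535" and err:
            code, kind, dsid, num, name, dn = err.groups()
            # The leading hex value is the Win32 directory error code.
            records.append({"user": user, "win32": int(code, 16), "kind": kind,
                            "dsid": dsid, "problem": name, "best_match": dn})
        elif event_id == "2041" and dup and int(dup.group(1), 16) & 0xFFFF == 1535:
            # Low 16 bits of the event code are the event ID (0x05ff = 1535).
            suppressed += int(dup.group(2))
    return records, suppressed

def summarize(records):
    """Count entries per (account, problem, best-match DN)."""
    return Counter((r["user"], r["problem"], r["best_match"]) for r in records)

if __name__ == "__main__":
    recs, hidden = parse(SAMPLE)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    print("suppressed 1535 duplicates:", hidden)
```

The same functions accept the multi-line layout, since the patterns match across line breaks. The suppressed count matters when sizing the problem, because each 2041 entry hides further identical 1535 events.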
#2
Your DCDiag results point out what looks like a permissions issue, under the NCSecDesc test. The Enterprise DC doesn't have expected access rights to the named zones in DNS. That could easily mean needed AD/LDAP entries aren't being added to the zones, and so you get the Directory Services errors.

The types of errors from your event logs would seem to bear that out, with 'No Object', 'Insufficient access rights', etc. as NameErr: and SecErr: (security error).

What functional level is your domain running at? How are your FSMO roles assigned?

Worst case, you may have to demote this DC back to a member server so that the single 2003 DC holds all roles, clear out the metadata using ntdsutil, ensure you're running the domain at the 2003 functional level, then re-add the 2008 server as a second DC, being sure to follow MS guidance when you do.

Check out this Technet blog with links to support articles: http://social.technet.microsoft.com/...-ff0effa2c662/
#3
Many thanks for replying.
I was wondering about the dcdiag results and had checked that, but according to Microsoft if a RODC has not been set up then the failure notice can be ignored http://support.microsoft.com/kb/967482

The domain functional level is 2003 and all FSMO roles are held by the 2008 DC, Phobos.

I am really reluctant to demote the server because as well as DNS it also runs DHCP, DFS, WSUS and hosts our central installation of Sophos, as well as being the point at which VPN connections are authenticated via NPS.

I have run dcdiag's DNS test on the server. It reports that it cannot find the IPV6 AAAA record but I assume this is because IPV6 is disabled in the network adaptor.

Code:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Phobos
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PHOBOS
Starting test: Connectivity
......................... PHOBOS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PHOBOS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... PHOBOS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : htlincs
Running enterprise tests on : htlincs.local
Starting test: DNS
Test results for domain controllers:
DC: Phobos.htlincs.local
Domain: htlincs.local
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter
[00000006] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client):
Warning:
Missing AAAA record at DNS server 192.168.0.10:
Phobos.htlincs.local
Warning:
Missing AAAA record at DNS server 192.168.0.10:
gc._msdcs.htlincs.local
Warning: Record Registrations not found in some network adapters
Phobos PASS WARN PASS PASS PASS WARN n/a
......................... htlincs.local passed test DNS
__________________
A recent poll suggests that 6 out of 7 dwarfs are not happy
#4
Assuming your domain started with the Srvr 2003 device, was adprep run from the 2008 disc prior to adding the 2008 server? If not, then I'd have to say my previous answer may still be needed.

Reading info found at: http://www.anitkb.com/2010/03/prepar...directory.html, it may be appropriate to run the cmd line for the RODC install, even if you're not going to have one. But whether that can safely be run after the 2008 server has been added as a DC and taken over all FSMO roles, I have no idea.

BTW: wouldn't it be better to have the Forest-specific roles on the 2008 DC, and the domain-specific roles on the 2003 DC? Also copy the global catalog to both, in case one fails. It may even help with your situation, but I wouldn't bet on it.
#5
|
|||||||||
|
|||||||||
|
The report of failed test NCSecDesc means you haven't run the adprep /rodcprep switch. If you are not going to have an RODC, you are ok to leave it as it is.

Have you run the DCDIAG on the 2008 DC as an administrator by ensuring that you right click on the CMD and Run as administrator? The CMD prompt should then say administrator on the title and when you run DCDIAG, you know that it will run with administrator privileges.

Also, verify what your Group Policy has set for LANman authentication level. I have known errors before as that has been due to Group Policy enforcing LM and NTLM authentication only and 2008 servers and other services have been using NTLMv2.
#6
|
||||||||||
|
||||||||||
|
Thanks again for the replies. I'll get back to you in a couple of days as I am off work.

Off the top of my head - installation was by the book. Both servers are Global Catalogs. Dcdiag was run as the domain administrator.

DC history:
First: HTL-Server - W2k DC, later updated to W2k3.
A few years later, Titan - a W2k3 R2 DC added.
A few years later HTL-Server failed and was decommissioned and Phobos (W2k8) was installed.
Later, Titan went belly-up and I reformatted and reinstalled as Hydra, the present W2k3 R2.

More later - and again, thanks.
__________________
A recent poll suggests that 6 out of 7 dwarfs are not happy
#7
|
|||||||||
|
|||||||||
|
Ok, no probs. Please do.

With regards to DCDIAG, I have opened the command prompt before on a Windows 2008 R2 server and then run it. I had some strange errors with regards to permissions though some tests passed. I then realised that although I was a Domain Administrator, running DCDIAG via the command prompt wasn't with Domain Administrator privileges. Right clicking on the CMD and explicitly running as administrator allowed DCDIAG to run with Domain admin credentials.
#8
|
||||||||||
|
||||||||||
|
When Titan was installed a new domain was created. So the present domain has seen 3 DC's thus far.

adprep has always been run when required. I always research adding a new domain controller in case 'good practice' has changed etc.

I ran dcdiag again via a command prompt running as 'Administrator' and the same output is seen.

I have checked 'Network Security: LAN Manager authentication level' in Group Policy and the setting is 'Not Defined'.

I have looked at the page referenced by RicklesP and again, reading the text and watching the video, it says that running the rodc parameter with adprep is optional and only required if a rodc is to be added to the domain.

What do you think? Any further thoughts\observations gratefully received.
__________________
A recent poll suggests that 6 out of 7 dwarfs are not happy
#9
|
|||||||||
|
|||||||||
|
Unless RODCs are being added, I don't run the optional switch, so as you have already mentioned, you don't need to run it.

If the setting is undefined then Windows 2008 systems will be running as NTLMv2 authentication.