Announcement

Collapse
No announcement yet.

A multitude of Directory Service events 1535, 2041,

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • A multitude of Directory Service events 1535, 2041,

    Hi, folks

    I am seeing 1000's of entries in the Directory Services Log on our W2k8 Standard Edition SP2 domain controller - comprising the following:


    Code:
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:29:48
    Event ID:      1535
    Task Category: LDAP Interface
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      Phobos.htlincs.local
    Description:
    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
    	'CN=Dfs-Configuration,CN=System,DC=htlincs,DC=local'
    
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:29:48
    Event ID:      2041
    Task Category: Internal Processing
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      Phobos.htlincs.local
    Description:
    Duplicate event log entries were suppressed. 
     
    See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event. 
     
    Event Code:
    400005ff 
    Number of duplicate entries: 
    1
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:29:08
    Event ID:      1535
    Task Category: LDAP Interface
    Level:         Information
    Keywords:      Classic
    User:          HTLINCS\user1
    Computer:      Phobos.htlincs.local
    Description:
    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
    	'CN=System,DC=htlincs,DC=local'
    
    
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:29:48
    Event ID:      2041
    ...
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:28:47
    Event ID:      1535
    Task Category: LDAP Interface
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      Phobos.htlincs.local
    Description:
    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
    	'CN=Dfs-Configuration,CN=System,DC=htlincs,DC=local'
    
    
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:28:27
    Event ID:      1535
    Task Category: LDAP Interface
    Level:         Information
    Keywords:      Classic
    User:          HTLINCS\USER2$
    Computer:      Phobos.htlincs.local
    Description:
    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    
    
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          27/04/2012 14:27:41
    Event ID:      1535
    Task Category: LDAP Interface
    Level:         Information
    Keywords:      Classic
    User:          HTLINCS\user3
    Computer:      Phobos.htlincs.local
    Description:
    Internal event: The LDAP server returned an error. 
     
    Additional Data 
    Error value:
    0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
    	'CN=System,DC=htlincs,DC=local'

    They are quite frequent. Several are being logged each minute for computers and different users. As you can see http://img846.imageshack.us/img846/6321/dsldapprob.jpg these are 'Information' events, but their frequency and content have me concerned. I've search the web for some info but can't find anything that is relevant to this when using the error values. I see a lot of references to Exchange issues but we have never used Exchange.

    The domain, which is a single site on a single subnet with another DC running W2k3 R2 SP2 seems to be working fine. No problems. Apart from this, there are no problems in the logs.

    Anyone have any suggestions?

    dcdiag from Phobos which reports some errors (we don't have a RODC, nor do we plan to use one):

    Code:
    Directory Server Diagnosis
    
    
    Performing initial setup:
    
       Trying to find home server...
    
       Home Server = Phobos
    
       * Identified AD Forest. 
       Done gathering initial info.
    
    
    Doing initial required tests
    
       
       Testing server: Default-First-Site-Name\PHOBOS
    
          Starting test: Connectivity
    
             ......................... PHOBOS passed test Connectivity
    
    
    
    Doing primary tests
    
       
       Testing server: Default-First-Site-Name\PHOBOS
    
          Starting test: Advertising
    
             ......................... PHOBOS passed test Advertising
    
          Starting test: FrsEvent
    
             ......................... PHOBOS passed test FrsEvent
    
          Starting test: DFSREvent
    
             ......................... PHOBOS passed test DFSREvent
    
          Starting test: SysVolCheck
    
             ......................... PHOBOS passed test SysVolCheck
    
          Starting test: KccEvent
    
             ......................... PHOBOS passed test KccEvent
    
          Starting test: KnowsOfRoleHolders
    
             ......................... PHOBOS passed test KnowsOfRoleHolders
    
          Starting test: MachineAccount
    
             ......................... PHOBOS passed test MachineAccount
    
          Starting test: NCSecDesc
    
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 
    
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
    
             DC=ForestDnsZones,DC=htlincs,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 
    
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
    
             DC=DomainDnsZones,DC=htlincs,DC=local
             ......................... PHOBOS failed test NCSecDesc
    
          Starting test: NetLogons
    
             ......................... PHOBOS passed test NetLogons
    
          Starting test: ObjectsReplicated
    
             ......................... PHOBOS passed test ObjectsReplicated
    
          Starting test: Replications
    
             ......................... PHOBOS passed test Replications
    
          Starting test: RidManager
    
             ......................... PHOBOS passed test RidManager
    
          Starting test: Services
    
             ......................... PHOBOS passed test Services
    
          Starting test: SystemLog
    
             An Warning Event occurred.  EventID: 0x0000C35F
    
                Time Generated: 04/27/2012   14:00:09
    
                EvtFormatMessage failed, error 15100 Win32 Error 15100.
                (Event String (event log = System) could not be retrieved, error
    
                0x3afc)
    
             An Warning Event occurred.  EventID: 0x0000C35F
    
                Time Generated: 04/27/2012   14:26:59
    
                EvtFormatMessage failed, error 15100 Win32 Error 15100.
                (Event String (event log = System) could not be retrieved, error
    
                0x3afc)
    
             An Warning Event occurred.  EventID: 0x0000C35F
    
                Time Generated: 04/27/2012   14:40:09
    
                EvtFormatMessage failed, error 15100 Win32 Error 15100.
                (Event String (event log = System) could not be retrieved, error
    
                0x3afc)
    
             ......................... PHOBOS passed test SystemLog
    
          Starting test: VerifyReferences
    
             ......................... PHOBOS passed test VerifyReferences
    
       
       
       Running partition tests on : ForestDnsZones
    
          Starting test: CheckSDRefDom
    
             ......................... ForestDnsZones passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... ForestDnsZones passed test
    
             CrossRefValidation
    
       
       Running partition tests on : DomainDnsZones
    
          Starting test: CheckSDRefDom
    
             ......................... DomainDnsZones passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... DomainDnsZones passed test
    
             CrossRefValidation
    
       
       Running partition tests on : Schema
    
          Starting test: CheckSDRefDom
    
             ......................... Schema passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... Schema passed test CrossRefValidation
    
       
       Running partition tests on : Configuration
    
          Starting test: CheckSDRefDom
    
             ......................... Configuration passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... Configuration passed test CrossRefValidation
    
       
       Running partition tests on : htlincs
    
          Starting test: CheckSDRefDom
    
             ......................... htlincs passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... htlincs passed test CrossRefValidation
    
       
       Running enterprise tests on : htlincs.local
    
          Starting test: LocatorCheck
    
             ......................... htlincs.local passed test LocatorCheck
    
          Starting test: Intersite
    
             ......................... htlincs.local passed test Intersite
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: A multitude of Directory Service events 1535, 2041,

    Your DCDiag results point out what looks like a permissions issue, under the NCSecDesc test. The Enterprise DC doesn't have expected access rights to the named zones in DNS. That could easily mean needed AD/LDAP entries aren't being added to the zones, and so you get the Directory Services errors.

    The types of errors from your event logs would seem to bear that out, with 'No Object', Insufficient access rights', etc. as NameErr: and SecErr: (security error).

    What functional level is your domain running at? How are your FSMO roles assigned?

    Worst case, you may have to demote this DC back to a member server so that the single 2003 DC holds all roles, clear out the metadata using ntdsutil, ensure you're running the domain at the 2003 functional level, then re-add the 2008 server as a second DC, being sure to follow MS guidance when you do. Check out this Technet blog with links to support articles:

    http://social.technet.microsoft.com/...-ff0effa2c662/
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      Re: A multitude of Directory Service events 1535, 2041,

      Many thanks for replying.

      I was wondering about the dcdiag results and had checked that, but according to Microsoft if a RODC has not been set up then the failure notice can be ignored

      http://support.microsoft.com/kb/967482

      The domain functional level is 2003 and all FSMO roles are held by the 2008 DC, Phobos.

      I am really reluctant to demote the server because as well as DNS it also runs DHCP, DFS, WSUS and hosts our central installation of Sophos, as well as being the point at which VPN connections are authenticated via NPS.

      I have run dcdiag's DNS test on the server. It reports that it cannot find the IPV6 AAAA record but I assume this is because IPV6 is disabled in the network adaptor

      Code:
      Directory Server Diagnosis
      
      
      Performing initial setup:
      
         Trying to find home server...
      
         Home Server = Phobos
      
         * Identified AD Forest. 
         Done gathering initial info.
      
      
      Doing initial required tests
      
         
         Testing server: Default-First-Site-Name\PHOBOS
      
            Starting test: Connectivity
      
               ......................... PHOBOS passed test Connectivity
      
      
      
      Doing primary tests
      
         
         Testing server: Default-First-Site-Name\PHOBOS
      
         
            Starting test: DNS
      
               
      
               DNS Tests are running and not hung. Please wait a few minutes...
      
               ......................... PHOBOS passed test DNS
      
         
         Running partition tests on : ForestDnsZones
      
         
         Running partition tests on : DomainDnsZones
      
         
         Running partition tests on : Schema
      
         
         Running partition tests on : Configuration
      
         
         Running partition tests on : htlincs
      
         
         Running enterprise tests on : htlincs.local
      
            Starting test: DNS
      
               Test results for domain controllers:
      
                  
                  DC: Phobos.htlincs.local
      
                  Domain: htlincs.local
      
                  
      
                        
                     TEST: Basic (Basc)
                        Warning: The AAAA record for this DC was not found
                        
                     TEST: Records registration (RReg)
                        Network Adapter
      
                        [00000006] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client):
      
                        
      
                           Warning: 
                           Missing AAAA record at DNS server 192.168.0.10: 
                           Phobos.htlincs.local
                           
                           Warning: 
                           Missing AAAA record at DNS server 192.168.0.10: 
                           gc._msdcs.htlincs.local
                           
                     Warning: Record Registrations not found in some network adapters
      
               
                     Phobos                       PASS WARN PASS PASS PASS WARN n/a  
               ......................... htlincs.local passed test DNS
      A recent poll suggests that 6 out of 7 dwarfs are not happy

      Comment


      • #4
        Re: A multitude of Directory Service events 1535, 2041,

        Assuming your domain started with the Srvr 2003 device, was adprep run from the 2008 disc prior to adding the 2008 server? If not, then I'd have to say my previous answer may still be needed.

        Reading info found at: http://www.anitkb.com/2010/03/prepar...directory.html, it may be appropriate to run the cmd line for the RODC install, even if you're not going to have one. But whether that can safely be run after the 2008 server has been added as a DC and taken over all FSMO roles, I have no idea.

        BTW: wouldn't it be better to have the Forest-specific roles on the 2008 DC, and the domain-specific roles on the 2003 DC? Also copy the global catalog to both, in case one fails. It may even help with your situation, but I wouldn't bet on it.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **

        Comment


        • #5
          Re: A multitude of Directory Service events 1535, 2041,

          The report of failed test NCSecDesc means you haven't run the adprep /rodcprep switch. If you are not going to have an RODC, you are ok to leave it as it is.

          Have you run the DCDIAG on the 2008 DC as an administrator by ensuring that you right click on the CMD and Run as adminstrator? The CMD prompt should then say administrator on the title and when you run DCDIAG, you know that it will run with administrator priveleges.

          Also, verify what your Group Policy has set for LANman authentication level. I have known errors before as that has been due to Group Polict enforcing LN and NTLM authentication only and 2008 servers and other services have been using NTLMv2.

          Comment


          • #6
            Re: A multitude of Directory Service events 1535, 2041,

            Thanks again for the replies. I'll get back to you in a couple of days as I am off work.

            Off the top of my head - installation was by the book. Both servers are Global Catalogs.

            Dcdiag was run as the domain administrator.

            DC history:

            First : HTL-Server - W2k DC, later updated to W2k3

            A few years later, Titan - a W2k3 R2 DC added.

            A few years later HTL-Server failed and was decommisioned and Phobos (W2k was installed.

            Later, Titan went belly-up and I reformatted and reinstalled as Hydra, the present W2k3 R2.


            More later - and again, thanks.
            A recent poll suggests that 6 out of 7 dwarfs are not happy

            Comment


            • #7
              Re: A multitude of Directory Service events 1535, 2041,

              Ok, no probs. Please do. With regards to DCDIAG, I have opened the command prompt before on a windows 2008 R2 server and then run it. I had some strange errors with regards to permissions though some tests passed. I then realises that although I was a Domain Administrator, running DCDIAG via the command prompt wasn't with Domain Administrator priveleges. Right clicking on the CMD and explicitly running as administrator allowed DCDIAG to run with Domain admin credentials.

              Comment


              • #8
                Re: A multitude of Directory Service events 1535, 2041,

                When Titan was installed a new domain was created. So the present domain has seen 3 DC's thus far.

                adprep has always been run when required. I always research adding a new domain controller in case 'good practice' has changed etc.

                I ran dcdiag again via a command prompt running as 'Administrator' and the same output is seen.

                I have checked 'Network Security: LAN Manager authentication level' in Group Policy and the setting is 'Not Defined'.

                I have looked at the page referenced by RicklesP and again, reading the text and watching the video, it says that running the rodc parameter with adprep is optional and only required if a rodc is to be added to the domain.

                What do you think? Any further thoughts\observations gratefully received.
                A recent poll suggests that 6 out of 7 dwarfs are not happy

                Comment


                • #9
                  Re: A multitude of Directory Service events 1535, 2041,

                  Unless RODCs are being addded, I don't run the optional switch, so as you have already mentioned, you don't need to run it.

                  If the setting is undefined then Windows 2008 systems will be running as NTLMv2 authentication.

                  Comment

                  Working...
                  X