Event ID - 2087

Event Id: 2087
Source: Microsoft-Windows-ActiveDirectory_DomainService
Description: Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. Source domain controller: dc2 Failing DNS host name: b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com.
Event Information: According to Microsoft :
Cause :
This event is logged when Active Directory could not resolve the DNS host name of the source domain controller to an IP address.
Resolution :
Correct connectivity issues between domain controllers
If a domain controller (the source domain controller) sends another domain controller (the destination domain controller) an update notification and the destination domain controller is not able to resolve the source domain controller name, the destination domain controller logs two events, Event ID 2087 and Event ID 2088, on destination domain controllers. This is true for domain controllers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.
  • If all lookups fail, Event ID 2087 is logged.
  • If lookup succeeds but either the first or second replication attempt fails, Event ID 2088 is logged.
To ensure that the domain controllers that host the identified directory partition are accessible:
  1. Open a command prompt as an administrator on the domain controller that you need to fix. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. To ensure that there are no stale entries in the local DNS client resolver cache, run the command ipconfig /flushdns.
  3. Run the command dcdiag /test:dns /f:filename. Replace filename with a text file name that you want to use for the results. For example, if you are running the command on a computer named CORPDC1, run dcdiag /test:dns /f:corpdc1diag.txt, which delivers the results of the test to a file named corpdc1diag.txt.
  4. To review the results of the test, open the file that you created in step 3 in a text editor. For example, if the resulting file is named corpdc1diag.txt, you can open it in Notepad by running the command notepad corpdc1diag.txt.
     • Dcdiag performs a connectivity test first. If you see that the connectivity test failed, verify physical connectivity to the network and basic IP settings, as described in step 5. Otherwise, continue to review the results of the DNS tests.
     • If you have not configured IP version 6 (IPv6) or if you are not using it, it is normal to see the warning message "Warning: The AAAA record for this DC was not found."
     • Review the record registration (RReg) test results. Ensure that the test found all the appropriate record registrations. If the test cannot find the record registrations, you see failure messages. If this happens, try running the command dcdiag /fix to register the records.
     • If you have multiple network adapters, you may see the message "Warning: Record registrations not found in some network adapters." If you see the message, ensure that all your network adapters are configured properly for the networks to which they are connected. If you have network connections that are not connected to network segments to provide directory services or replication, ensure that the Register this connection's address in DNS check box is cleared in the DNS tab of the Advanced TCP/IP Settings dialog box.
  5. To verify physical connectivity and IP settings, run the command ipconfig /all. If the network adapter reports the message "media disconnected," fix the problem with the physical network connection. Otherwise, verify the IP configuration and DNS client settings. Fix any problems that you discover with these settings.
  6. Ensure that any firewall that is configured on the domain controller replication partners or between the domain controller replication partners is not blocking the necessary ports and protocols for replication.
  7. Confirm that the local domain controller has properly registered its DNS records. To do this, run the command nltest /dsgetdc: /force. This command forces the domain controller to refresh the DC Locator cache, and it determines whether a domain controller can be contacted. By default, the command should return the name of the local domain controller.
  8. If the name of the local domain controller is not returned, remove the DNS records by running the command nltest /dsderegdns:hostname. Replace hostname with the actual computer name of the domain controller. Then, register the DNS records again by running the command nltest /dsregdns. If the registration fails, ensure that DNS communications are working properly. Ensure that any firewall that is configured on the DNS server or between the local domain controller and the DNS server is not blocking UDP port 53, which is used for DNS record registration by default. Review the configuration of the DNS servers to which the local domain controller is pointed in its DNS client settings. Review the Event Viewer logs on the DNS server.
  9. Run the command repadmin /showrepl, which produces a list of partitions and domain controller replication partners. Check the other domain controllers in the list by repeating steps 1 through 8 on those domain controllers. If you want to run these commands from the local domain controller, you can add the switch /s:hostname to specify a different target computer for the tests. Replace hostname with the actual name of the target computer.
Verify :
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Perform this procedure on the computer that is logging the event to be resolved.
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. To ensure that there are no stale entries in the local DNS client resolver cache, run the command ipconfig /flushdns.
  3. To ensure that a domain controller can communicate with a replication partner, run the command nltest /dsgetdc: /force /avoidself. If the domain controller to which you are connected can locate another domain controller, information for the other domain controller appears and the final output of that command should read as follows: “The command completed successfully.” If the domain controller is unable to locate another domain controller, the message is “Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN”.
  4. To ensure that you have access to a global catalog server, run the command nltest /dsgetdc: /force /gc. Also, to ensure that the local domain controller has access to a DNS server, run the command nltest /dsgetdc: /force /dns. Both of these commands should complete successfully.
  5. Confirm that the DNS records are properly registered, and then run the command repadmin /showrepl to view the list of partitions to be replicated and the relative replication partners. Use this list to test replication of each partition from the local domain controller to the replication partner in the following step.
  6. To ensure that each partition can be replicated, use the command repadmin /replicate destinationhostname sourcehostname partition.
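A triage sketch for the procedures above, added here as an example and not taken from Microsoft's article: it reads recent 2087/2088 events on the destination domain controller, extracts each failing `_msdcs` alias, and checks whether it now resolves. It assumes the events are in the 'Directory Service' log, that the message carries the "Failing DNS host name:" field shown in the Description, and that Event ID 2088 uses the same field.

```powershell
# Added example (not Microsoft's code). Run elevated on the DC logging the event.
# Assumption: AD DS replication events are written to the 'Directory Service' log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 2087, 2088
} -MaxEvents 200 -ErrorAction SilentlyContinue

# Assumption: the message contains "Failing DNS host name: <guid>._msdcs.<forest>".
# \s* also covers messages where the value is on the following line.
$pattern = 'Failing DNS host name:\s*(?<name>\S+)'

$byAlias = $events | ForEach-Object {
    if ($_.Message -match $pattern) {
        [pscustomobject]@{
            Alias = $Matches['name'].TrimEnd('.')   # drop trailing root dot
            Id    = $_.Id
        }
    }
} | Group-Object Alias

# Same as step 2 of the procedure: avoid answering from stale cache entries.
ipconfig /flushdns | Out-Null

foreach ($g in $byAlias) {
    # The alias is a CNAME to the source DC; Resolve-DnsName follows it
    # and returns the A/AAAA records when the chain is intact.
    $answer = Resolve-DnsName -Name $g.Name -ErrorAction SilentlyContinue
    $ips = @($answer | Where-Object { $_.IPAddress } |
             ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        Alias     = $g.Name
        # 2087: all lookups failed. 2088: lookup worked, replication did not.
        Count2087 = @($g.Group | Where-Object Id -eq 2087).Count
        Count2088 = @($g.Group | Where-Object Id -eq 2088).Count
        Resolves  = $ips.Count -gt 0
        Addresses = $ips -join ', '
    }
}
```

An alias that still fails to resolve points back to the DNS registration steps (dcdiag /test:dns, nltest /dsregdns); one that resolves but keeps producing 2088 points to connectivity or firewall checks between the replication partners.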
Reference Links: Event ID 2087 from Source Microsoft-Windows-ActiveDirectory_DomainService
