Channel: High Availability (Clustering) forum

Windows Server 2016 Failover Cluster Fails Active Directory Validation

Hello All.

I have an environment with three domain controllers all within the same site that are replicating between each other.  We set up a Failover Cluster on two Windows 2016 nodes and noticed that it failed the Active Directory Configuration validation tests.  The nodes failed this one test 100% of the time.  After digging in the Event Viewer, we noticed that the error messages for cluster creation included the message "A more secure authentication method is required."  We require the group policy setting "Domain controller: LDAP server signing requirements" to be set to "Require signing", but out of curiosity we set it to "None" and lo and behold, the nodes started connecting to Active Directory.

But it doesn't end there.  Although the Active Directory validation tests started succeeding, they only succeeded sometimes.  In other words, sometimes Node 1 would succeed and Node 2 fails, sometimes Node 1 fails but Node 2 succeeds, sometimes they both fail, and sometimes they both succeed.  Through a long mess of troubleshooting, we found out that if we removed one of the domain controllers from the DNS IP list on the nodes' NIC IPv4 properties, the validation tests would succeed 100% of the time.  This points to a DNS issue, I'm guessing, but I'm not too sure.

When querying the domain suffix in nslookup, all three domain controllers return the correct IPs.  All three domain controllers respond to port 636 and offer the correct certificate.

So my question is two-fold:  what is preventing the nodes from connecting to Active Directory while LDAP server signing is required, and what manner of DNS issue prevents them from connecting if it is not?
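A diagnostic that narrows down both halves of the question, run from each cluster node: list the DNS servers each IPv4 NIC hands to the validation wizard, resolve the domain to see which domain controllers DNS actually returns, and then bind to every returned DC over LDAP once with signing requested and once without. A DC that enforces "Require signing" should accept the signed Negotiate bind and reject the unsigned one with the "more secure authentication method" error; a DC that behaves differently from its peers, or that DNS returns but the NIC list does not, is the one to look at. This is an added example, not code from the original post; it assumes it runs as a domain user on a node, and the domain name comes from the environment rather than being hard-coded.

```powershell
# Added diagnostic example (not part of the original post).
# Assumes: run on a cluster node as a domain user; $domain is taken from the
# environment, so nothing here is specific to the poster's domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domain = $env:USERDNSDOMAIN

# 1. DNS servers configured on each IPv4 NIC (this is the list the poster trimmed).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 2. Domain controllers that DNS actually returns for the domain's A record.
$dcAddresses = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop |
    Select-Object -ExpandProperty IPAddress

# 3. Bind to a DC with the current user's credentials (Kerberos/NTLM via Negotiate),
#    either asking for LDAP signing/sealing or explicitly not asking for it.
function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [bool] $Sign = $true
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $connection.SessionOptions.Signing = $Sign
    $connection.SessionOptions.Sealing = $Sign
    try {
        $connection.Bind()
        [pscustomobject]@{ Server = $Server; SigningRequested = $Sign; Result = 'OK' }
    } catch {
        # With "Require signing" enforced, the unsigned bind is expected to land here.
        [pscustomobject]@{ Server = $Server; SigningRequested = $Sign; Result = $_.Exception.Message }
    } finally {
        $connection.Dispose()
    }
}

# 4. Every DC should give the same pair of answers; an outlier is the DC to investigate.
$results = foreach ($dc in $dcAddresses) {
    Test-LdapBind -Server $dc -Sign $true
    Test-LdapBind -Server $dc -Sign $false
}
$results | Format-Table -AutoSize
```

Compare the output of steps 1 and 2 on both nodes: if a node's NIC lists a DC that the signed bind in step 4 rejects or cannot reach, that DC is the candidate the poster found by trial and error, and the signing column shows whether the failure is the policy or the server itself.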
