Agentless User-ID (introduced in PAN-OS 5.0) has been configured on a Palo Alto Networks firewall. The system logs show "Connection failure" messages against the Domain Controller (DC). Pinging the FQDN of the DC verifies that the IP resolution is correct and the pings are successful.
Check to make sure the username entered on the firewall for the Active Directory admin account matches the case sensitive format defined in AD. This is the account created to enable the firewall to access the event logs in AD.
Ensure that the IP address, not FQDN, is entered when configuring the server monitoring. An IP address should be entered into the Network Address field.