Tuesday, January 11, 2011

Microsoft-Windows-GroupPolicy Event ID 1006

I had a very frustrating issue today with group policy at a client on a few member servers running Windows Server 2008 R2.

A quick google showed DNS as a cause - I checked my DNS configuration and it was correct so I discarded this as the reason.

A few member servers were receiving the following error:



Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/01/2011 11:51:40 AM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: torwmg832.domain.local
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.


On the details tab I was getting ErrorCode 49.



The following TechNet article from Microsoft says Error Code 49 is the following:

Error code 49 (Invalid credentials)
This error code might indicate that the user's password expired while the user is still logged on the computer.
To correct invalid credentials:
1. Change the user's password.
2. Lock/unlock the workstation.
3. Check if there are any system services running as the user account.
4. Verify the password in service configuration is correct for the user account.

http://technet.microsoft.com/en-us/library/cc727283.aspx

This error code description from Microsoft completely threw me off track diagnosing the computer account passwords, rejoining PC's to the domain and diagnosing the Kerberos Key Distribution Center (KDC) service.

All tests against the domain using nltest for the computer account were passing successfully!

/SC_QUERY: - Query secure channel for Domain on ServerName



I was confident it was nothing to do with authentication!

There were so many forum posts on the Internet leading to DNS as being the cause for this error. I decided to revisit my name resolution even though DNS was working correctly.

I checked the local host file. It was full of entries.



Removed these entries and the problem was resolved. A very simple fix for such a painful problem.

Hopefully this post will stop others from going through my pain!

53 comments:

  1. Thanks a lot, have been troubleshooting this for a while. Had the same problem a host file with a lot of entries.

    ReplyDelete
  2. THANK YOU!!! I too was having this issue. I removed the section of my HOSTS file that had my AD DCs in it and BINGO! Now the big question...WHY?

    ReplyDelete
  3. Clint - Wow... Earlier I had to add 'certain' host look-up IP-->Name via the local hosts file, I forgot to remove these entries but never even though this was the issue!

    Anyway, thanks again.

    ReplyDelete
  4. You are a saint...I've been searching for a resolution to this issue for some time!

    I wonder what the cause is. When I look at the DNS zone for my Windows domain controller, I see the A record and then all of these SRV records:

    _gc._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
    _kerberos._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _ldap._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
    _gc._tcp.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
    _kerberos._tcp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _kpasswd._tcp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
    _ldap._tcp.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
    _kerberos._udp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _kpasswd._udp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
    server1.corp.anonymous.com. 1200 IN A 172.16.1.5

    I'm assuming that at least part of the Group Policy update process needs to refer to an SRV record in DNS and these records aren't located if a hosts file provides initial resolution for the server. Yuck.

    ReplyDelete
  5. Thanks! I was seeing this same issue and your diagnosis resolved it.

    ReplyDelete
  6. You rock! I've been pulling my hair out on this, off and on, for months. Would be nice if this site was the first hit off Google.

    ReplyDelete
  7. Thanks a lot! That did the trick. Pretty ridiculous that the Hosts file would do that.

    ReplyDelete
  8. Yup that was it, same issues with me. Your post solved my issue. Thank you.

    Workstation
    Win7 Ultimate Virtual Box

    Server
    Win2008R2 DC

    ReplyDelete
  9. Thank you very much

    same problem in Brazil

    ReplyDelete
  10. Cheers Clint,
    Wish I had seen this article first instead of, as you were, taken down the path of authentication issues.

    ReplyDelete
  11. save me from group policies error ;-)

    Thx

    ReplyDelete
  12. A VERY, VERY BIG THANK YOU!!! I was pulling my hair out because of this!! WHY, Microsoft, WHY!?

    ReplyDelete
  13. Man - this is incredible! You are the best! we definitely need to push up this answer as the best!

    ReplyDelete
  14. Just want to add a comment in hopes that this answer gets bumped up higher in the search results.

    Was trying to get exchange SP2 installed and was failing something to do with the SCHEMA. Turns out having entries in the hosts file was causing all types of problems with active directory.

    I can stop screaming now.

    Thank you

    ReplyDelete
  15. hi - question for those who got this to work.. I am seeing the same alert on different servers but i dont see any entries in my hosts file. theyre clear.

    ReplyDelete
  16. another thing I am noticing is that it is happening on servers which have a disconnected user logged in. I have removed the user and so far it doesnt alert yet. its so random and weird...like the people above im pulling my hair out on this.

    ReplyDelete
  17. Thank you very much!!
    But the question is... Why?!

    ReplyDelete
  18. It sure did help me.. Thanks for posting.

    ReplyDelete
  19. Thank you Clint!!!, you help a lot of people with this... great! I was all day searching until found your blog. Nothing about it on MSFT sites... amazing! You won a piece of heaven...

    ReplyDelete
  20. Thank you very much!!!!

    Amazing Solution!!!!

    ReplyDelete
  21. I had the same issue with cross forest domain trusts, this was affecting users who login to member servers via rdp sessions.
    The server had cached the login credentials forcing the accounts to lock.
    Terminating the idle sessions resolved the problem.

    ReplyDelete
  22. Two days of hard working! and crazy searching around the error! finally I have the lucky to be a visitor of your site.
    Thanks a lot!

    ReplyDelete
  23. This was great advice, FWIW, all I needed to do was comment out the hostname in question (versus deleting the hostfile). The hostname in question was a Windows 2008 Domain Controller with its own DNS entries installed and correct. By commenting out the line for "itself" in the host file (most lines are commented, used as documentation more than anything else).

    Jim Figlik

    ReplyDelete
  24. Great! Thanks a lot...

    ReplyDelete
  25. Your article has been helpful for many people including me..
    We deployed AD and Exchange Sever 2010 in single server, of course being joined other application server like Sharepoint Server 2010.
    If I couldn't meet your article, we could reinstall whole development system..
    You are Superman for us.. Thank you so much..

    But I have a question for your article.. What is the relation hosts file entries of error?

    ReplyDelete
  26. +1
    Thanks a lot..

    ReplyDelete
  27. Fantastic! This was exactly my problem and solution. Thank you very much for posting this fix. You've just saved me many hours of pulling my hair out.

    ReplyDelete
  28. Thank you so much for taking the time to post your problem and solution, it helped me a lot, Thanks again.

    ReplyDelete
  29. I can always trust Clint...your page should be higher in the search results.

    As for the technical reason i am still not clear.

    ReplyDelete
  30. Thanks Clint, this solved it for me too

    ReplyDelete
  31. you are great! thanks!

    ReplyDelete
  32. In my case is not working.In my host file there is no entry.Please help me

    ReplyDelete
  33. Thanks! After trying a lot of promised solutions THIS is the only one that works :-)

    ReplyDelete
  34. Helped me too. Wasted many hours on this. Would have never guessed it was DC entries in the hosts file. Still wondering why that breaks GroupPolicy computer updates?

    ReplyDelete
  35. I don't have any such entries still facing the issue

    ReplyDelete
  36. same issue here.. i dont have any host entries and still see the error in event log

    ReplyDelete
  37. No entries in the host file.
    The issue was resolved by logging off a user that was logged on for a long time and a group policy that was dscarded in the meanwhile, was the cause of the event log error.

    ReplyDelete
  38. Thanks from spain!!

    ReplyDelete
  39. Spot on Thank you

    ReplyDelete
  40. thanks you so much!

    ReplyDelete
  41. I would like to share with you my experience, I went to www.vinhugo.com to buy a key, to my surprise, their attitude is very good, but the key work is normal, there is very little money I spent, very happy the first purchase and recommend it to you.

    ReplyDelete
  42. Nice content in this blog to get knowledge about window migration. Please post more related to it.
    windows 7 migration

    ReplyDelete
  43. I'm Korean. Your Post is very helpful for me. thanks a lot.

    ReplyDelete