Tuesday, January 11, 2011

Microsoft-Windows-GroupPolicy Event ID 1006

I had a very frustrating issue today with group policy at a client on a few member servers running Windows Server 2008 R2.

A quick google showed DNS as a cause - I checked my DNS configuration and it was correct so I discarded this as the reason.

A few member servers were receiving the following error:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/01/2011 11:51:40 AM
Event ID: 1006
Task Category: None
Level: Error
Computer: torwmg832.domain.local
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

On the details tab I was getting ErrorCode 49.

The following TechNet article from Microsoft says Error Code 49 is the following:

Error code 49 (Invalid credentials)
This error code might indicate that the user's password expired while the user is still logged on the computer.
To correct invalid credentials:
1. Change the user's password.
2. Lock/unlock the workstation.
3. Check if there are any system services running as the user account.
4. Verify the password in service configuration is correct for the user account.


This error code description from Microsoft completely threw me off track diagnosing the computer account passwords, rejoining PC's to the domain and diagnosing the Kerberos Key Distribution Center (KDC) service.

All tests against the domain using nltest for the computer account were passing successfully!

/SC_QUERY: - Query secure channel for Domain on ServerName

I was confident it was nothing to do with authentication!

There were so many forum posts on the Internet leading to DNS as being the cause for this error. I decided to revisit my name resolution even though DNS was working correctly.

I checked the local host file. It was full of entries.

Removed these entries and the problem was resolved. A very simple fix for such a painful problem.

Hopefully this post will stop others from going through my pain!


  1. Thanks a lot, have been troubleshooting this for a while. Had the same problem a host file with a lot of entries.

  2. THANK YOU!!! I too was having this issue. I removed the section of my HOSTS file that had my AD DCs in it and BINGO! Now the big question...WHY?

  3. Clint - Wow... Earlier I had to add 'certain' host look-up IP-->Name via the local hosts file, I forgot to remove these entries but never even though this was the issue!

    Anyway, thanks again.

  4. You are a saint...I've been searching for a resolution to this issue for some time!

    I wonder what the cause is. When I look at the DNS zone for my Windows domain controller, I see the A record and then all of these SRV records:

    _gc._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
    _kerberos._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _ldap._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
    _gc._tcp.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
    _kerberos._tcp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _kpasswd._tcp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
    _ldap._tcp.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
    _kerberos._udp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
    _kpasswd._udp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
    server1.corp.anonymous.com. 1200 IN A

    I'm assuming that at least part of the Group Policy update process needs to refer to an SRV record in DNS and these records aren't located if a hosts file provides initial resolution for the server. Yuck.

  5. Thanks! I was seeing this same issue and your diagnosis resolved it.

  6. You rock! I've been pulling my hair out on this, off and on, for months. Would be nice if this site was the first hit off Google.

  7. Thanks a lot! That did the trick. Pretty ridiculous that the Hosts file would do that.

  8. Yup that was it, same issues with me. Your post solved my issue. Thank you.

    Win7 Ultimate Virtual Box

    Win2008R2 DC

  9. Thank you very much

    same problem in Brazil

  10. Cheers Clint,
    Wish I had seen this article first instead of, as you were, taken down the path of authentication issues.

  11. save me from group policies error ;-)


  12. A VERY, VERY BIG THANK YOU!!! I was pulling my hair out because of this!! WHY, Microsoft, WHY!?

  13. Man - this is incredible! You are the best! we definitely need to push up this answer as the best!

  14. Just want to add a comment in hopes that this answer gets bumped up higher in the search results.

    Was trying to get exchange SP2 installed and was failing something to do with the SCHEMA. Turns out having entries in the hosts file was causing all types of problems with active directory.

    I can stop screaming now.

    Thank you

  15. hi - question for those who got this to work.. I am seeing the same alert on different servers but i dont see any entries in my hosts file. theyre clear.

  16. another thing I am noticing is that it is happening on servers which have a disconnected user logged in. I have removed the user and so far it doesnt alert yet. its so random and weird...like the people above im pulling my hair out on this.

  17. Thank you very much!!
    But the question is... Why?!

  18. It sure did help me.. Thanks for posting.

  19. Thank you Clint!!!, you help a lot of people with this... great! I was all day searching until found your blog. Nothing about it on MSFT sites... amazing! You won a piece of heaven...

  20. Thank you very much!!!!

    Amazing Solution!!!!

  21. I had the same issue with cross forest domain trusts, this was affecting users who login to member servers via rdp sessions.
    The server had cached the login credentials forcing the accounts to lock.
    Terminating the idle sessions resolved the problem.

  22. Two days of hard working! and crazy searching around the error! finally I have the lucky to be a visitor of your site.
    Thanks a lot!

  23. This was great advice, FWIW, all I needed to do was comment out the hostname in question (versus deleting the hostfile). The hostname in question was a Windows 2008 Domain Controller with its own DNS entries installed and correct. By commenting out the line for "itself" in the host file (most lines are commented, used as documentation more than anything else).

    Jim Figlik

  24. Great! Thanks a lot...

  25. Your article has been helpful for many people including me..
    We deployed AD and Exchange Sever 2010 in single server, of course being joined other application server like Sharepoint Server 2010.
    If I couldn't meet your article, we could reinstall whole development system..
    You are Superman for us.. Thank you so much..

    But I have a question for your article.. What is the relation hosts file entries of error?

  26. Fantastic! This was exactly my problem and solution. Thank you very much for posting this fix. You've just saved me many hours of pulling my hair out.

  27. Thank you so much for taking the time to post your problem and solution, it helped me a lot, Thanks again.

  28. I can always trust Clint...your page should be higher in the search results.

    As for the technical reason i am still not clear.

  29. Thanks Clint, this solved it for me too

  30. you are great! thanks!

  31. In my case is not working.In my host file there is no entry.Please help me

  32. Thanks! After trying a lot of promised solutions THIS is the only one that works :-)

  33. Helped me too. Wasted many hours on this. Would have never guessed it was DC entries in the hosts file. Still wondering why that breaks GroupPolicy computer updates?

  34. I don't have any such entries still facing the issue

  35. same issue here.. i dont have any host entries and still see the error in event log

  36. No entries in the host file.
    The issue was resolved by logging off a user that was logged on for a long time and a group policy that was dscarded in the meanwhile, was the cause of the event log error.

  37. Thanks from spain!!

  38. Spot on Thank you

  39. thanks you so much!

  40. Nice content in this blog to get knowledge about window migration. Please post more related to it.
    windows 7 migration

  41. I'm Korean. Your Post is very helpful for me. thanks a lot.