A quick google showed DNS as a cause - I checked my DNS configuration and it was correct so I discarded this as the reason.
A few member servers were receiving the following error:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/01/2011 11:51:40 AM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: torwmg832.domain.local
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
On the details tab I was getting ErrorCode 49.
The following TechNet article from Microsoft says Error Code 49 is the following:
Error code 49 (Invalid credentials)
This error code might indicate that the user's password expired while the user is still logged on the computer.
To correct invalid credentials:
1. Change the user's password.
2. Lock/unlock the workstation.
3. Check if there are any system services running as the user account.
4. Verify the password in service configuration is correct for the user account.
http://technet.microsoft.com/en-us/library/cc727283.aspx
This error code description from Microsoft completely threw me off track, diagnosing the computer account passwords, rejoining PCs to the domain and diagnosing the Kerberos Key Distribution Center (KDC) service.
All tests against the domain using nltest for the computer account were passing successfully!
/SC_QUERY:
I was confident it was nothing to do with authentication!
There were so many forum posts on the Internet leading to DNS as being the cause for this error. I decided to revisit my name resolution even though DNS was working correctly.
I checked the local hosts file. It was full of entries.
I removed these entries and the problem was resolved. A very simple fix for such a painful problem.
Hopefully this post will stop others from going through my pain!
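One way to script the hosts file check that resolved the problem above, as an added example that is not part of the original post: it lists the active hosts file entries and marks those that name a domain controller or disagree with DNS. It assumes a domain-joined machine with the `Resolve-DnsName` cmdlet (Windows 8 / Server 2012 or later); the function name `Get-ActiveHostsEntry` is made up for this example.

```powershell
# Added example: audit the hosts file for entries that shadow domain controllers.
# Assumes a domain-joined machine with the Resolve-DnsName cmdlet.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$domain    = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

# Domain controller names according to DNS alone (the hosts file is bypassed).
$dcNames = @(
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
)

# Hypothetical helper: return one object per name on every active (uncommented) line.
function Get-ActiveHostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()      # strip comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }           # address without a name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

Get-ActiveHostsEntry -Lines (Get-Content -LiteralPath $hostsPath) | ForEach-Object {
    $entry = $_
    $short = ($entry.Name -split '\.')[0]
    # Match on the FQDN or on the short host name.
    $isDc  = @($dcNames | Where-Object { $_ -eq $entry.Name -or ($_ -split '\.')[0] -eq $short }).Count -gt 0
    $dnsIp = @(Resolve-DnsName -Name $entry.Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    [pscustomobject]@{
        Name                  = $entry.Name
        HostsAddress          = $entry.Address
        DnsAddress            = $dnsIp -join ', '
        NamesDomainController = $isDc
        DiffersFromDns        = ($dnsIp.Count -gt 0) -and ($dnsIp -notcontains $entry.Address)
    }
} | Format-Table -AutoSize
```

Run it from a PowerShell prompt on the affected member server; it only reads the hosts file and queries DNS.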
Thanks a lot, have been troubleshooting this for a while. Had the same problem: a hosts file with a lot of entries.
THANK YOU!!! I too was having this issue. I removed the section of my HOSTS file that had my AD DCs in it and BINGO! Now the big question...WHY?
Clint - Wow... Earlier I had to add 'certain' host look-up IP-->Name via the local hosts file, I forgot to remove these entries but never even thought this was the issue!
Anyway, thanks again.
You are a saint...I've been searching for a resolution to this issue for some time!
I wonder what the cause is. When I look at the DNS zone for my Windows domain controller, I see the A record and then all of these SRV records:
_gc._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
_kerberos._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
_gc._tcp.corp.anonymous.com. 600 IN SRV 0 100 3268 server1.corp.anonymous.com.
_kerberos._tcp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
_kpasswd._tcp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
_ldap._tcp.corp.anonymous.com. 600 IN SRV 0 100 389 server1.corp.anonymous.com.
_kerberos._udp.corp.anonymous.com. 600 IN SRV 0 100 88 server1.corp.anonymous.com.
_kpasswd._udp.corp.anonymous.com. 600 IN SRV 0 100 464 server1.corp.anonymous.com.
server1.corp.anonymous.com. 1200 IN A 172.16.1.5
I'm assuming that at least part of the Group Policy update process needs to refer to an SRV record in DNS and these records aren't located if a hosts file provides initial resolution for the server. Yuck.
Thanks! I was seeing this same issue and your diagnosis resolved it.
thank you :-)
You rock! I've been pulling my hair out on this, off and on, for months. Would be nice if this site was the first hit off Google.
Thanks a lot! That did the trick. Pretty ridiculous that the Hosts file would do that.
Yup that was it, same issues with me. Your post solved my issue. Thank you.
Workstation
Win7 Ultimate Virtual Box
Server
Win2008R2 DC
Thank you very much
same problem in Brazil
Cheers Clint,
Wish I had seen this article first instead of, as you were, being taken down the path of authentication issues.
save me from group policies error ;-)
Thx
A VERY, VERY BIG THANK YOU!!! I was pulling my hair out because of this!! WHY, Microsoft, WHY!?
Man - this is incredible! You are the best! We definitely need to push up this answer as the best!
Just want to add a comment in hopes that this answer gets bumped up higher in the search results.
Was trying to get Exchange SP2 installed and was failing something to do with the SCHEMA. Turns out having entries in the hosts file was causing all types of problems with Active Directory.
I can stop screaming now.
Thank you
Hi - question for those who got this to work.. I am seeing the same alert on different servers but I don't see any entries in my hosts file. They're clear.
Another thing I am noticing is that it is happening on servers which have a disconnected user logged in. I have removed the user and so far it doesn't alert yet. It's so random and weird...like the people above I'm pulling my hair out on this.
Thank you very much!!
But the question is... Why?!
It sure did help me.. Thanks for posting.
Thank you Clint!!! You help a lot of people with this... great! I was searching all day until I found your blog. Nothing about it on MSFT sites... amazing! You won a piece of heaven...
Thank you very much!!!!
Amazing Solution!!!!
I had the same issue with cross forest domain trusts, this was affecting users who login to member servers via rdp sessions.
The server had cached the login credentials forcing the accounts to lock.
Terminating the idle sessions resolved the problem.
Thanks a lot
Two days of hard work and crazy searching around the error! Finally I had the luck to be a visitor of your site.
Thanks a lot!
This was great advice, FWIW, all I needed to do was comment out the hostname in question (versus deleting the hostfile). The hostname in question was a Windows 2008 Domain Controller with its own DNS entries installed and correct. By commenting out the line for "itself" in the host file (most lines are commented, used as documentation more than anything else).
Jim Figlik
Great! Thanks a lot...
Your article has been helpful for many people including me..
We deployed AD and Exchange Server 2010 on a single server, of course joined with other application servers like SharePoint Server 2010.
If I couldn't meet your article, we could reinstall whole development system..
You are Superman for us.. Thank you so much..
But I have a question about your article.. What is the relation of hosts file entries to the error?
+1
Thanks a lot..
Fantastic! This was exactly my problem and solution. Thank you very much for posting this fix. You've just saved me many hours of pulling my hair out.
Clint you are the man!!!!!
Thank you so much for taking the time to post your problem and solution, it helped me a lot, Thanks again.
I can always trust Clint...your page should be higher in the search results.
As for the technical reason I am still not clear.
Thanks Clint, this solved it for me too
You are great! Thanks!
In my case it is not working. In my hosts file there is no entry. Please help me
Thanks! After trying a lot of promised solutions THIS is the only one that works :-)
Helped me too. Wasted many hours on this. Would have never guessed it was DC entries in the hosts file. Still wondering why that breaks GroupPolicy computer updates?
I don't have any such entries, still facing the issue
Same issue here.. I don't have any host entries and still see the error in event log
No entries in the host file.
The issue was resolved by logging off a user that was logged on for a long time and a group policy that was discarded in the meanwhile, was the cause of the event log error.
Thanks Clint!!
Thanks a lot..
Thanks from spain!!
Spot on Thank you
thanks you so much!
I'm Korean. Your Post is very helpful for me. thanks a lot.