Additional DC LDAP Bind function call failed.

  • Question

  • Hi guys

    I have a Windows 2008 R2 forest that only contains two 2008 R2 SP1 domain controllers. Recently I promoted a new ADC at my DR site.

    The ADC was successfully promoted and automatic connections were created to the head office site and the DR site. Things are looking really fine.

    But in the event log of the new ADC I see the following events appear.

    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

    Event ID: 1006
    Error code: 49

    The Security System could not establish a secured connection with the server LDAP/DRsrv.Domainname/DomainName@DomainName. No authentication protocol was available.

    Event ID: 40961

    Then I tried to manually replicate the DR server with the HOD servers, but it failed with an access denied error.

    Please provide me with a solution.

    Thanks


    Asitha

    Thursday, May 17, 2012 6:37 AM

Answers

  • Hi

    Sorry for the delayed response.

    The issue has been solved. I checked all the links you guys referred to, but hardly found a solution. The issue vanished with time.
    The only guess I have is firewall ports; maybe some ports were blocked.

    Thanks everyone for your kind response.


    Asitha

    • Marked as answer by Yan Li_ Friday, May 18, 2012 9:59 AM
    Friday, May 18, 2012 9:35 AM

All replies

  • Did you happen to check the below TechNet article?

    http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx

    According to which,

    Error code 49 (Invalid credentials)

    This error code might indicate that the user's password expired while the user is still logged on the computer.

    To correct invalid credentials:

    1. Change the user's password.
    2. Lock/unlock the workstation.
    3. Check if there are any system services running as the user account.
    4. Verify the password in service configuration is correct for the user account.

    Additionally, refer to the below threads, which discuss the same issue:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3fdc100f-16cb-4d4d-b1ca-4ce00bc7bbcc

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/9658df5c-6b61-4f92-91fc-93ffe6318c88

    If none of the above works, then refer to the below article:

    http://clintboessen.blogspot.in/2011/01/microsoft-windows-grouppolicy-event-id.html

    Hope this information helps.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by rjasutis Friday, March 24, 2017 6:57 PM
    Thursday, May 17, 2012 6:46 AM
  • Yes, I checked all of them.

    The hotfix is not applicable because I'm using 2008 R2.

    The user account is domain administrator; it doesn't get locked.

    There aren't any hosts file entries.

    Thanks.


    Asitha

    • Proposed as answer by alberto_ariboni Tuesday, September 11, 2018 2:22 PM
    Thursday, May 17, 2012 6:52 AM
  • Interesting!

    Ok,

    I would suggest you post an unedited ipconfig /all from your ADC.

    And make sure IPv6 is not disabled on the ADC. It should be enabled.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, May 17, 2012 7:02 AM

  • Check below link:
    http://eventid.net/display.asp?eventid=1006&eventno=10293&source=Microsoft-Windows-GroupPolicy&phase=1
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/387b8f88-ea25-4d61-86cb-7f4a0bb7683f

    It could also be due to a DNS name resolution issue. Ensure the following on the DC:
    1. Each DC / DNS server points to its own private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
       Do not put private DNS IP addresses in the forwarder list.
    5. Assign a static IP address to the DC if its IP address is currently assigned by a DHCP server; a DHCP-assigned address on a DC is strongly not recommended.

    Note: Also make sure IPv6 is configured to dynamic (automatically).

    I would recommend posting the ipconfig details of the DC, plus dcdiag and repadmin /replsum output, if the issue persists.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, May 17, 2012 7:10 AM
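The checklist in the reply above can be turned into a script that audits a DC and also pulls the two event IDs from the original question. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the DC itself and uses WMI so that it runs on the 2008 R2 DCs in the question, where the NetTCPIP cmdlets do not exist.

```powershell
# Added example, not from the thread: audit a DC's TCP/IP, DNS and IPv6 settings against the
# checklist above and pull the two event IDs the original poster saw (1006 and 40961).
# Assumptions: run in an elevated PowerShell session on the DC; WMI is used so this also works on 2008 R2.
$private  = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'   # RFC 1918 ranges
$findings = @()

# Items 1, 2 and 5: one IP-enabled adapter, one static IPv4 address, own address first in the DNS list
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
if ($nics.Count -ne 1) { $findings += "Expected 1 IP-enabled adapter, found $($nics.Count)" }
foreach ($nic in $nics) {
    $v4  = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })
    $dns = @($nic.DNSServerSearchOrder)
    if ($v4.Count -ne 1)  { $findings += "$($nic.Description): $($v4.Count) IPv4 addresses, expected 1" }
    if ($nic.DHCPEnabled) { $findings += "$($nic.Description): address comes from DHCP, a DC should be static" }
    if ($dns.Count -eq 0 -or $dns[0] -ne $v4[0]) {
        $findings += "$($nic.Description): primary DNS is '$($dns[0])', expected own address '$($v4[0])'"
    }
    # Item 3: public resolvers belong in the forwarders, never in the DC's own TCP/IP DNS list
    foreach ($d in $dns) {
        if ($d -notmatch $private -and $d -ne '127.0.0.1') {
            $findings += "$($nic.Description): public DNS server $d in TCP/IP settings"
        }
    }
}

# Item 4 note: forwarders should be the ISP's resolvers, not private addresses
$dnsSrv = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server -ErrorAction SilentlyContinue
if ($dnsSrv) {
    foreach ($f in @($dnsSrv.Forwarders)) {
        if ($f -match $private) { $findings += "Forwarder $f is a private address" }
    }
}

# IPv6 must stay enabled: DisabledComponents with the low 8 bits set (0xFF) turns it off completely
$v6 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
if ($v6.DisabledComponents -and (($v6.DisabledComponents -band 0xFF) -eq 0xFF)) {
    $findings += ('IPv6 is disabled via DisabledComponents=0x{0:X}' -f $v6.DisabledComponents)
}

# The symptoms from the question: 1006 (Group Policy, LDAP bind) and 40961 (LsaSrv) in the System log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1006, 40961 } -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings += "$($e.TimeCreated) event $($e.Id): $firstLine"
}

if ($findings.Count -eq 0) { 'No findings: configuration matches the checklist' } else { $findings }
```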

  • @Asitha De Silva You might want to look at your reverse lookup zones as well, making sure they're configured correctly.
    Thursday, May 17, 2012 7:37 AM
  • Take a look at the below two articles; they might provide you some headway.

    http://blogs.technet.com/b/ad/archive/2009/03/20/downgrade-attack-a-little-more-info.aspx

    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, May 17, 2012 8:55 AM
  • If this is a DC, I wonder what your dns configuration is looking like?  Please run from a command prompt and post an IPCONFIG /all

    Are there any firewalls that could be blocking ports between the two?

    Check out this EventLog site with others that have had the same failure as you.
    http://eventid.net/display-eventid-40961-source-LsaSrv-eventno-1398-phase-1.htm

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, May 17, 2012 12:02 PM
  • Good to know that the issue has been resolved. However, we don't have an exact root cause for this.

    Cheers,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 9:38 AM
  • I know this thread is over 2 years old, however I found the same issue on our RD server, and the issue turned out to be drive mappings to the (single) DC using saved credentials (different to the user's logon account) and the password had expired. Just disconnecting/deleting the mapped drives didn't fix it; I had to go into the Windows Credentials Manager (vault) and delete the saved credentials, then after a log-off & on the group policies worked OK again.

    Cheers
    Matthew

    Monday, September 1, 2014 9:47 PM
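The stale-credential cause described in this reply (vault entries saved under a different account than the logon account) and steps 3 and 4 of Prashant's first reply (services running as a user account) can both be checked from one script. This is an added example, not code from the thread; it assumes it is run in the affected user's session, and the DC name 'DC01' and domain 'CORP' are placeholders.

```powershell
# Added example, not from the thread: list the two places where stale credentials for the DC hide:
# saved Windows Credentials (vault) entries and services configured to run as a domain account.
# Assumptions: run in the affected user's session; 'DC01' and 'CORP' are placeholders for your own names.
param([string]$DcName = 'DC01', [string]$Domain = 'CORP')
$me = "$env:USERDOMAIN\$env:USERNAME"

# cmdkey /list prints one block per saved credential, with "Target:" and "User:" lines
function Get-SavedCredential {
    $entries = @(); $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Target = $matches[1].Trim(); User = '' }
            $entries += $current
        } elseif ($line -match '^\s*User:\s*(.+)$' -and $current) {
            $current.User = $matches[1].Trim()
        }
    }
    $entries
}

# Vault entries that point at the DC or the domain and were stored under a different account than
# the one logged on now: the drive-mapping scenario in the reply above
$stale = Get-SavedCredential | Where-Object {
    ($_.Target -match $DcName -or $_.Target -match $Domain) -and $_.User -ne $me
}
foreach ($s in $stale) {
    "Saved credential '$($s.Target)' uses '$($s.User)' (logged on as '$me'); remove it in Credential Manager or with: cmdkey /delete:$($s.Target)"
}

# Prashant's steps 3 and 4: services running as a domain account keep presenting the old password
$svc = Get-WmiObject Win32_Service | Where-Object { $_.StartName -like "$Domain\*" -or $_.StartName -like '*@*' }
foreach ($v in $svc) {
    "Service '$($v.Name)' runs as '$($v.StartName)' (state: $($v.State)); verify the configured password"
}
```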
  • This solution worked for me. I have been struggling with this for one month. I tried removing and re-joining the server to the domain but was of no use. Finally cleared all stored passwords from the Windows Credentials Manager (Vault) and succeeded.
    Sunday, March 1, 2015 12:33 PM
  • Thanks man, I have just run into a similar issue, wasted a whole week on event viewer.
    Friday, July 24, 2015 5:50 PM
  • Had this today on a Windows 7 (Gold Image) for VMware View VDI

    I was using the domain admin account, and had to leave and rejoin the domain before it would process properly?


    Regards Pete Long http://www.petenetlive.com

    Tuesday, August 30, 2016 12:43 PM
  • I know this is old but if anyone else is looking for the answer, this helped me.

    I've been seeing this alert for years and finally figured it out. A user/service account closed their session without logging out properly and then changed their password. The alert was triggered because the machine can't process the user based group policy settings due to the account being logged in with old credentials.

    Friday, March 24, 2017 7:07 PM
  • This would have been useful had you explained how to fix it.
    Monday, March 19, 2018 12:06 AM