Phil B asked:
LDAP Binding Error Applying GPO's

Hello,
We are starting to apply GPO's to our live domain and we are running into some problems that our test domain didn't do.

All local machines are running on Windows 7 pro.

When I enforce Group Policy using gpupdate /force everything runs fine on the DC but when I go to the local machine I get the following error when I run gpupdate /force: LDAP Bind Function Call Failed with error code 49

So I did some research on this error and found that Microsoft says this is a profile issue. So I proceeded to investigate. I found a tool from Sysinternals to check whether I had any corrupted profiles:
Using PSTools I ran this from an elevated cmd prompt:
PsExec.exe -i -s cmd.exe
rundll32.exe keymgr.dll, KRShowKeyMgr
No corrupted profiles as I suspected as this is a brand new install on a local machine.

Next I checked to see if I had the Authenticated Users in the Delegation tab and yep I do.
Next I tried to do a restart of the Netlogon service. That still didn't work. I tried restarting the server too and that didn't work.

I have tested my secure channels following this article:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

I checked the services for the netlogon and those are set to default local system account on the server. (Automatically starting)

The only forwarder that we have is 8.8.8.8.

No External DNS servers.

We only have one DNS server.

Kerberos policy is set to 5 minutes.

I have run a klist tickets cmd and I only have one ticket come back and it was mine. Guid._msdcs.DomainName.com could not be resolved to an IP address.

I have run DCDiag /test:DNS and it came back with an error:

Summary of DNS test result:

Auth=Pass, Basc = Fail, Forw=Pass, Del=Pass, Dyn=Warn,RReg=Fail, Ext= n/a

I also ran dcdiag /test:registerindns /dnsdomain:DomainName.com

result: DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS
DcDiag cannot reach a conclusive result because it cannot interpret the following message that was returned: 9003

I also ran nltest /dsregdns and I am still having DNS issues.

I have deleted the CNAME record in the DNS folder for the DC and I have re-added it to the DNS folder and still no differing results.
Following this article here:
https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

The firewall is on the outside of the network protecting the computer inside the domain. So there is no DC between the firewall that I am aware of.

We did correct a time issue where the server was getting the time from the local server. We changed that to be an external source from the pool ip addresses and now all local machines are running on the correct time.

I've even checked with wireshark and I do see errors but I'm not sure this is the source of my problem.

So I decided to do some more researching and I found out that it could possibly be a DNS error. So I thought I would try to leave the domain and re-add, that didn't work. I even looked to see if I had any additional host files that I shouldn't have. Nope nada.

I honestly don't know what to do next.

I did find out that we had some subcontractors in our domain controller and it appears that they may have messed some things up. For instance, we were not getting any reverse lookups at all; that is now corrected. There are two NS server file names which are still there, but I don't think we need two.
I will say that when I was looking through event logs I saw the error code 1222 right beside the error code 49 and I am wondering if the two are related or not? Although this computer hasn't ever been off of our domain so I am not sure how it would get the 1222 error code.
This has even happened on a brand new install computer too.

Has anyone else run into this issue?
I have done lots of research and there do seem to be a lot of LDAP binding issues among other users, but those seemed to get fixed relatively easily. So I'm not sure what else to do.
I'm open to suggestions and ideas.

I am thinking that this is a DNS issue. But for some reason I still can't seem to get this resolved. I'm not seeing anything out of the ordinary in the DNS role on the server.

Thanks!
Aard Vark:

When I enforce Group Policy using gpupdate /force everything runs fine on the DC but when I go to the local machine I get the following error when I run gpupdate /force: LDAP Bind Function Call Failed with error code 49

Error Code 49 with LDAP is usually related to invalid credentials. See Microsoft documentation around Error Code 49 and LDAP here.

Are there any issues with the computer or user accounts (disabled, etc.)? I'm going to say no because you can log on.
Does it do this for all computers/users in scope of the GPO?
What results do you get for gpupdate /force /target:user?
What results do you get for gpupdate /force /target:computer?
Does the user account have any logon time restrictions?

I'm leaning toward a user account issue or a DNS issue.
GPUPDATE /FORCE does not have any options other than for /force.

here are all the switches for GPUPDATE:
https://technet.microsoft.com/en-us/library/bb490983.aspx
Gpupdate

Refreshes local and Active Directory-based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.

Syntax

gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]



Parameters

/target: { computer | user }  : Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.

/force   : Ignores all processing optimizations and reapplies all settings.

/wait: value    : Number of seconds that policy processing waits to finish. The default is 600 seconds. 0 means "no wait"; -1 means "wait indefinitely."

/logoff   : Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot   : Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/? : Displays help at the command prompt.

GPUPDATE /FORCE does not have any options other than for /force.

Well, the help text you have pasted says otherwise and it works fine for me. Microsoft's documentation also says otherwise as per the docs site here:

gpupdate [/target:{Computer | User}] [/force] [/wait:<VALUE>] [/logoff] [/boot] [/sync] [/?]



Running /force with the /target switch has the intended outcome, as per the command line parameters, of processing the user settings only.

The event logs show the same outcome too. Or am I misunderstanding what you're saying?
Phil B (asker):
I am going to test this tomorrow to see if I can enforce just one or the other.

Also after looking at my dcdiag test DNS results I think I am going to run another portqueryui from microsoft and see what ports are open and which ones are closed.

But another issue in my DNS server is that I have two name servers (NS), which from what I have studied I should only have one of. But I am not sure this would be causing my LDAP issues.
Are you pointing all clients to your DC for DNS?

Maybe post an IPCONFIG from one of the client machines.
Phil B (asker):
But what I would say is how many domain controllers do you have?

We only have one Domain controller.

I assume you are using AD integrated DNS

Yes, I'm pretty certain it is an integrated DNS.

To answer your last question, yes, I have been checking them over and over again. I'm still relatively new to DNS servers and we are a small company, so other people in our company don't have much experience either. This AD was not set up by us, which makes it more difficult to know what was done and what wasn't.


Are you pointing all clients to your DC for DNS?

Yes, they are all supposed to be pointing to this server. I do know there are a few that may not be, but the majority are.

Maybe post an IPCONFIG from one of the client machines.

I can post some tomorrow when I am at work.
Phil B (asker):
Testing just the user and computer configuration came up with the same result.
Can you post their IPCONFIG /ALL?
With one DC you have no replication related issues.
When you installed the ADDS role, do you recall if you were prompted to set up Integrated DNS?
Phil B (asker):
When you installed the ADDS role, do you recall if you were prompted to set up Integrated DNS?

Never installed it. This AD has been installed for about 5 years so I have no idea how it was installed. I will say they have never tried to apply group policy until now.

With the ipconfig /all I'm not really sure how much of that I can show since this is a public forum for security reasons. What is it that you are looking for maybe I can confirm it.
Ok.
When you run IPCONFIG does the client point to the DC or some other DNS server?
With Group Policy it is a major part of AD and should work without any issues.
Phil B (asker):
When you run IPCONFIG does the client point to the DC or some other DNS server?
With Group Policy it is a major part of AD and should work without any issues.


It points to the DC.

I've tried to use ldp.exe and it is telling me when I use my own credentials that the binding has failed, too.

On group policy in our test environment off of the live network. Group policy works great, didn't have any issues. It's only when I went to the live domain that I started having problems.
Your account may not be a Domain Admin.
This seems to be a very strange issue that I personally never have seen.  

You mentioned a test environment.  Is this test environment completely segmented from your production environment?
Is the same machine used to run against your test environment being used for your production one?
Phil B (asker):
Your account may not be a Domain Admin.
This seems to be a very strange issue that I personally never have seen.  

You mentioned a test environment.  Is this test environment completely segmented from your production environment?
Is the same machine used to run against your test environment being used for your production one?

Sorry if I wasn't clear before. Yes, our test environment is completely off of our live domain. They have no connections whatsoever, not even internet connections.

The local machine that I have been using to test has never been on the test environment and has always been in the live domain.

On the Domain Admin part, are you referring to the AD or the local machine? Either way, I typically log in as the administrator on both, because I have found out that some things will not be applied unless I am the admin.

I hope that makes sense.

And yes, I know this is a tough one. I have been studying this issue for several weeks and it really has gotten me stumped. I've read article after article on how to correct this issue, and everything these articles (or blogs or anything really) have suggested turns out not to be the answer.

I will say my colleagues have stated that since the inception of this AD they have ALWAYS (caps for emphasis) had connection issues. They can't ever seem to get that resolved fully. I'm wondering if the two are related somehow?
It sure would seem so.
You mentioned that you have looked at your Event Logs and found the code 49, but are there other errors or warnings that jump out on both the system and application logs?

There may lie the smoking gun.
Phil B (asker):
You mentioned that you have looked at your Event Logs and found the code 49, but are there other errors or warnings that jump out on both the system and application logs?

There is a code that is right beside the code 49 and it is code 1222; those seem to be conjoined every single time I see that error.
Phil B (asker):
When I run ldp.exe I get this:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: <empty>
Phil B (asker):
Also I noticed somewhat new error today on the DNS role:

Issue:
The Active Directory integrated DNS zone _msdcs.Domain.com was not found.

Impact:
DNS queries for the Active Directory integrated zone _msdcs.Domain.com might fail.

Resolution:
Restore the Active Directory integrated DNS zone _msdcs.Domain.com.


How would I resolve this and would it be causing binding errors?
Phil B (asker):
Looking at this https://www.experts-exchange.com/articles/1073/Diagnosing-and-repairing-Events-1030-and-1058.html

I have found another problem but I am not sure how to fix it.

My sysvol folder where the gpo is located is a subfolder of the sysvol.

So if I have this problem what is the best practice to correct this without taking down my live domain?
Phil B (asker):
Found some brand new errors that were popping up today. These are on the client machine:

Name: Group Policy
Event ID: 1055
Error Code: 1355

Name: Schannel
Event ID: 36887
Error Code: 40

Name: Schannel
Event ID: 36888
Error Code: 10
Internal Error Code: 10

This was after I deleted the whole entire GPO and then I recreated the GPO and tried to enforce it.
how many GPO's in total?

Some tools that you can use to help you narrow it down.
From the client's machine
  • RSOP
  • gpresult /h .\Filename.html

Machine with RSAT (your DC will 100% be able to do this)
  • GPMC > Group Policy Result  > Wizard

I like using GPMC to get detail
Phil B (asker):
Yes I have already used those.

When I run gpresult /r it shows me that the group policy hasn't been applied on the user settings. Now if there is something else I should focus on the rsop then I'm all ears.

I have run that wizard and you're right, it does give you tons of information. I will admit I am a tad green, so with all that information I'm not entirely sure if something is good or something is a little off.

When I am at work tomorrow I will run everything again, but all these I know I have done at least once if not multiple times, lol.
From what you are saying it sounds like the computers are getting the settings and the users are not.

Do you have any special security set for the users or maybe you have the GPO in a lower OU than the user objects or blocked inheritance is applied.

There are so many possible things to look at.
  • Security Filtering
  • Blocked inheritance
  • Delegation
Phil B (asker):
Sorry I need to retract what I said above, because it doesn't seem like I said it correctly.

Both computer and user settings aren't being applied when I run the gpresult /r (rsop)

When I was thinking of user settings I was thinking of the group policy that we are trying to put in place. That one should be under user settings. The group policy that we are trying to configure is the screen saver lockout via group policy. But every time I try to force it on the client machine I get the LDAP binding error.
Do you have a screenshot of your GPO (Redact any confidential info)?
Phil B (asker):
Here is what I have, I'm not sure exactly what you are looking for:

I was looking for what your security settings and OU hierarchy looks like.
Phil B (asker):
I was looking for what your security settings and OU hierarchy looks like.

Here is what our hierarchy looks like:
And here:
For security, is this what you are looking for?
Do your users reside in the IT TEST GROUP OU?
Phil B (asker):
Not all users! But for the purposes of group policies yes.
Phil B (asker):
yes :

Short answer and very last part:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
      {NtAuthIdentity: User='xxxx'; Pwd=<unavailable>; domain = 'DomainName.com'}
Authenticated as: 'DomainName\User'.

You know what I notice a difference I ran this before and I got a fail to bind. I am not seeing that now. I am going to hunt my records that I have been keeping and see if I can show you a failed one.
Phil B (asker):
This is the error that I have seen before:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='xxxx'; Pwd=<unavailable>; domain = 'DomainName.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.

I never had it not be that error when I ran ldp.exe.

hmmmmmm.........................
Found this thread on Microsoft:
https://social.technet.microsoft.com/Forums/ie/en-US/eccd931f-18e8-43f7-b563-3ac7ba84ee55/weird-ldp-issue?forum=winserverDS

Not sure if you tried using the pre-2000 format domain\user to logon?
Phil B (asker):
The only thing I have changed today is I deleted an extra NS file in the DNS role. That's the only thing I did. But when I ran a gpupdate /force after that it still failed to apply the group policy.
So it seems like it is binding now. But if it is binding then why is it giving me an error when I run gpupdate /force. Let me investigate a little more.
Phil B (asker):
I just re-ran gpupdate /force again and it is not giving me any errors now.

So that extra NS file must have been causing those issues.
what extra NS?
There you go.  AD relies heavily on DNS.  

Good find.
You do not have to award me points.  I did not give you anything that would have made you look at your NS.
I'm not really sure how the points are being distributed here. If the problem was that there were extra name servers in your DNS zones, then the answer was given when you were told to validate the number of name servers in your DNS zones here. Instead you've picked an answer saying to try ldp.exe? This doesn't lead to a good outcome for someone coming along later looking into a similar issue.
Still not sure why I am getting any points for this one.
Phil B (asker):
It ended up being an extra NS (name server) in the DNS folder/role.
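An added example, not from the thread: a PowerShell script an administrator can run on the DC to audit the zone's NS records against the real DC list (the stale record that turned out to be the cause here), check the DC locator SRV record that clients need before they can bind, and repeat the Negotiate bind that ldp.exe performs. It assumes Windows Server 2012 or later with the ActiveDirectory and DnsServer modules installed; $DomainName is a placeholder for your DNS domain.

```powershell
<#
 Added example, not part of the original thread. Audits the NS records of the AD
 domain zone and its _msdcs subzone against the domain's actual DC list, checks
 the DC locator SRV record, and performs the same Negotiate bind that ldp.exe does.
 Assumes: run on the DC with the ActiveDirectory and DnsServer modules present
 (Windows Server 2012 or later); $DomainName is a placeholder for your DNS domain.
#>
param([string]$DomainName = $env:USERDNSDOMAIN)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module DnsServer -ErrorAction Stop

# Every NS record in an AD-integrated zone should name a current DC hosting that zone.
$dcNames = (Get-ADDomainController -Filter *).HostName |
    ForEach-Object { $_.TrimEnd('.').ToLower() }

function Get-ZoneNsRecords([string]$Zone) {
    # _msdcs is its own zone on newer forests, but on older ones it is a delegated
    # subfolder of the domain zone, so fall back to the parent zone in that case.
    $rr = Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS -ErrorAction SilentlyContinue
    if (-not $rr -and $Zone -like '_msdcs.*') {
        $rr = Get-DnsServerResourceRecord -ZoneName $DomainName -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
    }
    return $rr
}

foreach ($zone in @($DomainName, "_msdcs.$DomainName")) {
    foreach ($rr in Get-ZoneNsRecords $zone) {
        $ns = $rr.RecordData.NameServer.TrimEnd('.').ToLower()
        if ($dcNames -contains $ns) { Write-Host "OK    $zone NS $ns" }
        else { Write-Warning "STALE $zone NS $ns is not a current DC; confirm it is not a real secondary, then remove it" }
    }
}

# gpupdate on a client cannot bind to a DC without this locator record resolving.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No _ldap._tcp.dc._msdcs SRV record; run 'nltest /dsregdns' on the DC" }
else { $srv | Where-Object Type -eq 'SRV' | ForEach-Object { Write-Host "SRV -> $($_.NameTarget):$($_.Port)" } }

# Same bind ldp.exe performs (Negotiate, signed and sealed). An error 49 here means
# the DC rejected the credentials, which points at the account rather than at DNS.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainName)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
try { $conn.Bind(); Write-Host "LDAP bind OK as $env:USERDOMAIN\$env:USERNAME" }
catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "LDAP bind failed: error $($_.Exception.ErrorCode) $($_.Exception.Message)"
}
```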