LDAP Binding Error Applying GPOs

Hello,
We are starting to apply GPOs to our live domain, and we are running into some problems that our test domain didn't have.

All local machines are running on Windows 7 pro.

When I enforce Group Policy using gpupdate /force everything runs fine on the DC but when I go to the local machine I get the following error when I run gpupdate /force: LDAP Bind Function Call Failed with error code 49

So I did some research on this error and found out that Microsoft says this is a profile issue. So I proceeded to investigate. I found a tool from Sysinternals to check whether I had any corrupted profiles:
Using PSTools I ran this from an elevated cmd prompt:
PsExec.exe -i -s cmd.exe
rundll32.exe keymgr.dll, KRShowKeyMgr
No corrupted profiles, as I suspected, since this is a brand new install on a local machine.

Next I checked to see if I had Authenticated Users in the Delegation tab, and yep, I do.
Next I tried restarting the Netlogon service. That still didn't work. I tried restarting the server too, and that didn't work.

I have tested my secure channels following this article:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

I checked the Netlogon service, and it is set to the default Local System account on the server (starting automatically).

The only forwarder that we have is 8.8.8.8.

No External DNS servers.

We only have one DNS server.

Kerberos policy is set to 5 minutes.

I have run a klist tickets cmd and I only have one ticket come back, and it was mine. Guid._msdcs.DomainName.com could not be resolved to an IP address.

I have run DCDiag /test:DNS and it came back with an error:

Summary of DNS test result:

Auth=Pass, Basc = Fail, Forw=Pass, Del=Pass, Dyn=Warn,RReg=Fail, Ext= n/a

I also ran dcdiag /test:registerindns /dnsdomain:DomainName.com

result: DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS
DcDiag cannot reach a conclusive result because it cannot interpret the following message that was returned: 9003

I also ran nltest /dsregdns and I am still having DNS issues.

I have deleted the CNAME record in the DNS folder for the DC and re-added it to the DNS folder, and still no different results.
Following this article here:
https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

The firewall is on the outside of the network protecting the computer inside the domain. So there is no DC between the firewall that I am aware of.

We did correct a time issue where the server was getting the time from the local server. We changed that to an external source from the pool IP addresses, and now all local machines are running on the correct time.

I've even checked with wireshark and I do see errors but I'm not sure this is the source of my problem.

So I decided to do some more research and found out that it could possibly be a DNS error. So I thought I would try leaving the domain and re-adding the machine; that didn't work. I even looked to see if I had any additional hosts files that I shouldn't have. Nope, nada.

I honestly don't know what to do next.

I did find out that we had some subcontractors in our domain controller, and it appears that they may have messed some things up. For instance, we were not getting any reverse lookups at all; now that is corrected. There are two NS server file names which are still there, but I don't think we need two.
I will say that when I was looking through event logs I saw the error code 1222 right beside the error code 49, and I am wondering if the two are related or not. Although this computer hasn't ever been off of our domain, so I am not sure how it would get the 1222 error code.
This has even happened on a brand new install computer too.

Has anyone else run into this issue?
I have done lots of research and there do seem to be a lot of LDAP binding issues among other users, but those seemed to get fixed relatively easily. So I'm not sure what else to do.
I'm open to suggestions and ideas.

I am thinking that this is a DNS issue. But for some reason I still can't seem to get this resolved. I'm not seeing anything out of the ordinary in the DNS role on the server.

Thanks!
Phil (BIT Helpdesk Technician) asked:

Phil (BIT Helpdesk Technician, Author) commented:
Oh, in our DNS folder we had an extra NS file (Name Server), and I had no idea why it was there. I ran nslookup to verify which NS was the correct one and deleted the other one.

We had issues with our DNS, and we had subcontractors in there who messed a bunch of stuff up. Also, my colleagues stated that they always had issues with connectivity. I wasn't here when they implemented the new AD, and they told me they had all sorts of issues with it.

So that is why I started to investigate the DNS.
0
 
Learnctx (Engineer) commented:
When I enforce Group Policy using gpupdate /force everything runs fine on the DC but when I go to the local machine I get the following error when I run gpupdate /force: LDAP Bind Function Call Failed with error code 49

Error Code 49 with LDAP is usually related to invalid credentials. See Microsoft documentation around Error Code 49 and LDAP here.

Are there any issues with the computer or user accounts (disabled, etc.)? I'm going to say no because you can log on.
Does it do this for all computers/users in scope of the GPO?
What results do you get for gpupdate /force /target:user?
What results do you get for gpupdate /force /target:computer?
Does the user account have any logon time restrictions?

I'm leaning toward a user account issue or a DNS issue.
0
 
yo_bee (Director of Information Technology) commented:
GPUPDATE /FORCE does not have any options other than for /force.

Here are all the switches for GPUPDATE:
https://technet.microsoft.com/en-us/library/bb490983.aspx

Gpupdate

Refreshes local and Active Directory-based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.

Syntax

gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]


Parameters

/target: { computer | user }  : Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.

/force   : Ignores all processing optimizations and reapplies all settings.

/wait: value    : Number of seconds that policy processing waits to finish. The default is 600 seconds. 0 means "no wait"; -1 means "wait indefinitely."

/logoff   : Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot   : Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/? : Displays help at the command prompt.

0
 
Learnctx (Engineer) commented:
GPUPDATE /FORCE does not have any options other than for /force.

Well, the help text you have pasted says otherwise and it works fine for me. Microsoft's documentation also says otherwise as per the docs site here:

gpupdate [/target:{Computer | User}] [/force] [/wait:<VALUE>] [/logoff] [/boot] [/sync] [/?]


Running /force with the /target switch has the intended outcome, as per the command line parameters, of processing the user settings only.

 cap1.jpg
The event logs show the same outcome too. Or am I misunderstanding what you're saying?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
I am going to test this tomorrow to see if I can enforce just one or the other.

Also, after looking at my dcdiag DNS test results, I think I am going to run PortQryUI from Microsoft again and see which ports are open and which ones are closed.

But another issue in my DNS server is that I have two name servers (NS), which from what I have studied I should only have one of. But I am not sure this would be causing my LDAP issues.
0
 
yo_bee (Director of Information Technology) commented:
Are you pointing all clients to your DC for DNS?

Maybe post an IPCONFIG from one of the client machines.
0
 
Learnctx (Engineer) commented:
But another issue in my DNS server is that I have two name servers (NS), which from what I have studied I should only have one of.

You can have many name servers. I currently have ~150 name servers in my primary domain (just all DCs). But what I would say is: how many domain controllers do you have? I assume you are using AD integrated DNS. So if you have 3 DCs, you should have the same number of name servers. And your client should be using the DNS servers you have specified in your DHCP configuration, unless otherwise overridden manually. I would be checking all of your DNS settings.

  • DNS servers on your DC's NIC config.
  • DNS servers on your client NIC config.
0
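The check Learnctx describes above (NS records in the zone should match the domain's DCs, and every client should resolve only through a DC), as an added PowerShell example that is not part of the thread. It also queries the _msdcs child zone and the DC locator SRV record, since dcdiag's RReg test and the later "_msdcs zone not found" warning both concern those. It assumes a domain-joined machine with the RSAT ActiveDirectory module; the domain name is read from Get-ADDomain.

```powershell
# Added example (not from the thread): compare the NS records published for the
# AD domain and its _msdcs child zone against the domain controllers that AD
# itself knows about, then show which DNS servers this client is using.
# Assumes RSAT (ActiveDirectory module) on a domain-joined machine.
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$DcNames = (Get-ADDomainController -Filter *).HostName |
           ForEach-Object { $_.ToLower().TrimEnd('.') }

foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    try {
        $ns = Resolve-DnsName -Name $zone -Type NS -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' } |
              ForEach-Object { $_.NameHost.ToLower().TrimEnd('.') }
    } catch {
        # A failed NS lookup for _msdcs.<domain> matches the "zone not found" DNS warning
        Write-Warning "NS lookup for $zone failed: $($_.Exception.Message)"
        continue
    }
    Write-Host "Zone $zone publishes $(@($ns).Count) NS record(s); AD knows $(@($DcNames).Count) DC(s)"

    # An NS record naming a host that is not a current DC is stale: a demoted DC,
    # or a server someone added by hand. Clients handed that NS may bind nowhere useful.
    $stale = @($ns | Where-Object { $_ -notin $DcNames })
    if ($stale.Count) { Write-Warning "Stale NS record(s) in ${zone}: $($stale -join ', ')" }

    # A DC with no NS record has not registered itself (dcdiag RReg=Fail territory)
    $missing = @($DcNames | Where-Object { $_ -notin $ns })
    if ($missing.Count) { Write-Warning "DC(s) with no NS record in ${zone}: $($missing -join ', ')" }
}

# The DC locator record gpupdate and the LDAP client ultimately depend on
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { Write-Warning "No _ldap._tcp.dc._msdcs SRV record found for $Domain" }
else { $srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize }

# DNS servers configured on this client's adapters: every entry should be a DC
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Run it on the DC and on an affected client; a stale NS entry, a missing SRV record, or a client adapter pointing at a non-DC resolver each shows up as a warning.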
 
Phil (BIT Helpdesk Technician, Author) commented:
But what I would say is how many domain controllers do you have?

We only have one Domain controller.

I assume you are using AD integrated DNS

Yes, I'm pretty certain it is an integrated DNS.

To answer your last question: yes, I have been checking them over and over again. I'm still relatively new to DNS servers, and we are a small company, so other people in our company don't have much experience either. This AD was not set up by us, which makes it more difficult to know what was done and what wasn't.


Are you pointing all clients to your DC for DNS?

Yes, they are all supposed to be pointing to this server. I do know there are a few that may not be, but the majority are.

Maybe post an IPCONFIG from one of the client machines.

I can post some tomorrow when I am at work.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Testing just the user and computer configuration came up with the same result.
0
 
yo_bee (Director of Information Technology) commented:
Can you post their IPCONFIG /ALL?
With one DC you have no replication related issues.
When you installed the ADDS role, do you recall if you were prompted to set up integrated DNS?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
When you installed the ADDS role, do you recall if you were prompted to set up integrated DNS?

Never installed it. This AD has been installed for about 5 years, so I have no idea how it was installed. I will say they have never tried to apply group policy until now.

With the ipconfig /all, I'm not really sure how much of that I can show for security reasons, since this is a public forum. What is it that you are looking for? Maybe I can confirm it.
0
 
yo_bee (Director of Information Technology) commented:
Ok.
When you run IPCONFIG does the client point to the DC or some other DNS server?
Group Policy is a major part of AD and should work without any issues.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
When you run IPCONFIG does the client point to the DC or some other DNS server?
Group Policy is a major part of AD and should work without any issues.


It points to the DC.

I've tried to use ldp.exe and it is telling me when I use my own credentials that the binding has failed, too.

On group policy in our test environment, off of the live network: Group Policy works great; I didn't have any issues. It's only when I went to the live domain that I started having problems.
0
 
yo_bee (Director of Information Technology) commented:
Your account may not be a Domain Admin.
This seems to be a very strange issue that I personally never have seen.  

You mentioned a test environment.  Is this test environment completely segmented from your production environment?
Is the same machine used to run against your test environment being used for your production one?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Your account may not be a Domain Admin.
This seems to be a very strange issue that I personally never have seen.  

You mentioned a test environment.  Is this test environment completely segmented from your production environment?
Is the same machine used to run against your test environment being used for your production one?

Sorry if I wasn't clear before. Yes, our test environment is completely off of our live domain. They have no connections whatsoever, not even internet connections.

The local machine that I have been using to test has never been on the test environment and has always been in the live domain.

On the Domain Admin part, are you referring to the AD or the local machine? Either way, I typically log in as the administrator on both, because I have found out that some things will not be applied unless I am the admin.

I hope that makes sense.

And yes, I know this is a tough one. I have been studying this issue for several weeks and it really has gotten me stumped. I've read article after article on how to correct this issue, and everything these articles (or blogs, or anything really) have suggested turns out not to be the answer.

I will say my colleagues have stated that since the inception of this AD they have ALWAYS (caps for emphasis) had connection issues. They can't ever seem to get that resolved fully. I'm wondering if the two are related somehow?
0
 
yo_bee (Director of Information Technology) commented:
It sure would seem so.
You mentioned that you have looked at your Event Logs and found the code 49, but are there other errors or warnings that jump out on both the system and application logs?

There may lie the smoking gun.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
You mentioned that you have looked at your Event Logs and found the code 49, but are there other errors or warnings that jump out on both the system and application logs?

There is a code that is right beside the code 49, and it is code 1222; those seem to be conjoined every single time I see that error.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
When I run ldp.exe I get this:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: <empty>
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Also, I noticed a somewhat new error today on the DNS role:

Issue:
The Active Directory integrated DNS zone _msdcs.Domain.com was not found.

Impact:
DNS queries for the Active Directory integrated zone _msdcs.Domain.com might fail.

Resolution:
Restore the Active Directory integrated DNS zone _msdcs.Domain.com.


How would I resolve this and would it be causing binding errors?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Looking at this https://www.experts-exchange.com/articles/1073/Diagnosing-and-repairing-Events-1030-and-1058.html

I have found another problem but I am not sure how to fix it.

My sysvol folder where the gpo is located is a subfolder of the sysvol.

So if I have this problem what is the best practice to correct this without taking down my live domain?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Found some brand new errors that were popping up today. These are on the client machine:

Name: Group Policy
Event ID: 1055
Error Code: 1355

Name: Schannel
Event ID: 36887
Error Code: 40

Name: Schannel
Event ID: 36888
Error Code: 10
Internal Error Code: 10

This was after I deleted the whole entire GPO and then I recreated the GPO and tried to enforce it.
0
 
yo_bee (Director of Information Technology) commented:
How many GPOs in total?

Some tools that you can use to help you narrow it down.
From the client's machine
  • RSOP
  • gpresult /h .\Filename.html

Machine with RSAT (your DC will 100% be able to do this)
  • GPMC > Group Policy Result  > Wizard

GPRESULT.png
I like using GPMC to get detail
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Yes I have already used those.

When I run gpresult /r it shows me that the group policy hasn't been applied on the user settings. Now if there is something else I should focus on the rsop then I'm all ears.

I have run that wizard, and you're right, it does give you tons of information. I will admit I am a tad green, so with all that information I'm not entirely sure if something is good or something is a little off.

When I am at work tomorrow I will run everything again, but all of these I know I have done at least once, if not multiple times, lol.
0
 
yo_bee (Director of Information Technology) commented:
From what you are saying it sounds like the computers are getting the settings and the users are not.

Do you have any special security set for the users, or maybe you have the GPO in a lower OU than the user objects, or blocked inheritance is applied?

There are so many possible things to look at.
  • Security Filtering
  • Blocked inheritance
  • Delegation
gpo1.png
GPO2.png
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Sorry I need to retract what I said above, because it doesn't seem like I said it correctly.

Both computer and user settings aren't being applied when I run gpresult /r (RSoP).

When I was thinking of user settings I was thinking of the group policy that we are trying to put in place. That one should be under user settings. The group policy that we are trying to configure is the screen saver lockout via group policy. But every time I try to force it on the client machine I get the LDAP binding error.
0
 
yo_bee (Director of Information Technology) commented:
Do you have a screenshot of your GPO (Redact any confidential info)?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Here is what I have, I'm not sure exactly what you are looking for:

Group-policy.PNG
0
 
yo_bee (Director of Information Technology) commented:
I was looking for what your security settings and OU hierarchy looks like.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
I was looking for what your security settings and OU hierarchy looks like.

Here is what our hierarchy looks like: OU-info.PNG
And here:
OU-info-2.PNG
For security is this what you are looking for?
Screen-saver-Permissions.PNG
0
 
yo_bee (Director of Information Technology) commented:
Do your users reside in the IT TEST GROUP OU?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Not all users! But for the purposes of group policies yes.
0
 
yo_bee (Director of Information Technology) commented:
Have you run an ldp.exe while connected to the DC?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
Yes:

Short answer and very last part:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
      {NtAuthIdentity: User='xxxx'; Pwd=<unavailable>; domain = 'DomainName.com'}
Authenticated as: 'DomainName\User'.

You know what, I notice a difference: I ran this before and I got a failure to bind. I am not seeing that now. I am going to hunt through the records that I have been keeping and see if I can show you a failed one.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
This is the error that I have seen before:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='xxxx'; Pwd=<unavailable>; domain = 'DomainName.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.

I never had it not be that error when I ran ldp.exe.

hmmmmmm.........................
0
 
yo_bee (Director of Information Technology) commented:
Found this thread on Microsoft:
https://social.technet.microsoft.com/Forums/ie/en-US/eccd931f-18e8-43f7-b563-3ac7ba84ee55/weird-ldp-issue?forum=winserverDS

Not sure if you tried using the pre-2000 format domain\user to log on?
0
 
Phil (BIT Helpdesk Technician, Author) commented:
The only thing I have changed today is that I deleted an extra NS file in the DNS role. That's the only thing I did. But when I ran a gpupdate /force after that, it still failed to apply the group policy.
So it seems like it is binding now. But if it is binding, then why is it giving me an error when I run gpupdate /force? Let me investigate a little more.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
I just re-ran gpupdate /force again, and it is not giving me any errors now.

So that extra NS file must have been causing those issues.
0
 
yo_bee (Director of Information Technology) commented:
What extra NS?
0
 
yo_bee (Director of Information Technology) commented:
There you go.  AD relies heavily on DNS.  

Good find.
0
 
yo_bee (Director of Information Technology) commented:
You do not have to award me points.  I did not give you anything that would have made you look at your NS.
0
 
Learnctx (Engineer) commented:
I'm not really sure how the points are being distributed here. If the problem was that there were extra name servers in your DNS zones, then the answer was given when I told you to validate the number of name servers in your DNS zones here. Instead you've picked an answer saying to try ldp.exe? This doesn't lead to a good outcome for someone coming along later looking into a similar issue.
0
 
yo_bee (Director of Information Technology) commented:
Still not sure why I am getting any points for this one.
0
 
Phil (BIT Helpdesk Technician, Author) commented:
It ended up being an extra NS (name server) in the DNS folder/role.
0