We are starting to apply GPOs to our live domain and we are running into some problems that didn't occur in our test domain.
All local machines are running on Windows 7 pro.
When I enforce Group Policy using gpupdate /force, everything runs fine on the DC, but when I go to the local machine and run gpupdate /force I get the following error: "LDAP Bind Function Call Failed with error code 49".
So I did some research on this error and found that Microsoft says this is a profile issue. So I proceeded to investigate. I found a tool from Sysinternals to check whether I had any corrupted profiles:
Using PSTools I ran this from an elevated cmd prompt:
PsExec.exe -i -s cmd.exe
rundll32.exe keymgr.dll, KRShowKeyMgr
No corrupted profiles, as I suspected, since this is a brand-new install on a local machine.
Next I checked to see if I had Authenticated Users in the Delegation tab, and yep, I do.
Next I tried restarting the Netlogon service. That still didn't work. I tried restarting the server too, and that didn't work.
I have tested my secure channels following this article:
I checked the Netlogon service on the server; it is set to the default Local System account and starts automatically.
The only forwarder that we have is 184.108.40.206.
No External DNS servers.
We only have one DNS server.
Kerberos policy is set to 5 minutes.
I ran a klist tickets command and only one ticket came back, and it was mine. Guid._msdcs.DomainName.com could not be resolved to an IP address.
I ran DCDiag /test:DNS and it came back with an error:
Summary of DNS test result:
Auth=Pass, Basc=Fail, Forw=Pass, Del=Pass, Dyn=Warn, RReg=Fail, Ext=n/a
I also ran dcdiag /test:registerindns /dnsdomain:DomainName.com
Result: DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS.
DcDiag cannot reach a conclusive result because it cannot interpret the following message that was returned: 9003
I also ran nltest /dsregdns and I am still having DNS issues.
I deleted the CNAME record for the DC in the DNS folder and re-added it, and still no different result.
Following this article here:
The firewall sits at the edge of the network, protecting the computers inside the domain, so as far as I know there is no firewall between the clients and the DC.
We did correct a time issue where the server was getting the time from the local server. We changed it to an external source (the pool IP addresses), and now all local machines are running on the correct time.
I've even checked with Wireshark, and I do see errors, but I'm not sure this is the source of my problem.
So I decided to do some more research and found out that it could possibly be a DNS error. So I tried leaving the domain and rejoining; that didn't work. I even looked to see if I had any additional hosts files that I shouldn't have. Nope, nada.
I honestly don't know what to do next.
I did find out that we had some subcontractors in our domain controller, and it appears they may have messed some things up; for instance, we were not getting any reverse lookups at all, and that is now corrected. There are also two NS server records still in there, but I don't think we need two.
I will say that when I was looking through the event logs I saw error code 1222 right beside error code 49, and I am wondering whether the two are related. This computer has never been off our domain, though, so I am not sure how it would get the 1222 error code.
This has even happened on a brand new install computer too.
Has anyone else run into this issue?
I have done lots of research, and there seem to be a lot of LDAP binding issues among other users, but those seemed to get fixed relatively easily. So I'm not sure what else to do.
I'm open to suggestions and ideas.
I am thinking that this is a DNS issue. But for some reason I still can't seem to get this resolved. I'm not seeing anything out of the ordinary in the DNS role on the server.
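As an added example (not part of the original post, and not a Microsoft tool), the script below collects the client-side evidence for this kind of failure in one run. LDAP result code 49 is "invalid credentials": the bind itself reached a server but the credentials presented were rejected. During gpupdate the client authenticates with its machine account against a DC it finds through the DNS locator records, so the three things to check on the affected machine are which DNS servers it actually uses and whether the _msdcs SRV/CNAME records resolve, whether the machine account's secure channel to the domain is intact, and whether the clock is within the Kerberos tolerance of the DC. It is meant to be run from an elevated PowerShell 2.0 prompt on the Windows 7 client, not on the DC; the domain name is a placeholder taken from the post, and the DC name is read from the locator output rather than assumed.

```powershell
# Added example, not part of the original post: client-side checks for the
# "LDAP Bind Function Call Failed, error 49" seen during gpupdate /force.
# Run from an elevated PowerShell prompt ON THE AFFECTED WINDOWS 7 CLIENT.
# Assumptions: the domain is 'DomainName.com' (placeholder from the post);
# nslookup, nltest, w32tm and Test-ComputerSecureChannel are present, as they
# are on a default Windows 7 install with PowerShell 2.0.
$Domain = 'DomainName.com'

# 1. Which DNS servers does the client actually use? For the DC locator to
#    work they must be the domain's DNS server(s), not an ISP forwarder.
Write-Host "== DNS servers configured on this client =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DNSServerSearchOrder | Format-List

# 2. Can the client find a DC through the locator SRV record?
#    Windows nslookup prints "svr hostname = <dc>" for every SRV answer.
Write-Host "== SRV lookup: _ldap._tcp.dc._msdcs.$Domain =="
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
$srv
$srvOk = [bool]($srv | Select-String 'svr hostname')
Write-Host "SRV record found: $srvOk"

# 3. Ask the DC locator itself; this is the path gpupdate relies on.
#    /force bypasses the cached DC so a stale answer does not mask the problem.
Write-Host "== nltest /dsgetdc =="
$dsgetdc = nltest "/dsgetdc:$Domain" /force
$dsgetdc
$dcName = $null
$m = $dsgetdc | Select-String 'DC:\s+\\\\(\S+)'
if ($m) { $dcName = $m.Matches[0].Groups[1].Value }
Write-Host "DC returned by locator: $dcName"

# 4. Is the machine account's secure channel with the domain still valid?
#    A broken channel means the machine credentials used for the LDAP bind
#    are rejected (this is what a leave/rejoin is supposed to repair).
Write-Host "== Machine account secure channel to $Domain =="
try {
    $scOk = Test-ComputerSecureChannel -Verbose
} catch {
    $scOk = $false
    Write-Warning $_.Exception.Message
}
Write-Host "Secure channel OK: $scOk"

# 5. Clock offset against the DC. Kerberos rejects tickets outside the
#    configured skew (5 minutes in the post), which also breaks the bind.
if ($dcName) {
    Write-Host "== Clock offset against $dcName (3 samples) =="
    w32tm /stripchart "/computer:$dcName" /samples:3 /dataonly
}

# 6. The DSA GUID CNAME under _msdcs, the record klist/nltest complained
#    about. The GUID is the objectGUID of the DC's NTDS Settings object;
#    RootDSE exposes that object's DN as dsServiceName.
Write-Host "== DSA GUID CNAME in _msdcs.$Domain =="
try {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $ntdsDn  = $rootDse.Properties['dsServiceName'].Value
    $ntds    = [ADSI]"LDAP://$ntdsDn"
    $bytes   = [byte[]]$ntds.Properties['objectGUID'].Value
    $dsaGuid = New-Object Guid (,$bytes)
    Write-Host "Expected record: $dsaGuid._msdcs.$Domain"
    nslookup -type=CNAME "$dsaGuid._msdcs.$Domain"
} catch {
    Write-Warning "Could not read the DSA GUID over LDAP: $($_.Exception.Message)"
}
```

Read the results together rather than one at a time: if step 2 or 3 fails, the client is not using the domain's DNS server (or the locator records were never registered) and nothing later can succeed; if they pass but step 4 reports a broken channel, the problem is the machine account rather than DNS; if both pass and step 5 shows an offset beyond the Kerberos tolerance, fix time first and retest. Step 6 reading the GUID over LDAP while nslookup cannot resolve the CNAME points at the _msdcs zone on the DC itself, which is the "RReg=Fail" that dcdiag reported.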