Event ID: 1006 Source: Microsoft-Windows-GroupPolicy

Level
Description
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
Comments
 
We received this error (recorded 15 times per day) on a Windows 7 workstation that had the admin account logged in. Trying the GPUpdate.exe /force command would fail.

Using the GPRESULT /H GPReport.html command, we noticed that the error was caused by a failure to authenticate. After further investigation, we discovered that the password for the admin account was recently changed, so the local system was trying to access the group policy using expired credentials. After the account was logged out and logged back in, the forced update of the group policy worked fine and the error stopped.
On a Windows 7 workstation this issue was caused by corrupted cached credentials for the domain controller in the Credential Manager. Deleting the cached credentials in Control Panel->Credential Manager for the server and the domain user account, followed by a reboot, resolved the issue.
Error code 82 - In my case we had a disconnected but logged on session from a contractor account that has also since expired according to expiry settings. When the regular Policy refresh cycle tries to apply policy it fails due to the account being invalid/expired. Fixed by logging off the expired account.
In our case, the server did not have the WINS servers' IP addresses added in the IP settings. Once we added them, the server was able to connect to the domain controllers to access the group policy.
On a newly promoted Windows 2008 R2 in a 2003 forest, it happened because the computer object was not in the domain controller OU, did not have the right firewall policy for a 2008 DC, and did not have the right UserAccountControl attribute set. To fix it:
- move the object to the right OU
- update the UserAccountControl to 532480
- set the IP of the first DNS server to the PDC emulator or a healthy DNS in the domain
- reboot
- force the sync using Syncall after 30 minutes. Run DCdiag and repadmin /showconn and /showrepl to ensure that previous issues are gone.

Wait a couple of hours (in my case I waited 6 hours). In the GroupPolicy event log, event 7017/GroupPolicy "The LDAP call to connect and bind to Active Directory completed. HOSTNAME-FQDN. The call failed after 0 milliseconds." becomes event 5017/GroupPolicy "The system call to get account information completed. HOST-DN The call completed in 0 milliseconds."


The Data portion of the event contains an error code and an error description that might offer some additional details about this problem.
Error code 81, Server Down - This was reported as being recorded on a multi-homed server where the TCP/IP stack configured for the second network card was pointing to itself as DNS server instead of the IP address for the first network card.

In my case, I had this on a SBS 2008. The ME939820 article applies if you have other errors as well. T727283 describes an instance of this error but the error that I'm getting (code 82) isn't documented in this article.

I think I've fixed my issue by editing the hosts file - it had an entry for the server in there. Had a look at another SBS 2008 server and it didn't have this entry in its hosts file. Deleted it so only localhost remains. Looks like the error has gone away, will see!
As per Microsoft: "This problem occurs because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service". See ME939820 for a hotfix applicable to Microsoft Windows Server 2003.
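
The comments above tie different fixes to the error code carried in the event's Data portion. The following script is an added example, not part of the original page: it groups Event ID 1006 records by computer and error code and attaches the checks reported above for codes 81 and 82. It assumes the Data fields are named ErrorCode and ErrorDescription and requires PowerShell 3.0 or later; the function name, host names and sample events are constructed for illustration.

```powershell
# Added example, not from the original page.
# Assumption: the event's Data portion names its fields ErrorCode and ErrorDescription.
# The hints restate what the comments on this page report for each code.
$Hints = @{
    '81' = 'Multi-homed server: check which DNS server each network card points to'
    '82' = 'Check for a disconnected session of an expired account, or a hosts file entry for the server'
}

function Get-Gp1006Summary {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    begin { $rows = @() }
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '1006') { return }  # skip other events
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $rows += [pscustomobject]@{
            Computer    = $evt.System['Computer'].InnerText
            ErrorCode   = $data['ErrorCode']
            Description = $data['ErrorDescription']
        }
    }
    end {
        # One output row per computer and error code, with the number of occurrences
        $rows | Group-Object Computer, ErrorCode | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Computer = $first.Computer; Count = $_.Count
                ErrorCode = $first.ErrorCode; Description = $first.Description
                Hint = $Hints[[string]$first.ErrorCode]   # empty for codes not covered above
            }
        }
    }
}

# Constructed sample events (hypothetical host names). On a live system, feed it with:
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'; Id=1006} |
#       ForEach-Object { $_.ToXml() } | Get-Gp1006Summary
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = "<Event xmlns='$ns'><System><EventID>1006</EventID><Computer>{0}</Computer></System>" +
            "<EventData><Data Name='ErrorCode'>{1}</Data><Data Name='ErrorDescription'>{2}</Data></EventData></Event>"
$sample = @(
    ($template -f 'ws01.example.local', '82', 'Local Error')
    ($template -f 'ws01.example.local', '82', 'Local Error')
    ($template -f 'srv02.example.local', '81', 'Server Down')
)
$sample | Get-Gp1006Summary | Format-Table -AutoSize
```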
