Question
Wednesday, October 26, 2016 8:49 PM
Hello,
One computer on my domain won't update group policy. Running gpupdate /force results in:
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
The Event Viewer Details tab shows Event 1006, Error Code 49 (Invalid Credentials). The same credentials work fine on other workstations, including GP updates. Logging on with different credentials to the problematic workstation results in the same errors. For the computer policy, the error is Event 1055 with ErrorCode 5 (Access Denied).
Strangely, Event viewer has another event with every Group Policy failed event, which says that Group Policy was processed correctly. Running gpresult returns:
INFO: The user "CONTOSO\user" does not have RSoP data.
I tried running the GP Results Wizard, but I got "No Mapping between account names and security IDs was done."
There are additional LSA errors in the Event Viewer which might be relevant. Event ID 40961, the message is "The Security System could not establish a secured connection with the server ldap/Server.CONTOSO.LOCAL/[email protected]. No authentication protocol was available." and "The Security System could not establish a secured connection with the server LDAP/Server.CONTOSO.LOCAL/[email protected]. No authentication protocol was available."
This issue is on only one workstation. nslookup resolves the DC and _ldap entries correctly.
One more thing I noticed, possibly related. Running ipconfig /displaydns shows gibberish entries, with the answer "Name does not exist". I looked for rogue processes or HOSTS entries, but found nothing.
All replies (10)
Thursday, October 27, 2016 1:04 AM
To clean this up, I would remove, then re-add this problematic workstation to the domain. It's likely the secure channel to the domain is broken and a remove/re-add will fix that. This kind of problem can happen when workstations are turned off for a really long time (> 30 days).
Best Regards, Todd Heron | Active Directory Consultant
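A way to check the broken-secure-channel theory before rejoining the domain, as an added example that is not part of the original thread. It collects the three event IDs quoted in the question and tests the machine account's channel; the 24-hour window is an assumption, and it targets Windows PowerShell 5.1 in an elevated session on the affected workstation.

```powershell
# Added example, not from the thread. Run elevated on the affected workstation.
# Event IDs are the ones quoted in the question; the 24-hour window is an assumption.
$since = (Get-Date).AddHours(-24)

# 1006 and 1055 are Group Policy errors, 40961 is the LSA error; all land in the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 1006, 1055, 40961
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not a failure here

# One line per event, oldest first, so the LSA and Group Policy errors can be correlated in time.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Verify the machine account's secure channel to the domain.
# Returns $true when the channel is healthy, $false when it is broken.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

# Cross-check with nltest against the domain this computer believes it is joined to.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
nltest /sc_verify:$domain

# List Kerberos tickets held by the computer account (LocalSystem logon session 0x3e7).
# Compare the output with a workstation where Group Policy applies normally.
klist -li 0x3e7
```

If `Test-ComputerSecureChannel` returns `$true` while event 40961 keeps appearing, the machine account password is probably not the problem and the failure lies in how the workstation obtains tickets for the `ldap/` service.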
Thursday, October 27, 2016 2:19 PM
I tried that twice. The workstation wasn't off for a long time, either.
I will add that this workstation was upgraded to Windows 10.
Friday, October 28, 2016 7:37 AM
Hi Davd Davd,
"I will add that this workstation was upgraded to windows 10."
Is this machine upgraded from a "Home" version?
Please take the following steps to troubleshoot this issue.
1. Open an administrator command line and run "sfc /scannow" or "dism /online /cleanup-image /restorehealth" to check the health of system files.
2. Try to clear the DNS cache with "ipconfig /flushdns".
3. Configure the DC's DNS as the DNS server.
4. I noticed there is an "Access denied" issue. We could refer to the following link to troubleshoot it with Process Monitor.
Using Process Monitor to solve any problem, including DebugDiag
https://blogs.msdn.microsoft.com/benjaminperkins/2013/05/03/using-process-monitor-to-solve-any-problem-including-debugdiag/
Best regards
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, November 2, 2016 3:57 PM
Hi Davd Davd,
"I will add that this workstation was upgraded to windows 10."
Is this machine upgraded from a "Home" version?
Please take the following steps to troubleshoot this issue.
1. Open an administrator command line and run "sfc /scannow" or "dism /online /cleanup-image /restorehealth" to check the health of system files.
2. Try to clear the DNS cache with "ipconfig /flushdns".
3. Configure the DC's DNS as the DNS server.
4. I noticed there is an "Access denied" issue. We could refer to the following link to troubleshoot it with Process Monitor.
This machine was upgraded from Home, around a year ago. It was updated to Windows 10 a few months ago.
I tried your first 2 suggestions earlier.
The DC is the DNS server.
I tried Procmon, but all I see is lots of retries by lsass. What should I be looking for?
Thank you for your help.
Thursday, November 3, 2016 9:03 AM
Hi Davd Davd,
"I tried Procmon, but all I see is lots of retries by lsass. What should I be looking for?"
Refer to the link I posted to list the "Access denied" errors and check the permissions. Turn off the firewall and the antivirus software temporarily.
"This machine was upgraded from Home"
Many users have reported that machines upgraded from the Home version won't work well with the domain, and it should be fixed by the recent update. The previous solution is to perform an in-place upgrade repair.
Best regards
Thursday, November 3, 2016 4:33 PM
"I tried Procmon, but all I see is lots of retries by lsass. What should I be looking for?"
Refer to the link I posted to list the "Access denied" errors and check the permissions. Turn off the firewall and the antivirus software temporarily.
"This machine was upgraded from Home"
Many users have reported that machines upgraded from the Home version won't work well with the domain, and it should be fixed by the recent update. The previous solution is to perform an in-place upgrade repair.
The link you posted refers to "Access Denied" errors for file access. There are no Access Denied errors in my Procmon log, since Group Policy is not processed locally. Besides, gpupdate always runs as a privileged user, AFAIK.
This machine is fully updated.
I'm not sure, but I think the issues started after the Anniversary update was installed.
Wednesday, November 9, 2016 6:23 AM
Hi Davd Davd,
How is the issue going? Is there any update?
Can you access the "sysvol" folder on the DC with both the IP address and the FQDN? Have you tried performing an in-place upgrade repair?
Best regards
Wednesday, November 9, 2016 10:05 PM
I can access the SYSVOL folder just fine at \\server\sysvol, but using \\ipaddress\sysvol, I get a credentials window where no credentials are accepted.
That's the same result which I get on other workstations on the domain, where Group Policy is applied with no issue.
I tried to perform a "Reset", but the only option I got was for erasing all installed apps and keeping only the files. That's basically equivalent to a clean re-install, which I was trying to avoid.
Monday, November 14, 2016 8:43 AM
Hi Davd Davd,
An in-place upgrade (boot from Windows 10 installation media and choose the "upgrade" install) won't affect your programs and files. Please make an image backup in case of any unexpected data loss.
Best regards
Tuesday, November 15, 2016 7:51 PM
An in-place upgrade (boot from Windows 10 installation media and choose the "upgrade" install) won't affect your programs and files. Please make an image backup in case of any unexpected data loss.
Hi,
I tried the in-place upgrade. No difference.