0

Here's the situation:

A single Domain Controller existed, Windows 2008 SBS server with 2008 functional level. At some point 3-4 years ago, the whole domain was successfully transferred to a 2016 server (was added as a secondary server and all roles were transferred to it) and the SBS server was demoted and removed. The domain still remains at 2008 functional level though.

About a week ago, several changes occurred in the domain policies. All policies of the old SBS domain were removed and a new policy was created. From that point on, all clients (Win 10) were able to perform a gpupdate and receive the new policies, except one. This one client, on gpupdate produces the following error (in both computer and user parts):

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

In EventLog, an error 1006 with error code 49 (Invalid Credentials) exists. I have tried gpupdate from the specific PC using 2 different domain accounts (1 domain admin & 1 domain user, both local admins though) without any luck. This computer seems to still follow the old policies. It has been removed from the domain and re-added, either with the same name or with a different name but nothing changed. I have also noticed that in the Ethernet card status, it is reported that it is connected to the domain but that domain is "unverified" and the connection is "public".

I have also tried several other things i found in the internet about checking the dns records (if the IP is correct and if the reverse lookup has a record), executing "GPRESULT /H GPReport.html" or enabling netlogon debugging by altering the DBFlags registry value, sadly i couldn't understand what was the problem. After a couple of days searching, i still haven't figured out if the problem is in the server or the client side, or both.

What should be checked and where, in order to better understand the nature of the error and finally solve it?

EDIT1: Today, after starting up the pc, logging in and manually executing gpupdate /force, i noticed that the first time it run, it took quite some time (nearly 5 mins). Subsequent times, it returned the error after 10 secs.

EDIT2: Perhaps i should have also mentioned that this is a devel pc, with several virtual network cards on it (including virtualbox and several vpn software).

FaultyOverflow
  • 56
  • 4
  • Does user authentication work on this computer? Can you log on to it with a non-cached domain user account? – Massimo Apr 22 '21 at 21:06
  • Yes. I have tried with an account that had never logged-in from that pc and it worked fine. It's just gpupdate that's failing... – FaultyOverflow Apr 23 '21 at 08:15

1 Answers1

0

For future reference, i was finally able to resolve this issue. After trying several things for more than 3 days, i discovered the answer hidden in the following thread, in the post of Arena Joe (Aug 25, 2017 at 20:52 UTC).

https://community.spiceworks.com/topic/1721773-group-policy-update-fails-with-event-1006-error-49

The IP of the DC was placed in the hosts file. I can't understand why this might be causing a problem, but i removed it and the computer performed the gpupdate normally!

FaultyOverflow
  • 56
  • 4