AndrewMcHale
Posts:0
04/16/2010 3:22 PM
Hi all,
Sorry to bother you on a Friday.
I'm trying to set up a new Win7 machine on our network. I'm doing it from my home office over an SSL VPN.
I managed to get the machine joined to the domain fine, although I had to set the DNS to our internal DNS servers at the office, and I added all our servers (only 6) to the hosts file for 'belt and braces'.
I'm logged onto the laptop as a user from the domain who I've made a local machine admin for the time being for simplicity.
When I run gpupdate (from an elevated command prompt) it says 'User Policy update has completed successfully' but it fails the computer policy update. It says it could not authenticate to a domain controller.
How can it update User Policy but fail on Computer Policy due to not authenticating to a DC?
I set up another machine in exactly the same way last week and GP ran through absolutely fine.
When I look in the Group Policy operational log on the machine there is a 7017 error - The LDAP call to connect and bind the Active Directory completed. The call failed after 359 milliseconds.
There is also a related error in the System log: 40961 - The Security System could not establish a secured connection with the server ldap/servername/xxxxxxxxxxxxxxxx. No authentication protocol was available.
I've read a bit about problems with the system error but it all seems to be relating to a hotfix for Win2003.
I can ping and RDP to the DC it is trying to use from the machine in question so I know there is no network reason why it can't authenticate to it.
Anyone got any suggestions to get this resolved or any diagnosis tips I should try?
Thanks
Andrew
DarraghOShaughnessy
Posts:161
04/16/2010 3:49 PM
Run nltest and netdiag to test the connection. Make sure DNS forward AND reverse lookup is working!!
Are you 100% sure that there was no computer account in the directory before you joined it to the domain? Has it been moved from the Computers container?
Turn on netlogon debug logging and userenv debug logging and check the logs.
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: xxxxxxxxxxxxxxxx
Ext: 2562
Direct Dial In: 01-7994028
Web Site: www.vhi.ie
Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
dmarelia
Posts:394
04/16/2010 4:57 PM
Yeah, it definitely sounds like you don't have a good secure channel connection from the machine to its DC. Nltest /sc_verify should show this.
Darren
AndrewMcHale
Posts:0
04/16/2010 5:57 PM
Hi Darragh & Darren,
Thanks for the quick replies.
Further info:
* There may have been another machine on the network in the past with the same name as this one, but it will have been years ago and wasn't there anymore (that I could see in ADUC)
* I have moved the computer object out of the Computers container and into a designated OU for department machines
* Netdiag does not seem to work on Windows 7 (I_NetNameCanonicalize error)
* RDNS appears to be working as 'ping -a <ip>' returns the correct server name, but just the server name not the FQDN if this makes a difference?
* 'nltest /sc_verify:domain.com' completes successfully
* 'nltest /dcname:domain.com' fails with NERR_DCNotFound
* 'nltest /dclist:domain.com' correctly lists both my DCs and identifies one of them as the PDC so I don't know why the previous command didn't work.
* The DC the machine is trying to authenticate against is not the PDC
This stuff is over my head so forgive stupid questions.
Would it be worth trying to get the machine to use the PDC to authenticate to instead of the DC it's using at the moment?
Isn't userenv logging enabled by default on Vista/7 and accessed via the Group Policy operational log in Event Viewer?
I've enabled netlogon debugging and had a quick look at the log but it means very little to me. What should I be looking for?
Thanks for the continued support.
Andrew
DarraghOShaughnessy
Posts:161
04/16/2010 8:09 PM
Use nslookup with FQDNs to fully test DNS forward and reverse. WINS forwarding may be enabled on the DNS servers.
Also, make sure you joined the computer to the domain using the FQDN of the domain, not the down-level domain name. If you used the down-level domain name, it could easily have been joined to a DC outside your site and replication intervals may mean your local DC has not got the computer object yet.
Silly question, but you did reboot after joining the domain, yes?
Regards,
Darragh O'Shaughnessy
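The checks the replies so far ask for (forward and reverse DNS by FQDN, the SRV records behind DC location, nltest against the DNS-based locator) as one script for a stock Windows 7 client. This is an added example and not code from any post in the thread; it uses only what ships on Windows 7 (PowerShell 2.0, nslookup.exe, nltest.exe; netdiag is not available there, as Andrew found). The domain name corp.example.com is a placeholder, and the DC names it reports come from nltest /dclist on whatever domain you pass. It queries nltest /dsgetdc, which goes through DsGetDcName, rather than nltest /dcname, which uses the older NetGetDCName path and is the one the thread reports failing.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 2.0 prompt on the
# Windows 7 client. 'corp.example.com' is a placeholder for the real DNS domain name.
param([string]$Domain = 'corp.example.com')

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}
$report = @()

# 1. Confirm the machine is a member of the domain this script is about to query.
$cs = Get-WmiObject Win32_ComputerSystem
$report += New-Check 'Member of expected domain' ($cs.Domain -ieq $Domain) $cs.Domain

# 2. The SRV records the DC locator queries. A hosts-file entry for a DC does not
#    replace these, which is why a DC can answer ping and RDP yet be "not found".
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $out   = nslookup -type=SRV $rec 2>&1 | Out-String
    $hosts = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
    $report += New-Check "SRV $rec" ($hosts.Count -gt 0) ($hosts -join ', ')
}

# 3. Forward and reverse DNS for every DC, by FQDN: the reverse answer should be the
#    same full name, not a bare host name and not a different host.
$dcs = @(nltest /dclist:$Domain 2>&1 | ForEach-Object {
    if ("$_" -match '^\s*(\S+)\s+\[(PDC|DS)\]') { $matches[1] }
})
foreach ($dc in $dcs) {
    try {
        $ip  = ([System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1).ToString()
        $rev = [System.Net.Dns]::GetHostEntry($ip).HostName
        $report += New-Check "Forward/reverse agree for $dc" ($rev -ieq $dc) "$dc -> $ip -> $rev"
    } catch {
        $report += New-Check "Forward/reverse agree for $dc" $false $_.Exception.Message
    }
}

# 4. Ask the DNS-based locator (DsGetDcName) for a DC, bypassing the cached answer.
$loc   = nltest /dsgetdc:$Domain /force 2>&1 | Out-String
$found = [regex]::Match($loc, 'DC:\s*\\\\(\S+)')
$report += New-Check 'DsGetDcName returns a DC' $found.Success $found.Groups[1].Value

$report | Format-Table Check, Pass, Detail -AutoSize
```

Run it as `.\Test-DcLocator.ps1 -Domain corp.example.com` with the real domain name. A failed SRV check or a reverse lookup that disagrees with the forward name is the thing to fix on the DNS side before touching the machine account; if all four checks pass and computer policy still fails, the problem is the secure channel itself rather than name resolution.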
gabro.net
Posts:13
04/16/2010 11:31 PM
Secure channel broken, machine local password and machine AD password are out of sync. I've seen that happening more than once over VPN. The only solution I know is to rejoin the PC to the domain to force a password resync. - Gabriele.
AndrewMcHale
Posts:0
04/19/2010 1:57 PM
Hi Guys,
Thanks for the advice, this seems to be a right mess!
I tried to rejoin the machine to the domain a couple of times, including deleting the account in AD between disjoining and rejoining, but this did not solve the problem.
So I gave up trying to do this remotely and took the machine to site (where it is now).
Still gpupdate /force would not work for the computer settings, even though the user settings applied fine.
It does appear that the secure channel is desynchronised.
Having read this article (http://support.microsoft.com/kb/216393/) I have tried all four methods of resetting the secure channel, except I had to swap netdom for the PowerShell command Reset-ComputerMachinePassword as this is a Windows 7 machine. None of these worked with various access denied errors.
So my simple question is: If I rebuild this machine, give it a different machine name and then connect it to the domain onsite (not over VPN) will this create a different completely unrelated computer account that "shouldn't" have this problem? Or will the hardware ID of the machine be the same and therefore somehow tie this laptop to this corrupted computer account?
Thanks guys
Andrew
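The secure-channel diagnosis and reset that the last few posts circle around (nltest /sc_verify, the KB216393 reset methods, Reset-ComputerMachinePassword on a machine without netdom), as one script for Windows 7. This is an added example and not code from the thread or from Microsoft. Beyond what the posts cover it adds two checks that belong in front of any reset: clock skew against the DC, which the thread does not mention but which Kerberos enforces, and a directory search for every object that still answers to this computer's name, which is the "machine with the same name years ago" question from Andrew's earlier reply. corp.example.com is a placeholder. The repair step needs a domain account allowed to reset the password on the computer object; a plain domain user, even one that is a local administrator on the laptop, is not, and that is the usual reason the reset tools return access denied.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# affected Windows 7 client. 'corp.example.com' is a placeholder for the DNS domain name.
# Diagnoses only by default; add -Repair to reset the machine account password.
param([string]$Domain = 'corp.example.com', [switch]$Repair)

$name = $env:COMPUTERNAME

# 1. State of the secure channel and the DC it is bound to. Test-ComputerSecureChannel
#    ships with PowerShell 2.0 on Windows 7, so no netdom or RSAT is needed for this.
$channelOk = Test-ComputerSecureChannel
"Secure channel usable: $channelOk"
nltest /sc_query:$Domain

# 2. Clock skew against the DC the locator returns. Kerberos rejects requests when the
#    clocks differ by more than the domain's tolerance (5 minutes by default), and a
#    laptop straight out of the box may never have synced. (Not raised in the thread.)
$dcLine = nltest /dsgetdc:$Domain 2>&1 | Where-Object { "$_" -match '^\s*DC:\s*\\\\' } | Select-Object -First 1
if ($dcLine) {
    $dc = "$dcLine" -replace '^\s*DC:\s*\\\\', ''
    # /dataonly prints "hh:mm:ss, +00.1234567s" per sample; the offset is in seconds.
    $sample = "$(w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Select-Object -Last 1)"
    "Clock offset versus ${dc}: $sample"
    if ($sample -match '([-+]?\d+\.\d+)s' -and [math]::Abs([double]$matches[1]) -gt 300) {
        "WARNING: skew exceeds the default 5-minute Kerberos tolerance; run 'w32tm /resync' first."
    }
}

# 3. Stale or duplicate directory objects for this name. A decommissioned machine of the
#    same name can leave an object that still carries HOST/<name> SPNs. The search runs as
#    the logged-on domain user, whose own authentication still works, so it succeeds even
#    while the machine's channel is broken.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(|(servicePrincipalName=HOST/$name)(servicePrincipalName=HOST/$name.$Domain)(sAMAccountName=$name`$))"
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'objectSid', 'whenCreated', 'pwdLastSet'))
$objects = @($searcher.FindAll())
foreach ($obj in $objects) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($obj.Properties['objectsid'][0], 0)
    "Object: {0}`n  SID: {1}`n  created: {2}`n  pwdLastSet: {3}" -f $obj.Properties['distinguishedname'][0], $sid,
        $obj.Properties['whencreated'][0], [DateTime]::FromFileTime($obj.Properties['pwdlastset'][0])
}
switch ($objects.Count) {
    0       { "WARNING: no object named $name in the directory; the join did not replicate or was removed." }
    1       { "One directory object for $name; its SID is the account the secure channel must match." }
    default { "WARNING: $($objects.Count) objects answer to $name; delete the stale one before repairing." }
}

# 4. Repair. Test-ComputerSecureChannel -Repair resets the computer account password on
#    the DC and on this machine, the job netdom /resetpwd does where netdom is installed.
#    The credential must be allowed to reset the password on this computer object.
if ($Repair -and -not $channelOk) {
    $cred = Get-Credential "$Domain\"   # prompts; supply an account with that right
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        "Secure channel repaired; run 'gpupdate /force' and expect computer policy to apply."
    } else {
        "Repair failed; remove any stale object listed above, then rejoin from the LAN rather than over the VPN."
    }
}
```

The order matters: fix skew and remove a stale object first, because a reset performed while either is still wrong succeeds on one side and immediately breaks again, which looks exactly like the "various access denied errors" described above. Reset-ComputerMachinePassword is the narrower alternative to step 4 on Windows 7; its -Credential parameter only arrived in PowerShell 3.0, which is why Test-ComputerSecureChannel -Repair is used here.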
hstraat
Posts:11
04/19/2010 3:23 PM
When you rebuild a machine (install from scratch) it will get a different machine SID and not be linked to the existing AD account as long as you give it another name. You might try the change-SID tool from Sysinternals, dunno if it is out for Windows 7 yet. That also changes the machine SID entirely.
regards,
Hans
AndrewMcHale
Posts:0
04/19/2010 4:49 PM
Hi Hans,
Thanks for the information.
I attempted a SysPrep but kept getting a fatal error. After some searching I found that SysPrep can fail on Windows 7 if a Windows Media Player process is running so I killed this and it started working. However, it failed again much later in the process although I think it had done the majority of the work.
I decided that all this messing around wasn't worth it, mainly for the underlying issues it might leave hanging around. This is a brand new laptop with nothing on it so I decided to restore the pre-shipped image and start again. It's currently doing that and then I will rejoin it to the network under a different name without using a VPN.
I'll assume that's fixed my problem but be straight back here if it doesn't.
Thanks to all for the help on what turned out to be OT (off topic).
Andrew
| DarraghOShaughnessy
Posts:161
 | | 04/19/2010 4:49 PM |
| An image shipped from an OEM?? Is the image activated?
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: xxxxxxxxxxxxxxxx <mailto:xxxxxxxxxxxxxxxx>
Ext: 2562
Direct Dial In: 01-7994028
Web Site: www.vhi.ie
Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html <http://www.ecofont.eu/ecofont_en.html>
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Andrew McHale Sent: 19 April 2010 16:40 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] LDAP Bind function call failed
Hi Hans,
Thanks for the information.
I attempted a SysPrep but kept getting a fatal error. After some searching I found that SysPrep can fail on Windows 7 if a Windows Media Player process is running so I killed this and it started working. However, it failed again much later in the process although I think it had done the majority of the work.
I decided that all this messing around wasn't worth it, mainly for the underlying issues it might leave hanging around. This is a brand new laptop with nothing on it so I decided to restore the pre-shipped image and start again. It's currently doing that and then I will rejoin it to the network under a different name without using a VPN.
I'll assume that's fixed my problem but be straight back here if it doesn't.
Thanks to all for the help on what turned out to be OT (off topic).
Andrew
From: hans straat [mailto:xxxxxxxxxxxxxxxx] Sent: 19 April 2010 15:17 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] LDAP Bind function call failed
When you rebuild a machine (install from scratch) it will get a different machine SID and not be linked to the existing AD account as long as you give it another name. Might you try change sid from Sysinternals? Dunno if it is out for Windows 7 yet. That also changes the machine SID entirely.
regards, Hans
| | | |
| AndrewMcHale
Posts:0
 | | 04/19/2010 6:01 PM |
| Hi Darragh,
Excuse my lack of terminology but if by OEM you mean an HP laptop bought from a high street retailer in a retail box with Windows 7 preinstalled on it then yes.
Yes, Windows has activated on it if, again, you mean the process of the laptop automatically going off to the MS servers and verifying that the OS installed is genuine. The rebuild has now completed and the laptop has successfully activated a second time. I shall save re-adding it to the domain until tomorrow morning now.
Does the above change or affect your diagnosis of why the problem occurred or how it could have been fixed? As mentioned previously, I had successfully done the same procedure with another OEM laptop, this time a Dell, just a week earlier.
Thanks for your help and suggestions, it largely helped me diagnose the secure channel corruption.
Andrew
Andrew McHale
Technical Consultant
Synergix Auto-ID - Mobile Computing - Data Collection - Distribution
<http://www.synergix.co.uk/printracesahead>
*** Please note our new sales number below and update your records ***
Unit B1, Waterside Park, Cookham Road, Bracknell, Berkshire, RG12 1RB Sales: 0844 875 8292 or +44 (0) 1344 312 770
Customer Services: +44 (0) 1344 312 795
Accounts: +44 (0) 1379 646 893
Support: +44 (0) 1344 312 777 Fax: +44 (0) 1344 409 227 www.synergix.co.uk <http://www.synergix.co.uk/>
For great deals on surplus stock visit Barcode-Bargains.co.uk <http://www.barcode-bargains.co.uk/>
A division of Midwich Ltd. Registered in England, no. 01436289. Registered office - Gilray Road, Diss, Norfolk, IP22 4YT. VAT no. 765331722.
To view Synergix's email disclaimer please click here <http://www.synergix.co.uk/emaildisclaimer.php> or go to http://www.synergix.co.uk/emaildisclaimer.php <http://www.synergix.co.uk/emaildisclaimer.php> .
| | | |
| DarraghOShaughnessy
Posts:161
 | | 04/19/2010 9:46 PM |
| Just wondering because if it's an OEM image then you can be fairly sure that it was sysprep'd properly as they do thousands of them.
It's a strange one this. What exact version of Windows 7 is it?
| | | |
| gabro.net
Posts:13
 | | 04/20/2010 12:22 AM |
| DCs will log clients with broken security channel attempting to authenticate against AD, you may look at DC event log (I don't recall precisely, but it should be under the system node). Gabriele.
| | | |
| AndrewMcHale
Posts:0
 | | 08/06/2010 4:15 PM |
| Hi all,
I just wanted to follow up on this question I posted back in April.
To remind you, I was getting the error "LDAP Bind function call failed" when updating GP on a newly deployed Win 7 Pro laptop, but only for the Computer configuration part, user policy updated fine.
The list thought the problem was to do with an out of sync secure channel password. I originally resolved the problem by reinstalling the brand new Win 7 laptop that it occurred on, having tried every documented way to reset the secure channel password.
Yesterday I had the same problem suddenly appear on my own Win 7 Ultimate workstation, having made no changes other than adding a new network printer to a GPO.
After some searching someone said they had tracked the problem down to being DNS related and resolved the problem by taking entries out of the local hosts file. I did this (after having tried to reset the secure channel again) and it worked instantly. So it looks like there might be some issue with Win 7 and the hosts file.
Hope this helps someone else one day.
Andrew
| | | |
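The post above tries every documented way to reset the secure channel and gets "access denied" each time. The script below is an added example, not code from this thread or from Microsoft: it shows the check-before-reset sequence a Windows 7 client admin would run, using the PowerShell 2.0 cmdlets the post mentions, and adds the DC-side check Gabriele describes (NETLOGON events in the DC's System log) so the failure can be seen from both ends. `example.local`, `dc01.example.local` and `EXAMPLE\account-with-reset-rights` are placeholders for your own environment. The reset uses explicit credentials rather than the machine's own (possibly broken) credentials, which is the usual way round an "access denied" at that step, although the thread does not confirm that this was the cause in Andrew's case.

```powershell
# Added example, not code from the thread. Checks the secure channel of a
# Windows 7 client and, only when -Repair is given, resets it with explicit
# credentials rather than the (possibly broken) machine credentials.
# Run from an elevated PowerShell 2.0 session on the client.
# Domain and DC names below are placeholders.
param(
    [string]$DomainName       = 'example.local',       # placeholder
    [string]$DomainController = 'dc01.example.local',  # placeholder
    [switch]$Repair                                    # change nothing unless asked
)

function Test-SecureChannelState {
    # Test-ComputerSecureChannel validates the machine account password
    # against the named DC; nltest /sc_query shows which DC the channel is
    # bound to and the last NETLOGON status (0 0x0 NERR_Success when healthy).
    $ok     = Test-ComputerSecureChannel -Server $DomainController -Verbose
    $nltest = & nltest.exe "/sc_query:$DomainName" 2>&1
    New-Object PSObject -Property @{
        SecureChannelOK = $ok
        NltestOutput    = ($nltest -join "`n")
    }
}

function Reset-SecureChannelWithCredential {
    param([System.Management.Automation.PSCredential]$Credential)
    # Reset-ComputerMachinePassword writes a fresh machine-account password
    # both locally and on the named DC. The supplied account needs the
    # "Reset password" right on the computer object (Domain Admins have it by
    # default); lacking that right is the usual source of "access denied" here.
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
    # -Repair rebuilds the channel using $Credential and returns $true on success.
    Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential
}

function Get-DcSecureChannelFailures {
    param([string]$ClientName = $env:COMPUTERNAME, [string]$Dc = $DomainController)
    # The DC-side view: NETLOGON writes failed session setups to the DC's
    # System log. 5805 = the client's password did not match,
    # 5723 = no matching computer (trust) account exists.
    # Needs permission to read the DC's event log remotely.
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805, 5723
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ClientName) } |
        Select-Object TimeCreated, Id, Message
}

# Diagnose first; reset only when asked and only when the channel really is broken.
$state = Test-SecureChannelState
Write-Output $state.NltestOutput
if ($state.SecureChannelOK) {
    Write-Output "Secure channel to $DomainController is healthy; look elsewhere (DNS, hosts file)."
} else {
    Write-Output "Secure channel is broken. DC-side NETLOGON failures for this client:"
    Get-DcSecureChannelFailures | Format-Table -AutoSize
    if ($Repair) {
        $cred = Get-Credential 'EXAMPLE\account-with-reset-rights'   # placeholder user name
        if (Reset-SecureChannelWithCredential -Credential $cred) {
            Write-Output 'Secure channel repaired; run gpupdate /force to confirm computer policy now applies.'
        }
    }
}
```

Run it once without `-Repair` to see the nltest status and any matching NETLOGON events on the DC; a healthy channel with computer policy still failing points away from the machine password and towards name resolution, which is where the follow-up later in this thread ended up.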
| dmarelia
Posts:394
 | | 08/06/2010 4:17 PM |
| Thanks for that, Andrew. Good info. What were you using the local Hosts file for? Or was it just the default entries in there?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Andrew McHale Sent: Wednesday, June 30, 2010 1:57 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] LDAP Bind function call failed
Hi all,
I just wanted to follow up on this question I posted back in April.
To remind you, I was getting the error "LDAP Bind function call failed" when updating GP on a newly deployed Win 7 Pro laptop, but only for the Computer configuration part; user policy updated fine.
The list thought the problem was to do with an out of sync secure channel password. I originally resolved the problem by reinstalling the brand new Win 7 laptop that it occurred on, having tried every documented way to reset the secure channel password.
Yesterday I had the same problem suddenly appear on my own Win 7 Ultimate workstation, having made no changes other than adding a new network printer to a GPO.
After some searching, someone said they had tracked the problem down to being DNS related and resolved the problem by taking entries out of the local hosts file. I did this (after having tried to reset the secure channel again) and it worked instantly. So it looks like there might be some issue with Win 7 and the hosts file.
Hope this helps someone else one day.
Andrew
From: Gabriele Scolaro [mailto:xxxxxxxxxxxxxxxx] Sent: 19 April 2010 23:50 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] LDAP Bind function call failed
DCs will log clients with broken security channel attempting to authenticate against AD, you may look at the DC event log (I don't recall precisely, but it should be under the "system" node). - Gabriele.
| | | |
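Andrew's follow-up found that removing entries from the local hosts file fixed the computer-policy failure on two machines, and Darren asks what those entries were for. The script below is an added example, not code from this thread: it audits the hosts file on a Windows client and classifies each entry against what DNS itself returns, flagging domain controllers that have been pinned in the file (the original post added "all our servers" there) and entries whose address no longer matches DNS. It resolves through `nslookup.exe` rather than `[System.Net.Dns]` because the .NET resolver consults the hosts file first and would just echo the entry back. Nothing is modified unless `-Disable` is passed, and a timestamped backup is written first. The verdict names are my own labels, not Windows terms.

```powershell
# Added example, not code from the thread. Audits the Windows hosts file for
# entries that shadow DNS, which is what Andrew's June follow-up found to be
# the trigger. Nothing is modified unless -Disable is given, and a backup is
# written first. Run elevated if you use -Disable.
param([switch]$Disable)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-DomainControllerNames {
    # FQDNs of the current domain's DCs from the DC locator (.NET, using the
    # logged-on user's credentials, which still work in this scenario).
    try {
        $d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        @($d.DomainControllers | ForEach-Object { $_.Name })
    } catch { @() }
}

function Get-HostsEntries {
    # Each "IP name [alias ...]" line becomes one object per name; comments,
    # blank lines and localhost are skipped.
    Get-Content $HostsPath | ForEach-Object {
        $raw  = $_
        $body = ($raw -split '#')[0].Trim()
        if ($body) {
            $parts = $body -split '\s+'
            if ($parts.Length -ge 2) {
                foreach ($name in $parts[1..($parts.Length - 1)]) {
                    if ($name -ieq 'localhost') { continue }
                    New-Object PSObject -Property @{ IP = $parts[0]; Name = $name; Line = $raw }
                }
            }
        }
    }
}

function Resolve-ViaDnsOnly {
    param([string]$Name)
    # nslookup queries the DNS server directly and ignores the hosts file;
    # [System.Net.Dns] or ping would simply echo the hosts entry back.
    $out  = & nslookup.exe -type=A $Name 2>$null
    $ips  = @()
    $seen = $false
    foreach ($l in $out) {
        if ($l -match '^Name:') { $seen = $true; continue }   # answer section starts here
        if ($seen -and $l -match '(\d{1,3}\.){3}\d{1,3}') { $ips += $matches[0] }
    }
    $ips
}

function Get-HostsAudit {
    $dcs = Get-DomainControllerNames
    foreach ($e in Get-HostsEntries) {
        $dnsIps = @(Resolve-ViaDnsOnly $e.Name)
        $isDc   = $false
        foreach ($dc in $dcs) {
            # hosts entries are often short names; match them against the DC FQDN
            if ($dc -ieq $e.Name -or $dc -like "$($e.Name).*") { $isDc = $true }
        }
        $verdict = if ($isDc)                        { 'DC-IN-HOSTS' }  # DC locator relies on DNS; a pinned DC address can go stale
                   elseif ($dnsIps.Count -eq 0)      { 'NOT-IN-DNS' }
                   elseif ($dnsIps -contains $e.IP)  { 'MATCHES-DNS' }
                   else                              { 'STALE' }        # hosts IP differs from what DNS returns
        New-Object PSObject -Property @{
            Name = $e.Name; HostsIP = $e.IP; DnsIPs = ($dnsIps -join ','); Verdict = $verdict; Line = $e.Line
        }
    }
}

$audit = @(Get-HostsAudit)
$audit | Format-Table Name, HostsIP, DnsIPs, Verdict -AutoSize

if ($Disable) {
    # Comment out (never delete) every line that is not a plain DNS duplicate.
    $badLines = @($audit | Where-Object { $_.Verdict -ne 'MATCHES-DNS' } | ForEach-Object { $_.Line })
    if ($badLines.Count -gt 0) {
        Copy-Item $HostsPath "$HostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        Get-Content $HostsPath | ForEach-Object {
            if ($badLines -contains $_) { "# disabled by hosts audit: $_" } else { $_ }
        } | Set-Content $HostsPath -Encoding ASCII
        Write-Output "Commented out $($badLines.Count) line(s); run ipconfig /flushdns and retry gpupdate /force."
    }
}
```

Even an entry that currently matches DNS is worth questioning on a domain member: the DC locator finds domain controllers through DNS SRV records, and a hosts entry for a DC silently takes over the A-record lookup for that name, so the client keeps using the pinned address after the DC moves. Leaving the file at its defaults and fixing the DNS servers instead, as the original post had already done, is the lower-risk configuration.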