Group Policy Failing

[Dan~]

Got an odd one here, we have some machines at a certain site which is unable to get group policy, upon forcing it we get

Quote

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
Look in the details tab for error code and description.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
Look in the details tab for error code and description.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

When I check the event log I get event ID 1006 and error code 82.

 

Any ideas? it looks like I've clicked every website in the world about it but none of it seems relevant.

 

Server 2012 R2 DC

 

Thanks

 

[techbeck]

Normally when I see this, a quick removal/rejoining to the domain fixes it.

[Dan~]

We have tried that but same results

 

DC1 is in UK and works fine

DC2 is not in UK and is having the same issues

 

I've done a repadmin on both dc's is all successful, if I do just a dcdiag on dc2 I get the following errors

Quote

      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 09/07/2017   12:21:40
            Event String:
            DCOM was unable to communicate with the computer IPHIDDEN using
 any of the configured protocols; requested by PID     31e4 (C:\Windows\system32\dcdiag.exe).

not sure if that matters too much?

Edited September 7, 2017 by Dan~
mistake

[sc302 Veteran]

You are having D.C. Replication failures. Please look at your D.C. Event logs for further details.

 

Likely causes are dns databases out of sync. Sites and services not setup correctly. Replication service failure. Network issues.

 

You will probably find that the sysvol share is no longer there on the D.C. Reporting errors. No sysvol no gpos.

It will come back once replication has been repaired, do not manually recreate it.

 

[Dan~]

when I do a repadmin /showrepl everything is reporting as fine.

 

That message in my last message has now since, but still unable to create a new secedit db on a users machine - Affecting around 20 computers

 

Any idea where to start?

 

From the users machine i can go to \\domain and get to the sysvol files no problem at all

[sc302 Veteran]

Is the dcdiag good too?

[Dan~]

Yes it passed all of them (helps if I ran cmd as administrator)

[sc302 Veteran]

Reboot the computer check its event logs after restart. If security and system event logs show no error after reboot try the gpupdate /force.

Also \\domain\sysvol isn't a valid test in your case.

\\dchostname\sysvol is

[Dan~]

We've tried that but it looks like this has been going on for months just no one ever noticed

[sc302 Veteran]

If you wish I can look at to get a better idea. TeamViewer is fine. Pm information. Otherwise I recommend a call to Microsoft. I would need access to your logs, config, and tools in your environment.

[Dan~]

Thought i’d update this.

 

it was because we were linking a gpo from one domain to another and the correct ports weren’t open

[Brandon H Supervisor]

that'll do it; definitely can't forget to check ports if going between domains

 

glad you god it sorted Dan