Group Policy Preprocessing (Active Directory) Alert

This error may occur on Windows 2008 servers

Group Policy Preprocessing (Active Directory) Alert
Alert Description

Source:
Server name
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Active Directory Bind Monitor

Summary

Group Policy Preprocessing (Active Directory)

Group Policy processing requires Active Directory. The Group Policy service reads and updates information stored in Active Directory. The absence of Active Directory (or a domain controller) prevents Group Policy from applying to the computer or user.

Resolutions

Correct binding to the directory

The Group Policy service logs the error code. This information appears on the Details tab of the error message in Event Viewer. The error code (displayed as a decimal) and error description fields further identify the reason for the failure. Evaluate the error code with the list below:

  • Error code 5
  • Error code 49
  • Error code 258

Error code 5 (Access is denied)

This error code might indicate that the user does not have permission to Active Directory.

To correct permissions for accessing Active Directory:

Use Active Directory troubleshooting procedures to further diagnose the problem.

Error code 49 (Invalid credentials)

This error code might indicate that the user’s password expired while the user is still logged on the computer.

To correct invalid credentials:

  • Change the user’s password.
  • Lock/unlock the workstation.
  • Check if there are any system services running as the user account.
  • Verify the password in service configuration is correct for the user account.

Error code is 258 (Timeout)

This error code might indicate that the DNS configuration is incorrect.

To correct timeout issues:

Use the nslookup tool to confirm _ldap._tcp.<domain-dns-name> records are registered and point to correct servers (where domain-dns-name is the fully qualified domain name of your Active Directory domain).

Use Active Directory troubleshooting procedures to further diagnose the problem.

Note: These steps may have varying results if your network constrains or blocks ICMP packets.

This knowledge is identical to http://technet.microsoft.com/en-us/library/cc727283(WS.10).aspx about event ID 1006.

Additional error codes for event 1058  can be found at http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx

If you follow the link in the knowledge to do troubleshooting AD then you go to http://technet.microsoft.com/en-us/library/cc732148(WS.10).aspx and get told that “The document that you are attempting to access is not yet available.” even though it is dated 7th November 2008.

There is a hotfix for Windows 2008 servers that this applies to.

http://support.microsoft.com/default.aspx?scid=kb;en-us;950876&sd=rss&spid=12925

Information

Alert is “Active Directory Search Monitor” from Group Policy 2008 MP. It is looking for event 1080 in System and is a Manual Reset monitor. The same named alert is from “Active Directory Bind Monitor” and is looking for event 1006 and is also a Manual Reset.

NB as this is a monitor you have to do Reset Health in Health Explorer and not just Close the alert. These alerts rollup for Availability and will create the calculated alerts (AD Domain Availability Health Degraded and  AD Site Availability Health Degraded) for the domain if more than 60% of DCs are affected.

OpsMgr is R2 and AD MP is v6.0.6452.0.

Advertisements

Comments are closed.

%d bloggers like this: