Endless Event ID 1006 & 1030 (source:Userenv) : LDAP local error

[Eric Ouvrie]

Hi,

I have a domain with 2 win2003 DCs and 1 win2000 DC
all with the latest SP.

On one of the Win2003 server, I have the following 2 Events
every 5 minutes (GPO application time on DC)
(On this Win2003 server, I have 2 NIC. Maybe it is relevant)

-Source:Userenv EventID:1006 "Windows cannot bind to mydomain.local
(Local Error). Group Policy processing aborted"
-Source:Userenv EventID:1030 "Windows cannot query for the lsit of Group
Policy Objects..."

Netdiag does not report any particular failure.

I set the user environment debug logging.
In userenv.log, I have :
GetGPOInfo: ********************************
GetGPOInfo: Entering...
GetGPOInfo: Server connection established.
GetGPOInfo: ldap_bind_s failed with = <82>
GetGPOInfo: Leaving with 0
GetGPOInfo: ********************************
ProcessGPOs: GetGPOInfo failed.
ProcessGPOs: No WMI logging done in this policy cycle.
ProcessGPOs: Processing failed with error 8341.
LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
ProcessGPOs: Computer Group Policy has been applied.
ProcessGPOs: Leaving with 0.
EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
EnterCriticalPolicySectionEx: Machine critical section has been
claimed. Handle = 0x8f0
EnterCriticalPolicySectionEx: Leaving successfully.
LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
GPOThread: Next refresh will happen in 5 minutes

I found that the LDAP error <82> is LDAP_LOCAL_ERROR which matches
the eventID 1006 description.

After many Internet research, I have not found anything helpful.
How can I troubleshoot this ?
Anyone could help.

Thanks in advance.
Eric.

[Jorge de Almeida Pinto [MVP]]

have you configured the multihomed as follows:
(works for W2K3SP1 DCs)
* To stop the registration of the connections addresses in DNS on some NICs
UNCHECK the option "Register this connection's addresses in DNS" for the
particular NIC (Advanced TCP/IP Settings, DNS TAB)
* If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
particular NICs (Advanced TCP/IP Settings, WINS TAB) (this does prevent the
registration of the IP in WINS!)
* Configure the correct interface order. Open the Network Connections
applet, click on the Advanced pull-down menu, choose Advanced Settings. Make
sure the interface for which DNS records exist in DNS is at the top of the
connections pane
* If file sharing is not needed on some NICs disable File and Print Services
and the Microsoft Client Service on the particular NICs
* If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
particular NICs (Advanced TCP/IP Settings, WINS TAB)
* Using the DNS MMC, right-click the server name, select the Interfaces TAB
and select on which NICs (IP addresses) the server should listen for DNS
queries (if it hosts DNS)



--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Eric Ouvrie" <inDOforNOTmaSENDtique@flp-sp.SPAMcom.br> wrote in message
news:uTjnV5mtGHA.644@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> I have a domain with 2 win2003 DCs and 1 win2000 DC
> all with the latest SP.
>
> On one of the Win2003 server, I have the following 2 Events
> every 5 minutes (GPO application time on DC)
> (On this Win2003 server, I have 2 NIC. Maybe it is relevant)
>
> -Source:Userenv EventID:1006 "Windows cannot bind to mydomain.local (Local
> Error). Group Policy processing aborted"
> -Source:Userenv EventID:1030 "Windows cannot query for the lsit of Group
> Policy Objects..."
>
> Netdiag does not report any particular failure.
>
> I set the user environment debug logging.
> In userenv.log, I have :
> GetGPOInfo: ********************************
> GetGPOInfo: Entering...
> GetGPOInfo: Server connection established.
> GetGPOInfo: ldap_bind_s failed with = <82>
> GetGPOInfo: Leaving with 0
> GetGPOInfo: ********************************
> ProcessGPOs: GetGPOInfo failed.
> ProcessGPOs: No WMI logging done in this policy cycle.
> ProcessGPOs: Processing failed with error 8341.
> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
> ProcessGPOs: Computer Group Policy has been applied.
> ProcessGPOs: Leaving with 0.
> EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags
> 0x0
> EnterCriticalPolicySectionEx: Machine critical section has been
> claimed. Handle = 0x8f0
> EnterCriticalPolicySectionEx: Leaving successfully.
> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
> GPOThread: Next refresh will happen in 5 minutes
>
> I found that the LDAP error <82> is LDAP_LOCAL_ERROR which matches
> the eventID 1006 description.
>
> After many Internet research, I have not found anything helpful.
> How can I troubleshoot this ?
> Anyone could help.
>
> Thanks in advance.
> Eric.

[Andrei Ungureanu [MVP]]

you didn't search enough :)
have you found this
http://www.eventid.net/display.asp?e...serenv&phase=1 ?

Maybe it helps,
--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader...lt2.asp?ref=au

"Eric Ouvrie" <inDOforNOTmaSENDtique@flp-sp.SPAMcom.br> wrote in message
news:uTjnV5mtGHA.644@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> I have a domain with 2 win2003 DCs and 1 win2000 DC
> all with the latest SP.
>
> On one of the Win2003 server, I have the following 2 Events
> every 5 minutes (GPO application time on DC)
> (On this Win2003 server, I have 2 NIC. Maybe it is relevant)
>
> -Source:Userenv EventID:1006 "Windows cannot bind to mydomain.local (Local
> Error). Group Policy processing aborted"
> -Source:Userenv EventID:1030 "Windows cannot query for the lsit of Group
> Policy Objects..."
>
> Netdiag does not report any particular failure.
>
> I set the user environment debug logging.
> In userenv.log, I have :
> GetGPOInfo: ********************************
> GetGPOInfo: Entering...
> GetGPOInfo: Server connection established.
> GetGPOInfo: ldap_bind_s failed with = <82>
> GetGPOInfo: Leaving with 0
> GetGPOInfo: ********************************
> ProcessGPOs: GetGPOInfo failed.
> ProcessGPOs: No WMI logging done in this policy cycle.
> ProcessGPOs: Processing failed with error 8341.
> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
> ProcessGPOs: Computer Group Policy has been applied.
> ProcessGPOs: Leaving with 0.
> EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags
> 0x0
> EnterCriticalPolicySectionEx: Machine critical section has been
> claimed. Handle = 0x8f0
> EnterCriticalPolicySectionEx: Leaving successfully.
> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
> GPOThread: Next refresh will happen in 5 minutes
>
> I found that the LDAP error <82> is LDAP_LOCAL_ERROR which matches
> the eventID 1006 description.
>
> After many Internet research, I have not found anything helpful.
> How can I troubleshoot this ?
> Anyone could help.
>
> Thanks in advance.
> Eric.

[Jorge Silva]

Hi

Here's more:
http://www.microsoft.com/technet/sup...renv&LCID=1033
Group Policy processing does not work and events 1030 and 1058 are logged in
the Application log of a domain controller

http://support.microsoft.com/?id=842804

Group policies are not applied the way you expect; "Event ID 1058" and
"Event ID 1030" errors in the application log

http://support.microsoft.com/?id=314494

Event 1030 and event 1058 may be logged, and you may not be able to start
the Group Policy snap-in on your Windows Small Business Server 2003 computer

http://support.microsoft.com/default...b;en-us;888943


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Andrei Ungureanu [MVP]" <contact me via www.itboard.ro> wrote in message
news:ug5P%23MntGHA.1288@TK2MSFTNGP02.phx.gbl...
> you didn't search enough :)
> have you found this
> http://www.eventid.net/display.asp?e...serenv&phase=1 ?
>
> Maybe it helps,
> --
> Regards,
> Andrei Ungureanu
> www.eventid.net
> Test our new EventReader!
> http://www.altairtech.ca/eventreader...lt2.asp?ref=au
>
> "Eric Ouvrie" <inDOforNOTmaSENDtique@flp-sp.SPAMcom.br> wrote in message
> news:uTjnV5mtGHA.644@TK2MSFTNGP03.phx.gbl...
>> Hi,
>>
>> I have a domain with 2 win2003 DCs and 1 win2000 DC
>> all with the latest SP.
>>
>> On one of the Win2003 server, I have the following 2 Events
>> every 5 minutes (GPO application time on DC)
>> (On this Win2003 server, I have 2 NIC. Maybe it is relevant)
>>
>> -Source:Userenv EventID:1006 "Windows cannot bind to mydomain.local
>> (Local Error). Group Policy processing aborted"
>> -Source:Userenv EventID:1030 "Windows cannot query for the lsit of Group
>> Policy Objects..."
>>
>> Netdiag does not report any particular failure.
>>
>> I set the user environment debug logging.
>> In userenv.log, I have :
>> GetGPOInfo: ********************************
>> GetGPOInfo: Entering...
>> GetGPOInfo: Server connection established.
>> GetGPOInfo: ldap_bind_s failed with = <82>
>> GetGPOInfo: Leaving with 0
>> GetGPOInfo: ********************************
>> ProcessGPOs: GetGPOInfo failed.
>> ProcessGPOs: No WMI logging done in this policy cycle.
>> ProcessGPOs: Processing failed with error 8341.
>> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
>> ProcessGPOs: Computer Group Policy has been applied.
>> ProcessGPOs: Leaving with 0.
>> EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags
>> 0x0
>> EnterCriticalPolicySectionEx: Machine critical section has been
>> claimed. Handle = 0x8f0
>> EnterCriticalPolicySectionEx: Leaving successfully.
>> LeaveCriticalPolicySection: Critical section 0x8f0 has been released.
>> GPOThread: Next refresh will happen in 5 minutes
>>
>> I found that the LDAP error <82> is LDAP_LOCAL_ERROR which matches
>> the eventID 1006 description.
>>
>> After many Internet research, I have not found anything helpful.
>> How can I troubleshoot this ?
>> Anyone could help.
>>
>> Thanks in advance.
>> Eric.
>
>

[Eric Ouvrie]

Hi,

I have UNCHECKED the option "Register this connection's addresses in
DNS" on my WAN NIC but the WAN IP keeps on registering into my DNS
server.

Eric.


Jorge de Almeida Pinto [MVP] escreveu:
> have you configured the multihomed as follows:
> (works for W2K3SP1 DCs)
> * To stop the registration of the connections addresses in DNS on some NICs
> UNCHECK the option "Register this connection's addresses in DNS" for the
> particular NIC (Advanced TCP/IP Settings, DNS TAB)
> * If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
> particular NICs (Advanced TCP/IP Settings, WINS TAB) (this does prevent the
> registration of the IP in WINS!)
> * Configure the correct interface order. Open the Network Connections
> applet, click on the Advanced pull-down menu, choose Advanced Settings. Make
> sure the interface for which DNS records exist in DNS is at the top of the
> connections pane
> * If file sharing is not needed on some NICs disable File and Print Services
> and the Microsoft Client Service on the particular NICs
> * If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
> particular NICs (Advanced TCP/IP Settings, WINS TAB)
> * Using the DNS MMC, right-click the server name, select the Interfaces TAB
> and select on which NICs (IP addresses) the server should listen for DNS
> queries (if it hosts DNS)

[Eric Ouvrie]

Hi,

I manually deleted the WAN IP entry in the DNS server and waited for the
next GPO processing.
It works fine. The userenv.log show : "GetGPOInfo: Bound successfully"
And no error appeared in the event log.

So this is the solution ! Thank you very much Jorge.

But I STILL have a problem : I disable and re-enable the WAN NIC (to
simulate a new boot) and the WAN IP keeps on registering into my DNS
server even when the option "Register this connection's addresses in
DNS" is UNCHECKED.

Eric.


Jorge de Almeida Pinto [MVP] escreveu:
> have you configured the multihomed as follows:
> (works for W2K3SP1 DCs)
> * To stop the registration of the connections addresses in DNS on some NICs
> UNCHECK the option "Register this connection's addresses in DNS" for the
> particular NIC (Advanced TCP/IP Settings, DNS TAB)
> * If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
> particular NICs (Advanced TCP/IP Settings, WINS TAB) (this does prevent the
> registration of the IP in WINS!)
> * Configure the correct interface order. Open the Network Connections
> applet, click on the Advanced pull-down menu, choose Advanced Settings. Make
> sure the interface for which DNS records exist in DNS is at the top of the
> connections pane
> * If file sharing is not needed on some NICs disable File and Print Services
> and the Microsoft Client Service on the particular NICs
> * If NetBIOS over TCP/IP is not needed on some NICs disable it on the on the
> particular NICs (Advanced TCP/IP Settings, WINS TAB)
> * Using the DNS MMC, right-click the server name, select the Interfaces TAB
> and select on which NICs (IP addresses) the server should listen for DNS
> queries (if it hosts DNS)
>
>
>

[Eric Ouvrie]

To avoid registering NIC IP on DC with DNS services:
http://support.microsoft.com/kb/292822/

On member server with DNS services:
http://support.microsoft.com/kb/275554/


Eric Ouvrie escreveu:
> Hi,
>
> I manually deleted the WAN IP entry in the DNS server and waited for the
> next GPO processing.
> It works fine. The userenv.log show : "GetGPOInfo: Bound successfully"
> And no error appeared in the event log.
>
> So this is the solution ! Thank you very much Jorge.
>
> But I STILL have a problem : I disable and re-enable the WAN NIC (to
> simulate a new boot) and the WAN IP keeps on registering into my DNS
> server even when the option "Register this connection's addresses in
> DNS" is UNCHECKED.
>
> Eric.

[Eric Ouvrie]

Hi,

IT STARTED AGAIN...

As it was adviced, I stopped my WAN IP registration in DNS by :
- unchecking the option "Register this connection's addresses in DNS"
- Adding
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\PublishAddresses=[MyLanIP]
- Adding
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords=0
- Restarting DNS Server and Netlogon services
(see KB 292822)
These actions stop my WAN IP registration in DNS, and the error 1006 and
1030.

I also disabled NetBIOS over TCP/IP on my WAN NIC.
I also put my LAN interface on top in the Network Connections' Advanced
Settings.

After one boot, the events ID 1006 and 1030 has started again every 5
min. (same reason as before).

Obs : the DNS server has internet and intranet zones. It must listen on
both interfaces.

Any Ideas ?
Eric.

[Eric Ouvrie]

Hi,

I have some more information.

On this server, ISA 2004 is running as well.
I noticed that, everytime GPO are being processed, I have LDAP
packages being denied :
Source IP : WAN IP
Destination IP : LAN IP
Protocol : TCP 389

Why the GPO process would be using my external IP ?
How to modify that ?

Eric.

[Jorge Silva]

Hi

First, you should know that running ISA Server on DC is a Bad practice
(assuming that you're running in a DC) this type of configuration represents
security issues.

Second, next time that you post a problem make sure that you refer the any
type of relevant software (Like ISA) that you're running in the Computer,
because this might help the persons here to give you better answers

Now the problem:

As Jorge Pinto Said, make sure that in your public interface, TCP/IP
Advanced settings:

Deselect the option of DNS registration, disable the NetBIOS over TCP/IP.

In the public interface make sure that you don't have File and Print Sharing
for MS Networks.

After this, open the ISA management console, select the FW Policy on the
left pane, on the right pane select the option edit system policy, go to the
option Microsoft Management Console, select the from tab, select the remote
management computers and choose edit, Add your subnet "192.168.0.0/24",
click ok, ok.., don't forget to Apply the changes on the ISA management
console, reboot the server, and check if the error still occurs.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Eric Ouvrie" <inDOforNOTmaSENDtique@flp-sp.SPAMcom.br> wrote in message
news:OStlv4kuGHA.3264@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> I have some more information.
>
> On this server, ISA 2004 is running as well.
> I noticed that, everytime GPO are being processed, I have LDAP
> packages being denied :
> Source IP : WAN IP
> Destination IP : LAN IP
> Protocol : TCP 389
>
> Why the GPO process would be using my external IP ?
> How to modify that ?
>
> Eric.