Additional DC LDAP Bind function call failed.

Hi guys

I have a Windows 2008 R2 forest that only contains 2 2008 R2 SP1 domain controllers. Recently I promoted a new ADC at my DR site.

The ADC was successfully promoted and automatic connections were created to the Head office site and DR site. Things are looking really fine.

But in the event log of the new ADC I see the following events appear.

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

EventID-1006
ErrorCode-49

The Security System could not establish a secured connection with the server LDAP/DRsrv.Domainname/DomainName@DomainName. No authentication protocol was available.

EventID-40961

Then I tried to manually replicate the DR server with the HOD servers, but it failed with an access denied error.

Please provide me with a solution. 

Thanks

May 17th, 2012 6:37am

Did you happen to check the Technet article below?

http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx

according to which,

Error code 49 (Invalid credentials)

This error code might indicate that the user's password expired while the user is still logged on the computer.

To correct invalid credentials: 

  1. Change the user's password.
  2. Lock/unlock the workstation.
  3. Check if there are any system services running as the user account.
  4. Verify the password in service configuration is correct for the user account.

Additionally, refer to the threads below, which discuss the same issue:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3fdc100f-16cb-4d4d-b1ca-4ce00bc7bbcc

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/9658df5c-6b61-4f92-91fc-93ffe6318c88

If none of the above works, then refer to the article below:

http://clintboessen.blogspot.in/2011/01/microsoft-windows-grouppolicy-event-id.html

Hope this information helps

Regards,

_Prashant_

May 17th, 2012 6:46am

Yes, I checked all of them.

The hotfix is not applicable because I'm using 2008 R2.

The user account is a domain administrator; it isn't locked.

There are not any hosts file entries.

Thanks.

May 17th, 2012 6:52am

Interesting!!!!

Ok,

I would suggest you post an unedited ipconfig /all from your ADC.

And make sure IPv6 is not disabled on the ADC. It should be enabled.

Regards,

_Prashant_

May 17th, 2012 7:02am


Check the links below:
http://eventid.net/display.asp?eventid=1006&eventno=10293&source=Microsoft-Windows-GroupPolicy&phase=1
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/387b8f88-ea25-4d61-86cb-7f4a0bb7683f

It could also be due to a DNS name resolution issue. Ensure the following on the DC:
1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
2. Each DC has just one IP address and a single network adapter is enabled.
3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns" and restart the DNS and NETLOGON services on each DC.
Do not put private DNS IP addresses in the forwarder list.
5. Assigning static IP address to DC if IP address is assigned by DHCP server to DC. It is strongly not recommended.

Note: Also make sure IPv6 is configured to dynamic (Automatically).

I would recommend posting the ipconfig details of the DC, dcdiag and repadmin /replsum output if the issue persists.

May 17th, 2012 7:10am
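
A read-only way to check items 1, 2, 3 and 5 of the list above on a DC, as an added example that is not part of the original post. It assumes WMI access on the DC being checked and treats any DNS server address outside the private/loopback IPv4 ranges as "public".

```powershell
# Added example: read-only audit of the DC network/DNS checklist above.
# Uses WMI classes so it also runs on PowerShell 2.0 (Windows Server 2008 R2).
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

# Item 2: a single enabled adapter carrying a single IPv4 address.
$ipv4 = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -and $_ -notmatch ':' })
if ($nics.Count -ne 1) { Write-Warning "$($nics.Count) IP-enabled adapters found (expected 1)" }
if ($ipv4.Count -ne 1) { Write-Warning "$($ipv4.Count) IPv4 addresses found (expected 1)" }

# Private (RFC 1918) and loopback IPv4 prefixes.
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'

foreach ($nic in $nics) {
    $name = $nic.Description
    # Drop empty entries so an unset DNS list counts as zero servers.
    $dns  = @($nic.DNSServerSearchOrder | Where-Object { $_ })

    # Item 5: the DC's address should not come from DHCP.
    if ($nic.DHCPEnabled) { Write-Warning "${name}: address is assigned by DHCP" }

    # Item 1: the first DNS server should be one of this DC's own addresses.
    if ($dns.Count -eq 0 -or $ipv4 -notcontains $dns[0]) {
        Write-Warning "${name}: primary DNS '$($dns[0])' is not this DC's own IP"
    }

    # Item 3: no public resolvers in the adapter's TCP/IP settings.
    foreach ($server in $dns) {
        if ($server -notmatch ':' -and $server -notmatch $private) {
            Write-Warning "${name}: DNS server $server is not a private address"
        }
    }
}

# Item 4 restarts these two services; show their current state.
Get-Service -Name DNS, Netlogon | Select-Object Name, Status
```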


@Asitha De Silva You might want to look at your reverse lookup zones as well, making sure it's configured correctly.
May 17th, 2012 7:37am

Take a look at the two articles below; they might provide you some headway.

http://blogs.technet.com/b/ad/archive/2009/03/20/downgrade-attack-a-little-more-info.aspx

http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx

May 17th, 2012 8:55am

If this is a DC, I wonder what your DNS configuration is looking like? Please run from a command prompt and post an IPCONFIG /all

Are there any firewalls that could be blocking ports between the two?

Check out this EventLog site with others that have had the same failure as you.
http://eventid.net/display-eventid-40961-source-LsaSrv-eventno-1398-phase-1.htm

--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

May 17th, 2012 12:02pm

Hi

Sorry for the delayed response.

The issue has been solved. I checked all the links you guys referred to, but hardly found a solution. The issue vanished with time.
The only guess I have is firewall ports. Maybe some ports were blocked.

Thanks everyone for your kind responses.

May 18th, 2012 9:35am

Good to know that the issue has been resolved. However, we don't have an exact root cause for this.

Cheers,

_Prashant_

May 18th, 2012 9:38am

I know this thread is over 2 years old, however I found the same issue on our RD server, and the issue turned out to be drive mappings to the (single) DC using saved credentials (different to the user's log on account) and the password had expired.  Just disconnecting/deleting the mapped drives didn't fix it, I had to go into the Windows Credentials Manager (vault) and delete the saved credentials, then after a log-off & on the group policies worked OK again.  

Cheers
Matthew

September 1st, 2014 9:47pm
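
To find saved credentials like the ones described in the post above before Group Policy starts failing, the entries in the current user's vault can be listed and filtered by server name. This is an added example, not part of the original post; it assumes the English-language output layout of `cmdkey /list`, and `DC01`, `FILESRV` and the `CONTOSO` accounts in the sample are constructed.

```powershell
# Added example: turn `cmdkey /list` output into objects (PowerShell 2.0 compatible).
function Get-StoredCredential {
    param([string[]]$Lines = @(cmdkey /list))
    $entry = $null
    foreach ($line in ($Lines + '')) {              # trailing '' flushes the last entry
        if ($line -match '^\s*Target:\s*(.+)$') {
            $entry = @{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+)$') {
            $entry[$Matches[1]] = $Matches[2].Trim()
        } elseif ($entry -and $line.Trim() -eq '') {
            New-Object PSObject -Property $entry    # a blank line ends one entry
            $entry = $null
        }
    }
}

# Constructed sample in the layout cmdkey prints; not taken from a real system.
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=DC01',
    '    Type: Domain Password',
    '    User: CONTOSO\svc-backup',
    '',
    '    Target: Domain:target=FILESRV',
    '    Type: Domain Password',
    '    User: CONTOSO\jsmith',
    ''
)

# Saved credentials that point at the DC and belong to another account
# than the logged-on user are the ones to review in Credential Manager.
Get-StoredCredential -Lines $sample |
    Where-Object { $_.Target -match 'DC01' -and $_.User -ne "$env:USERDOMAIN\$env:USERNAME" } |
    Select-Object Target, Type, User
```

Calling `Get-StoredCredential` without `-Lines` reads the live vault of the logged-on user; run it in each affected user's session, since the vault is per user.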

This solution worked for me. I have been struggling with this for one month. I tried removing and re-joining the server to the domain but was of no use. Finally cleared all stored passwords from the Windows Credentials Manager (Vault) and succeeded.
March 1st, 2015 12:33pm

Thanks man, I have just run into a similar issue, wasted a whole week on event viewer.
July 24th, 2015 1:54pm

This topic is archived. No further replies will be accepted.
