Saturday, December 6, 2008

LDAP bind error 31

I. Attempt to reset the computer account password and force a refresh of Kerberos tickets:

  • Use the Netdom tool from the Windows Support Tools to reset the machine account password.

    netdom resetpwd /server:<computername> /userd:<domain>\administrator /passwordd:<password>

    Note
    Run the command on the problem domain controller. <computername> is any domain controller other than the domain controller with the invalid password.
  • Set the Kerberos Key Distribution Center (KDC) service to manual on the problem domain controller and reboot.
  • After the reboot, start the KDC service and change it back to Automatic.
  • If the problem persists even after the above steps, try the following:
    1. Sometimes the HKEY_LOCAL_MACHINE\Security\Policy\PolAcDmN registry key is set to the computer name instead of the NetBIOS domain name. Use Regedt32 to view this value, as Regedit does not display REG_BINARY values properly.
    2. In Regedt32, highlight the No Name value and choose Display binary data from the View menu.
    3. Confirm that the value in HKEY_LOCAL_MACHINE\Security\Policy\PolPrDmN is set to the NetBIOS domain name.
    4. Copy that value and paste it into HKEY_LOCAL_MACHINE\Security\Policy\PolAcDmN.
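
An added PowerShell check for steps 1-4 above (not part of the original post): it reads the unnamed value under PolAcDmN and PolPrDmN, compares the raw bytes, and flags the symptom the post describes, PolAcDmN holding the computer name. It assumes it runs on the problem domain controller in a context that can read HKLM\SECURITY (for example as LocalSystem), and the printable-text decoding is a display heuristic of ours, which is why the real comparison is done on the raw bytes.

```powershell
# Added example, not from the original post. Read-only: it reports, it does not write.
# Assumption: runs as a principal that can open HKLM\SECURITY\Policy (e.g. LocalSystem).

function Get-LsaPolicyNameValue {
    param([Parameter(Mandatory)][string]$SubKey)   # 'PolAcDmN' or 'PolPrDmN'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SECURITY\Policy\$SubKey")
    if (-not $key) { throw "Cannot open HKLM\SECURITY\Policy\$SubKey (no read access or key missing)" }
    try {
        # The data is in the unnamed default value (what Regedt32 shows as 'No Name').
        [byte[]]$raw = $key.GetValue('')
    } finally { $key.Close() }
    # Display heuristic (assumption, not the documented layout): decode as UTF-16LE and keep
    # only non-control characters, which drops the leading length fields and trailing NUL.
    $text = [System.Text.Encoding]::Unicode.GetString($raw)
    $name = -join ($text.ToCharArray() | Where-Object { -not [char]::IsControl($_) })
    [pscustomobject]@{ SubKey = $SubKey; Raw = $raw; Name = $name }
}

function Test-LsaDomainNames {
    $acct = Get-LsaPolicyNameValue -SubKey 'PolAcDmN'   # account domain name
    $prim = Get-LsaPolicyNameValue -SubKey 'PolPrDmN'   # primary (NetBIOS) domain name
    # Compare the complete binary values, header included, exactly as the post's copy/paste step does.
    $same = ([System.BitConverter]::ToString($acct.Raw) -eq [System.BitConverter]::ToString($prim.Raw))
    [pscustomobject]@{
        PolAcDmN      = $acct.Name
        PolPrDmN      = $prim.Name
        RawBytesMatch = $same
        LooksLikeHost = ($acct.Name -ieq $env:COMPUTERNAME)
    }
}

$result = Test-LsaDomainNames
$result | Format-List
if (-not $result.RawBytesMatch) {
    Write-Warning "PolAcDmN differs from PolPrDmN; per the steps above, copy the full PolPrDmN value into PolAcDmN with Regedt32."
}
if ($result.LooksLikeHost) {
    Write-Warning "PolAcDmN holds the computer name ($env:COMPUTERNAME) instead of the NetBIOS domain name."
}
```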

II. Missing trustedDomain object.

If the trustedDomain object is missing, there will usually be an Event ID 1265 logged in the directory service event log referencing a "Target account name is incorrect" error. If the error is being reported for replication between two domain controllers of different domains which have a parent/child or tree root trust relationship, this error may be the result of a missing object that represents the trust relationship between the two domains. This object is known as a trustedDomain object and is found in the System container in Active Directory Users and Computers. If this object is not present, cross-domain authentication will fail. For more information see KB article 257844.

To resolve this issue perform the following steps:

Note
This procedure should only be performed if the trustedDomain object for the remote domain is not present in the System container.

  1. From the domain that is generating the Event ID 1265 or "LDAP Bind error 31" error messages, open Active Directory Domains and Trusts on the domain controller that holds the PDC Emulator operations master role for the domain. Right-click the object that represents the domain, and then select Properties.
  2. Click the Trusts tab, and click Add to create both sides of the trust relationship to the remote domain. Because this would normally be a Kerberos trust, creating both sides of the trust is required. Creating the trusted side first generates the error message "Active Directory cannot verify the trust. Access is denied."
  3. Click OK. Note that Active Directory Domains and Trusts displays the trust as a transitive, shortcut trust. Adding the trusting side generates the message "To verify the new trust, you must have permissions to administer trusts for the domain <domain name>. Do you want to verify the new trust?"
  4. Click Yes, and supply the administrator credentials for the remote domain. When prompted for credentials, specify the NetBIOS domain name as well as the user name, for example CONTOSO\Administrator. The following error message is generated: "Active Directory cannot verify the trust. Access is denied."
  5. Click OK. Again, note that Active Directory Domains and Trusts displays the trust as a transitive, shortcut trust.
  6. After both sides of the trust are created, run the Netdom command below (Netdom is included in the Windows 2000 Support Tools):

    netdom trust <local_domain> /domain:<remote_domain> /userd:administrator /passwordd:* /usero:administrator /passwordo:* /reset /twoway

    Where <local_domain> is the domain on which the trust is being created and <remote_domain> is the parent, child, or root domain being trusted. In either case, the fully qualified domain name (FQDN) should be used, for example "Contoso.com". This should result in the following message:

    Type the password associated with the domain user:  (This is UserD)

    Type the password associated with the object user:  (This is UserO)

    Resetting the trust passwords between <local_domain> and <remote_domain>. The trust between <local_domain> and <remote_domain> has been successfully reset and verified.

    The command completed successfully.

  7. Reboot the domain controller where these changes were made.
  8. After rebooting, wait several minutes for Active Directory to establish a secure channel and the Knowledge Consistency Checker (KCC) to attempt to re-establish replication links to the domain controllers in the remote domain. During this period, test that logons across the trust relationship are successful and that no errors are logged in the directory service event log.