Lots of Event 1006 ErrCode 53 in a 2012 R2 Domain Controller.

    Question

  • Hi all,

    I have this very strange (and, I think, serious) problem on a DC.
    Here is the scenario:

    - Windows Server 2012 R2 as Domain Controller and DNS server
    - Currently no backup DC, so the server is the only DC, handles all the FSMO roles and is a Global Catalog

    Some days ago I was in an RDP session on the server managing some configurations... when I tried to access Users And Computers Of Active Directory in Administrative Tools a very strange error occurred:

    Users and computers of Active Directory are not available from the domain controller <computername> for the following reasons: the server requests a more secure authentication method. Retry later. (my system language is Italian so I translated as well as I can).

    The same happens with domains and trusts or GPO edit... long story short: I'm not able to control anything AD related.

    My user is an administrator (the administrator account I used to create the forest, the domain, the groups and the users) and every administrative aspect (except for AD) works without problems.

    So... I tried changing the administrator password using

    net user <adminaccount> *

    well... if I change the password with one complex enough (even if I turned off the password complexity requirements in GPO) and restart the server then I'm able to handle everything... for approximately 2 days... or something like that... then if I restart the server the problem shows again and I'm forced to change the password. Note that if I try to use a password I previously used, then if I restart the system I encounter the problem again. Only fresh new and complex passwords make me able to control AD again for a limited time.

    All of this is followed by lots of Event 1006 ErrCode 53 in event viewer stating basically the same concept: it is impossible to execute the authentication with Active Directory service in a domain controller. The call to the LDAP binding function failed.

    It seems like... I don't really know how to explain... there's some kind of password policy for AD authentication not synchronized with the password policy for system authentication. As I said, I'm able to log on to the server via RDP and manage every aspect except for AD (at least using snap-ins... if I use the command line I'm able, for example, to reset a user password).

    This happens also for other admins... if I create a new admin and set a password he will be able to handle everything for some days and then, again, no AD authentication is possible.

    I found nothing anywhere... and I'm quite desperate... can you help me?!

    Thanks in advance.

    Sunday, January 31, 2016 5:21 PM

All replies

  • Hi,
    Firstly, please confirm the error code of event ID 1006. Based on my search, the error ‘The call to the LDAP binding function failed’ should be code 49.
    Secondly, please check if there is firewall block and verify that all needed ports are open.
    In addition, you could try the steps below:
    1. Run nltest /SC_QUERY:<server name>; it is used to query the secure channel for the domain.
    2. Check the local hosts file. If it is full of entries, please remove these entries and try again.
    You could see more details from:
    http://clintboessen.blogspot.jp/2011/01/microsoft-windows-grouppolicy-event-id.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 01, 2016 8:44 AM
    Moderator
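    As an added example (not part of the thread, and not Microsoft's code), a PowerShell helper run in an elevated session on the DC that collects what the reply above asks for: the actual error codes carried by the recent event 1006 entries, the nltest secure-channel query, any non-comment hosts file entries, and local reachability of the ports an LDAP bind depends on. $DomainName is a placeholder, and the EventData field name 'ErrorCode' is an assumption.

    ```powershell
    param(
        [string]$DomainName = 'EXAMPLE.LOCAL',   # placeholder, replace with the real domain
        [int]$Hours = 48                         # how far back to read the GP operational log
    )

    # Win32 error 53 and LDAP error 49 are the two codes discussed in the thread.
    $known = @{ 53 = 'ERROR_BAD_NETPATH (network path not found)'
                49 = 'LDAP invalidCredentials' }

    # 1. Tally the error codes of recent event 1006 entries from their EventData,
    #    so "53 vs 49" is settled from the events rather than the summary text.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = 1006
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $codes = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        # Assumed field name; if absent the event is counted under 'unknown'.
        $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ErrorCode' }
        if ($node) { [int]$node.'#text' } else { 'unknown' }
    }
    $codes | Group-Object | Sort-Object Count -Descending | Format-Table `
        @{n='ErrorCode'; e={$_.Name}},
        @{n='Meaning';   e={ if ($known.ContainsKey([int]$_.Name)) { $known[[int]$_.Name] } else { '' } }},
        Count -AutoSize

    # 2. Secure-channel query suggested in the reply (nltest is a built-in tool).
    nltest /sc_query:$DomainName

    # 3. Hosts file: any non-comment entry can override DNS resolution of the DC.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries   = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
    "hosts file entries (expect none on a DC): $($entries.Count)"
    $entries

    # 4. Local reachability of DNS, Kerberos, LDAP, LDAPS, SMB and GC ports.
    foreach ($port in 53, 88, 389, 636, 445, 3268) {
        $ok = (Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        'port {0,5}: {1}' -f $port, $(if ($ok) { 'open' } else { 'CLOSED' })
    }
    ```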
  • Hi,
    thank you very much for your answer!
    I searched a lot on technet and through internet and I often found references to the error code you mentioned. Sadly, in my case, the error is exactly what I wrote: ID 1006 error 53 (and same identical event description of error 49).
    At the moment the Windows Firewall on the server is completely deactivated so all ports are open (the server is reachable only from the LAN as it's behind a NAT).
    Will surely try the nltest and see what happens.
    As for the hosts file, I did take a look while trying to solve the problem and there are no entries.
    I looked at the link you wrote but it refers to error 49 and that's not my case.
    • Edited by Morotep Monday, February 01, 2016 9:15 AM
    Monday, February 01, 2016 9:14 AM