Splunk_TA_Windows error: DsBind failed (1753)

I started seeing the error DsBind failed (1753) in Splunk’s _internal index shortly after a Domain Controller replacement project. The error was only occurring on two DCs:

The first thing I checked was the configuration in inputs.conf. We are using the Splunk_TA_Windows add-on to collect Security Event Logs, with a separate inputs app to deploy to servers. I didn’t expect any issues with the config as the errors were only occurring on two DCs, but it never hurts to check. As expected it was fine – all DCs are configured to use localhost for SID resolution.

[WinEventLog://Security]
evt_dc_name = localhost

I was at a bit of a loss with this error message as there wasn’t much to go on and a quick google search didn’t reveal anything useful so I decided to look up the system error code on docs.microsoft.com. Error code 1753 means: “There are no more endpoints available from the endpoint mapper”.

I did another google search using this new information and found a troubleshooting article for AD replication. It wasn’t about my specific issue… but the error code matched so I figured it was worth a read: https://support.microsoft.com/en-nz/help/2089874/troubleshooting-ad-replication-error-1753-there-are-no-more-endpoints

Trying to match the symptoms listed in the article, I ran DCdiag on one of my problem Domain Controllers. I didn’t get an endpoint mapper error, but the error I got was much more useful:

Then I opened server manager and this message popped up:

Problem solved. For whatever reason, the setup process for these two Domain Controllers hadn’t been completed. The AD role had been installed, but dcpromo was never run.  After completing initial configuration of the Domain Controllers, the error went away. The error message was a bit misleading, but I got there in the end.

Rate this post:
Share this post:

Leave a Reply