Event ID - 53

Event Id: 53
Source: Active Directory Rights Management Services
Description: Active Directory Rights Management Services (AD RMS) failed to establish a connection to Active Directory Domain Services (AD DS).
Event Information: According to Microsoft:
Cause :
This event is logged when Active Directory Rights Management Services (AD RMS) fails to establish a connection to Active Directory Domain Services (AD DS).
Resolution :
Fix Active Directory Domain Services issues
AD RMS uses Active Directory Domain Services (AD DS) to look up users that are publishing and consuming rights-protected content. If AD DS is not available, users will not be able to use AD RMS.
Use the following to fix Active Directory Domain Services issues:
1) Ensure that the AD RMS service account has read access to AD DS.
2) Check network connectivity to the AD DS global catalog servers.
3) Open TCP port 3268 on global catalog servers.
4) Check if Lightweight Directory Access Protocol (LDAP) connection pool registry overrides are correct.
5) Restart the AD RMS server.
Ensure that the AD RMS service account has read access to AD DS
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To ensure that the AD RMS service account has read access to AD DS:
1. Log on to a domain controller in the AD RMS forest.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Click Users.
4. Right-click Domain Users, and then click Properties.
5. Click the Members tab and verify that the AD RMS service account is a member of the Domain Users group.
6. If the AD RMS service account is not a member of the Domain Users group, you should add it.
Note :
If you had to add the AD RMS service account to the Domain Users group, you must restart IIS on each AD RMS server in the cluster by running iisreset at a command prompt.
Check network connectivity to AD DS global catalog servers
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check network connectivity from AD RMS server to AD DS global catalog server:
1) Type ipconfig /all at a command prompt on the AD RMS server. Make sure that the AD RMS server has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
2) Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
3) Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
4) Ping the AD DS global catalog server. If you cannot ping the AD DS global catalog server, this indicates a potential problem with the AD DS global catalog server, or the network in between the AD DS global catalog server and the AD RMS server in the cluster.
Open TCP port 3268 on AD DS global catalog servers
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To open TCP port 3268 on AD DS global catalog servers:
1. Log on to the AD DS global catalog server.
2. Click Start, and then click Control Panel.
3. Click Allow a program through Windows Firewall.
4. Click the Exceptions tab.
5. Click Add Port.
6. In the Name box, type AD DS Global Catalog.
7. In the Port number box, type 3268.
8. Click OK two times.
Check if Lightweight Directory Access Protocol (LDAP) connection pool registry overrides are correct
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check if Lightweight Directory Access Protocol (LDAP) connection pool registry overrides are correct:
Caution:
Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
1. Log on to an AD RMS server in the cluster.
2. Click Start. In the Start Search box, type regedit, and then press ENTER.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0.
4. If a MinGC entry exists, make sure you have enough global catalog servers to fulfill this request and that the value in the registry is not NULL.
5. If a ThreshHoldAlive entry exists, make sure that the value in the registry is greater than or equal to 1.
6. If you change either of these registry settings, run iisreset from a command prompt.
Note :
The value 1 for the MinGC registry entry is the default AD RMS installation value.
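The connectivity, port 3268 and registry checks from the sections above can be run as one read-only script on the AD RMS server. This PowerShell is an added example, not part of the Microsoft guidance quoted here; it assumes Windows Server 2012 or later (for Get-NetIPAddress and Test-NetConnection) and that MinGC and ThreshHoldAlive hold numeric values, and the -GlobalCatalog parameter name is hypothetical.

```powershell
# Added example: read-only checks for the AD RMS -> AD DS troubleshooting steps above.
# Run on the AD RMS server; it changes nothing on the system.
param(
    # Assumption: pass global catalog host names explicitly if forest discovery fails.
    [string[]]$GlobalCatalog
)

# Step: the server must not be using an APIPA (169.254.x.x) address.
$apipa = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '169.254.*' }
if ($apipa) { Write-Warning "APIPA address in use: $($apipa.IPAddress -join ', ')" }

# Discover global catalogs from the current forest unless names were supplied.
if (-not $GlobalCatalog) {
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $GlobalCatalog = $forest.GlobalCatalogs | ForEach-Object { $_.Name }
    } catch {
        Write-Warning "Forest discovery failed: $($_.Exception.Message)"
        $GlobalCatalog = @()
    }
}

# Step: ping each global catalog and test TCP 3268.
$reachable = 0
foreach ($gc in $GlobalCatalog) {
    $ping = Test-Connection -ComputerName $gc -Count 2 -Quiet
    $port = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
    if ($port.TcpTestSucceeded) { $reachable++ }
    [pscustomobject]@{ GlobalCatalog = $gc; Ping = $ping; Tcp3268 = $port.TcpTestSucceeded }
}

# Step: validate the LDAP connection pool overrides, if present.
$key = 'HKLM:\Software\Microsoft\DRMS\2.0'
$drms = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($null -eq $drms) {
    Write-Warning "$key not found; is this an AD RMS server?"
} else {
    if ($drms.PSObject.Properties['MinGC']) {
        if ($null -eq $drms.MinGC -or "$($drms.MinGC)" -eq '') { Write-Warning 'MinGC is empty' }
        elseif ([int]$drms.MinGC -gt $reachable) {
            Write-Warning "MinGC=$($drms.MinGC) but only $reachable global catalog(s) answer on 3268"
        }
    }
    if ($drms.PSObject.Properties['ThreshHoldAlive'] -and [int]$drms.ThreshHoldAlive -lt 1) {
        Write-Warning "ThreshHoldAlive=$($drms.ThreshHoldAlive); must be >= 1"
    }
}
```

A global catalog that fails the ping but passes the TCP 3268 test usually means ICMP is filtered on the path, not that the directory is unreachable.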
Restart the AD RMS server
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To restart the AD RMS server:
1. Log on to the AD RMS server.
2. Click Start, point to the right arrow, and then click Restart.
3. On the Shutdown Event Tracker, in the Comment box, type Restarting AD RMS server to restore AD DS connectivity, and then click OK.
Note :
Restarting the AD RMS server should only be done if the previous sections do not resolve the issue.
Verify :
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that AD RMS can access the Active Directory Domain Services forest:
1. Log on to an AD RMS-enabled client computer.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. In the new document type This is a test document.
4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
5. Select the Restrict permissions to this document check box.
6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
7. Send this file to the person who was granted access in step 6.
8. Have this person open the document and verify that he or she cannot do anything else other than read the document, such as print it.
Reference Links: Event ID 53 from Source Active Directory Rights Management Services
