Lots of Event 1053 Errors

My event log, under application, is filling up with event id 1053, with this text:

Windows cannot determine the user or computer name. (There are no more endpoints available from the endpoint mapper. ). Group Policy processing aborted.

About every 5 minutes another one is added.
Who is Participating?

Improve company productivity with a Business Account.Sign Up

ChiefITConnect With a Mentor Commented:

This is what I am thinking>

DFS (Distirbutive File Services) is responsible for distributing out GPOs. GPOs are first saved in SYSVOL. Then DFS uses Netbios broadcasts send out these shares to the local subnet. The only problem with that is netbios uses broadcastsed messages and it is not a routeable protocol. NON-routeable means that it will not go through a VPN tunnel, across a firewall, or over any sort of NAT.

To fix this issue, you will need netbios over TCP/IP for all computers within each subnet and you need something to transport from one subnet to another. There are two methods of doing just that for DFS.

So here are your fixes:
1) USE WINS between the two sites. Create a WINS server out of your lead server per subnet. What I mean by a lead server is the one that holds the FSMO roles. Below is an article that explains how to use WINS to go across a WAN configuration for the Browser service. This article will help you configure WINS as a transport between the two sites.


Alternative fix: Fix 2) An alternative fix is to use DNS as the transport for DFS:
PLEASE NOTE: Please look at the key ports used by Windows 2003 anything using ports 137, for WINS and Netbios datagram ports 138 and 139 are effected if you do not use WINS. If all you are after is DFS, then you could use DNS. So, there are drawbacks to using DNS.

Dropping your pants by disabling the firewall and AV products are just a test, and yes it's not a good idea. So, the test are done and you still probably still don't have what you need, because Netbios is not routeable.

What you should do is pay attention to what uses IP ports for netbios. Those would be Netbios/WINS port 137,  and netbios datagram ports 138, and 139. Without WINS, you will not be able to get to Site 2. So, let's review what key functions use these ports. If you want all services availlable between the LAN, you will have to use Fix 1;

This article for reference on the ports used by Key Serivices of 2003 server:
2) The Domain Browser Service
3) DFS
4) License logging service
5) messanger
6) Netlogon
7) performance logs and alerts.
8) print spooler
9) RPC
10) SERVER service
11) System management service

With that said, I think the full range of symptoms you will have is:
~~Computers from the remote site will not show up in MY NETWORK PLACES.
~~The print spooler will not work on a remote site
~~You can't run files using RPC from the remote site and may have RPC is unavailable.
~~You can't view performance logs and alerts from the remote site.
~~You will probably have events 1030 can't get GPO, 1058 can't get GPO, 1053 as you are seeing,  and might see 8032 master browser conflict, 8032 master browser conflict.

*****IMPORTANT: Prior to applying the fixes, you can enable AV and firewalls.

Attached is a free body diagram that illustrates what you want. Use Netbios over TCP/IP to broadcast between clients and server on the same subnet. Then, use WINS to communicate between the two subnets. Disregard the part that says, here is your problem. Since you don't seem to have problems with the clients and server, all you may have to do is enable WINS on the subnet's master server.

For the browser service, I recommend you use the same article and make sure you have a master browser per subnet and a backup browser.

I hope this helps, and let me know if you have any questions.
dougp23Author Commented:
dcdiag:  cpmmand not found
netdiag:  command not found

Looks like I don't have these installed.  How do I get them installed?  Win2K3 SP2
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

dougp23Author Commented:
OK, installed both of them.  

DcDiag ran pretty cleanly.

NetDiag provided this little pearl:

DNS test . . . . . . . . . . . . . : Failed

    [WARNING] The DNS entries for this DC are not registered correctly on DNS se

rver ''. Please wait for 30 minutes for DNS server replication.

    [FATAL] No DNS servers have the DNS records for this DC registered.

Now, THIS server IS how do I tell the server that to get to himself, he should ask...himself??
dougp23Author Commented:
Also, under DNS, my server is showing 2 forward lookup zones.


I would imagine I only need TOWN.COM?  Is the fact that TOWN is in there confusing things?

Under Town.com I have an A record that says

So it seems like this DNS *should* know how to resolve itself....

Hope this helps!
most likely you will need to keep town.com

run a netdiag /fix then a netdiag again and see what comes back.

Also in tcp ip properties for the lan connection you have the first DNS server set to itself (internal IP address) and the second to another internal DNS machine.
There should NOT be an ISP server in there
dougp23Author Commented:
TCP/IP Properties (2 NIC Cards) has preferred DNS of and no secondary DNS.
The 2nd NIC is capturing VOIP traffic to record calls that we need recorded, so it has a IP with a DNS.  Note that we run NO 10.x IPs, so I would imagine this interface cannot communicate out at all.

Ran netdiag  /fix, then netdiag again.  

The interesting (I think) parts:
NetBT name test. . . . . . : Passed                                             [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.                                                   No remote names have been found.                                                                                                                            WINS service test. . . . . : Skipped                                                There are no WINS servers configured for this interface.                                                                                                

DNS test . . . . . . . . . . . . . : Passed                                         PASS - All the DNS entries for DC are registered on DNS server '' and other DCs also have some of the names registered.                                                                                                                                                                                        

I will clear out the EL, and see if they keep happening.
Ar you running synaptec end point protection?
dougp23Author Commented:
no, no endpoint security.  OK, I followed some MS Technet docs, and I had no "endpoints" available, so did what they said.  They then said to do a portqry and see if certain ports were being blocked.  So, I did this, from the Town server:

portqry -n servername.police.org -o 1094,1025,1029,6004
Name resolved to

TCP port 1094 (unknown service): NOT LISTENING

TCP port 1025 (unknown service): NOT LISTENING

TCP port 1029 (unknown service): NOT LISTENING

TCP port 6004 (unknown service): NOT LISTENING

Any ideas?  Again, both buildings connect via fiber, so I don't think my firewall for the network is blocking this stuff.  Both servers have their network cards firewalls shut off.
So after a /fix the errors are still occuring?
dougp23Author Commented:
Well, they've changed.  Event ID 4521 with information 9002.  Which I think is due to that police server not listening on those ports.  Perhaps I should close this question and open a new one, since I am no longer getting 1053 errors.  Or I'll bump the points up.
I am going to review what we have for info. I'll admit these endpoint mappers and certs for the RPC service over VPN are not one of my strong points. If you don't mind, will you leave this open.
In the meantime, i was on another post where the technet article didn't help, but this MS article provided the right key to the solution.
The ports on your portqry that are "not listening" are not key to 2003 server services:

TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): NOT LISTENING
TCP port 1029 (unknown service): NOT LISTENING
TCP port 6004 (unknown service): NOT LISTENING


So, what is perplexing to me is why isn't it working?
OK: The article that I provided says:
From the output, you know the DC is using port 1094 for FRS and 1025, 1029, and 6004 for Active Directory replication.

antivirus software May be blocking ports above 1024.

Please see step 4 of the article above. It describes your problem to a T.
dougp23Author Commented:
I had found KB839880 already, and yes I agree step 4 is a real wakeup.  But what they don't tell you is how to fix it.  I am against turning off the firewall on the server, but OK, I turned it off.  Now, I should turn off my antivirus too??  Only MS would offer this up as a solution!!

My Antivirus has no built in firewall, so I am just totall stumped, and ready to say "forget it, people will have to keep track of 2 logins".  Not my favored solution, but where else do I go from here?

If this helps, the prtqry from Town reported back properly on POlice, but a portqry on Police says it can't resolve the name accounting.town.com.  Is that a prob?  Remember, the folder I want to share is on Town, but the users are on Police.  Not sure if this matters.
I would turn it all off to test and see what happens.
Excellent!! I am glad to see this worked for you. Thanks.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.