When trying to create a new ADS account, the error below appears in the JCS log. It is possible to modify an existing ADS account from Provisioning Manager, but a new one cannot be created.
LDAP: error code 53 - Unwilling To Perform
Identity Manager 14.x
When trying to create a new ADS account, the following error message appears in the Event Viewer (System):
"The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Look for other SAM event logs that may indicate the exact reason for the failure."
This is a Microsoft issue. Please contact your Microsoft/ADS support to fix it.
You can find more details in the Microsoft link below:
Event ID 16650: The account-identifier allocator failed to initialize in Windows Server
If the information above does not match your case, please see the KB article:
LDAP: error code 53 - Unwilling To Perform