adeelminhaj

asked on

The directory service was unable to allocate a relative identifier

I took a complete backup (1st option, "Backup everything in my computer") of my Active Directory server (Windows 2000), using 'NTBACKUP'.
In fact I have 2 AD servers (Windows 2000) in my production network. But all 5 roles exist on the 1st AD server (which I took the backup of) and it is a 'Global catalog' server as well. In fact both the servers are 'Global catalog' servers.
Now I'm trying to restore the 1st AD server with a fresh OS installation. After installing Windows 2000, I've not configured any network settings or anything else.
Restart the server in 'Directory Services Restore Mode'.
Run the 'NTBACKUP' utility.
Drive the 'Restore Wizard'. Import the backup file (to be restored).
In the advanced options, the 1st option was 'How to Restore'. I select the last option, 'Always replace the file on disk'.
In the next screen (regarding the security), I select the 1st check box (Restore security)
and the 3rd check box (Restore junction points, not the folders and file data they reference).

After the restore was completed, I restarted the machine.
Now I can log on as an administrator normally. I can create, delete and move OUs.
But when I try to create a user account, I get this error message:

"Windows cannot create the object because the Directory Service was unable to allocate a relative identifier."

I receive the following event message in the NT Directory Service (NTDS) event log:
Event 16650
MessageId=0x410A
SymbolicName=SAMMSG_RID_INIT_FAILURE
Language=English
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

That's all about it. Any idea what's going wrong in there?




ASKER CERTIFIED SOLUTION
oBdA

Casca1

Take a look here.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787

You might be able to work around the issue and force the AD#2 into the FSMO role. I would delegate all 5 operations over to it, and then try to force replication. That might fix your problem.

I got the link from oBdA's first KB link, so I can't take credit! 8-)
adeelminhaj

ASKER

oBdA / Casca1:

Thanks a lot for all those KB links, those were quite useful but I've not found my scenario there.

Since I took it off-line from the production network and put it in a temporary network, in such a scenario I now have only one AD server.

Now what should I do after the restoration to rectify the problem?

I would attempt an authoritative restore.

Guys, as I've mentioned, I have 2 AD servers in my production network. To restore the target server, I put it on a separate network (non-production), as recommended in Kbase documents.

So right after the restore, when I restart the server and try to create a new user account, it starts replication with its companion server to allocate a relative identifier; there it fails to replicate because it's not in the production network. I guess this was the root cause of my problem.

When I restored both the servers off the production network, it works fine.

Huh; the KB article says to restore OFFLINE??? Wild. Even though you have put it on a separate subnet, it is considered offline because it's not in the production environment. An authoritative restore is sorta like that... But only sorta.

Casca1: don't be so emotional and have a look @ the KB documents.

Emotional? How about emphasis.
I did read the KB; checked it again to verify I had read it correctly.
I reiterate: Wild.

How come a pre-req of this site isn't a mastery of the English language? I find it very hard to communicate with people who start sentences off like "I took complete backup". Seriously.