Domain Controller error

Windows 2000 and SP2.

I get the following error.
I have looked in the Microsoft Support site and I have tried to run these tests but something is missing.

Event Type:     Error
Event Source:     SAM
Event Category:     None
Event ID:     16650
Date:          2002-03-05
Time:          12:51:30
User:          N/A
Computer:     VGMA03
The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.
0000: a7 02 00 c0               §..À    
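The event text says the record data contains the NT error code; those four bytes are a little-endian NTSTATUS value. As an added example (not part of the original thread), this Python sketch parses an Event Viewer byte dump and splits the value into its NTSTATUS fields. The function names are hypothetical and the name table is only a small subset of ntstatus.h.

```python
import re
import struct

# Small subset of directory-service NTSTATUS names from ntstatus.h.
DS_STATUS_NAMES = {
    0xC00002A7: "STATUS_DS_NO_RIDS_ALLOCATED",
    0xC00002A8: "STATUS_DS_NO_MORE_RIDS",
    0xC00002A9: "STATUS_DS_INCORRECT_ROLE_OWNER",
    0xC00002AA: "STATUS_DS_RIDMGR_INIT_ERROR",
}
SEVERITY = ("success", "informational", "warning", "error")

# Dump line: 4-digit hex offset, colon, up to 8 hex bytes; the ASCII column is ignored.
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):((?: [0-9a-fA-F]{2}){1,8})")


def parse_record_data(dump):
    """Rebuild the raw bytes from an Event Viewer 'Bytes' dump (hypothetical helper)."""
    data = bytearray()
    for line in dump.splitlines():
        match = DUMP_LINE.match(line)
        if not match:
            continue  # skip event text and blank lines
        if int(match.group(1), 16) != len(data):
            raise ValueError("dump offsets are not contiguous")
        data += bytes.fromhex(match.group(2).replace(" ", ""))
    return bytes(data)


def decode_ntstatus(data):
    """Split the first DWORD (little-endian) into the NTSTATUS bit fields."""
    if len(data) < 4:
        raise ValueError("record data shorter than one DWORD")
    (value,) = struct.unpack_from("<I", data)
    return {
        "value": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],
        "customer": bool((value >> 29) & 1),
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
        "name": DS_STATUS_NAMES.get(value, "unknown, check ntstatus.h"),
    }


if __name__ == "__main__":
    # Record data line as posted in the question above.
    posted = "0000: a7 02 00 c0               §..À    "
    print(decode_ntstatus(parse_record_data(posted)))
```

For the bytes posted in the question this yields 0xC00002A7, which ntstatus.h names STATUS_DS_NO_RIDS_ALLOCATED.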

mikecr (IT Architect/Technology Delivery Manager) commented:
What are your symptoms, if any? Are you experiencing any problems?
Do you have other DCs or any legacy NT 4.0 PDCs on the net?
qubiac (Author) commented:
The problem is that I could register one more AD server and I could replicate it to my new AD server.
But for some reason that doesn't work anymore and I get the error that you see above.
We had old servers in our network before, but not anymore, so I changed the AD mode to Native.

In your User rights permissions, grant the Enterprise Admins group the user right
"Access this computer from the network", if Enterprise Admins does not have this permission.

Then refresh your Security Policy using the following command:


Try this out and let me know if it resolves your problem.

If it doesn't, then try the steps mentioned in TechNet article Q248410.


qubiac (Author) commented:
I have tried a lot of different things with this problem.
I installed netdiag.exe which analyses the network for errors from the selected server. Look below for the error that it reported, what can I do to fix that?

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/' is missing on DC ''.
    [WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC ''.

and I also got this one

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\SERVER2'.
    Cannot test secure channel to PDC emulator since you are not an administrator.

Any ideas?
Do you have another DC?  If so, use ntdsutil to delete the bad references to this server.
qubiac (Author) commented:

Yes, I think about doing that. But it seems somewhat difficult to delete the references?
Do you have advice for me how to do it?

qubiac (Author) commented:
Thanks, I found it and I'm currently removing the info from my primary DC.
qubiac (Author) commented:
OK, I think that I got everything removed now from the DC. Now I want to re-add my other DC to the primary DC. How can I do that?
Try running DCpromo
qubiac (Author) commented:
It seems as if my secondary DC is in a "between-state"; in other words, my primary DC does not have any secondary DC and my secondary DC still believes that it is a DC.
Running dcpromo makes my secondary DC try to remove the AD on itself, but I get "The specified domain either does not exist or could not be contacted", so it seems that it is a DNS error, or what do you think?
qubiac (Author) commented:
I still get errors... I fixed the DNS, I think.
And running dcpromo gives me the following error:

The operation failed because:

The Directory Service failed to replicate off changes made locally.

"The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). "
How many DCs do you have?  Who holds the schema masters?
qubiac (Author) commented:
I have 2 DCs. My primary DC holds it.
Remove AD from the secondary, let the normal replication period pass, 15 minutes, then run DCPROMO to put a replica back on it.
qubiac (Author) commented:
How can I remove the AD on the secondary DC?
When I run dcpromo to remove AD on the secondary DC, it wants to connect to the primary DC first, and that's where it currently fails.
Are there other ways to remove AD on a server?
qubiac (Author) commented:
What do you think about this approach?

If the demotion failed, you can try the brute force approach:
1. Use Regedt32 to navigate to:


2. Edit the ProductType value name and change the data value from LanmanNT to ServerNT, using the exact case.

3. Shut down and restart the server.

4. Delete the NTDS folder.
You also have to make sure that you know the local admin account password.  When the system comes back up, remove it from the domain.  Delete the computer account from AD.  Then rejoin the domain.  At that point you should be able to run DCPROMO successfully.

qubiac (Author) commented:

Problem solved with ADSIEdit and DCPROMO and some restarts.
Deleted the information about the secondary DC on the first DC, then I ran ADSIEdit and removed all info about the secondary DC. Hacked the registry on the secondary DC to make it an ordinary server instead of a DC server.
Used DCPROMO to rejoin the domain.

Worked like a charm.