Recovering Active Directory

rudejoe used Ask the Experts™
I just recovered my main Windows 2000 domain controller into a test environment to test my disaster recovery procedures. I have two domain controllers in my live environment, but this server holds all of the FSMO roles. I used Arcserve 9.0 to recover the server onto a new box and restore the Active Directory with an authoritative restore. The problem I am encountering now is that I keep getting an event ID 16650. I've searched the web and found instructions to add Authenticated Users and another group to the local security policy, but that does not seem to correct the problem. Although I am recovering in a test environment, I'd like to ensure that in the event of a real disaster, I would be able to restore both of my domain controllers and have them sync up and continue to provide authentication to the domain. Any advice would be greatly appreciated.
Well, try this. When you take the system down that has all the FSMO roles it would be a good idea to seize the roles to the other domain box. Then reload the box you took down and do the authoritative restore. The error might be that one of the roles has not come back correctly after the restore. The infrastructure master cannot be on the same server as the global catalog.

The problem is most likely due to the RID master not initializing properly. Since you are in a test environment you can seize the role. NOTE: Once you do this do not allow this machine back on your production network until it has been blown away and re-built.

Infrastructure Master and all other roles CAN be on the same box. Think about it... If it was not allowed you couldn't build your first/only DC; you'd have nowhere else for the role to reside until you built the second DC.
Well, it's not like it can't be set up that way, but it may not work properly if they are on the same box, since the infrastructure master looks at the global catalog if it doesn't have what it is looking for. If you only have one box that's kinda stupid for redundancy purposes. Two boxes would be great for redundancy and quicker logon times for users. It is possible to seize the roles in a test environment. Each role is still given out no matter the environment.
Thanks for the advice. I've included the exact error message in this message:

Event ID: 16650

The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

There are no other related messages in the event log. My one concern with seizing the roles is that I have another domain controller on the network which houses some key files and applications which would also need to be restored in the event of a total disaster. If I were to seize the roles, I would not be able to restore this machine in its entirety. I would be forced to do a partial restore and then I would have to re-install the applications.

Are there any other things I should be looking for or any other steps I should take before seizing the roles?

Thanks for all the great advice!

In your test, does the other DC hold any of the FSMO roles? Is it up and running? Can you dcpromo it down, get the first box up and running with AD (by seizing the roles if necessary), then dcpromo the box back up? What other apps are involved? E2K, SQL?


In my test environment, I've only restored this one server, but this server holds all of the roles in the production environment. I don't have another spare box to restore the other DC for testing purposes, but I want to ensure that in the event of a total disaster I would be able to restore both servers. As for other apps involved, I am not running E2K or SQL on any of the DCs, but I do have ADP software installed, Pervasive SQL 2000, and Synergy installed. None of these programs utilize AD. Do you think this error I am getting could be the result of the way that I restored the machine?

I initially installed this machine as a standalone Win2K box with the same name as the production server. I then installed Arcserve 9.0. I restored the drives and the active state, then I restarted the machine in Active Directory recovery mode and restored the active state once again in authoritative mode.


I am having the same problem, any luck with this?


I haven't found any workaround yet. If there is an existing Domain Controller already on the network it seems to sync up and resolve the problem.
Trouble is I am testing for our disaster recovery site and at the moment there will only be one DC there. Try this fix I found; I haven't tested it yet but it sounds promising, and is consistent with the problem we are both having, i.e. one DC in a lab environment.

During our testing of recovering the AD from a total disaster, we too had this similar issue. We contacted a Microsoft PSS person and he provided us with the following answer. This is a direct quote from the response. We executed the steps and the RID initialized with no problem.

In addition, we did do other metadata cleanup steps such as removing DCs we were not going to bring online and removing the DCs from AD Sites and Services.

Hope this helps...

"Restoring a DC invalidates its RID pool. After SRP1 there is a requirement for a restored RID master to sync with another DC in its own domain before bringing the RID master role on line. It can be any DC in the entire domain.

This scenario usually will only happen in a lab, as usually there will be another DC in a production domain available. If the only DC in the domain is restored there will be no replica links so the RID Master will come on line.

To fix the issue you can do one of 2 things.

1. Restore a second DC for the RID master to sync with.

2. Delete all of the replica links with repadmin. The syntax is:

repadmin /delete CN=Schema,CN=Configuration,DC=domainname,DC=com <restored server name> <guid-based-dns-name of replica partner> /localonly

The easiest way to get the GUID-based DNS name is to use repadmin /showreps /v first, where it will be displayed.

You have to delete the links for all naming contexts."
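An added example, not from this thread and not Microsoft's or repadmin's own code, that turns the PSS steps above into a script: it parses the output of repadmin /showreps /v and emits one repadmin /delete ... /localonly line for every naming context and replica partner, so no link is missed. The sample output, its layout (unindented naming-context headers, an "Address:" line carrying the GUID-based DNS name per partner), the server names and the GUIDs are all constructed assumptions, as are the names SAMPLE_SHOWREPS, parse_inbound_partners and build_delete_commands.

```python
import re
from typing import Dict, List

# Constructed sample of "repadmin /showreps /v" output; the layout is an
# assumption (not captured from a real DC). Each naming context header sits
# at column 0 and each inbound partner carries a GUID-based "Address:" line.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\RESTOREDDC

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\OLDDC2 via RPC
        Address: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.com

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\OLDDC2 via RPC
        Address: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.com

DC=example,DC=com
    Default-First-Site-Name\\OLDDC2 via RPC
        Address: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.com
    Default-First-Site-Name\\OLDDC3 via RPC
        Address: 99999999-8888-7777-6666-555555555555._msdcs.example.com
"""

NC_HEADER = re.compile(r"^(CN=|DC=)")          # naming-context line, unindented
ADDRESS = re.compile(r"^\s+Address:\s+(\S+)")  # GUID-based DNS name of a partner

def parse_inbound_partners(text: str) -> Dict[str, List[str]]:
    """Map each naming context to the GUID-based DNS names of its inbound partners."""
    partners: Dict[str, List[str]] = {}
    nc, inbound = None, False
    for line in text.splitlines():
        if line.startswith("===="):            # section banner; only INBOUND matters
            inbound = line.startswith("==== INBOUND")
        elif not inbound:
            continue
        elif NC_HEADER.match(line):
            nc = line.strip()
            partners.setdefault(nc, [])
        else:
            m = ADDRESS.match(line)
            if m and nc and m.group(1) not in partners[nc]:
                partners[nc].append(m.group(1))
    return partners

def build_delete_commands(text: str, restored_server: str) -> List[str]:
    """One 'repadmin /delete <NC> <server> <partner> /localonly' per replica link."""
    return [f"repadmin /delete {nc} {restored_server} {addr} /localonly"
            for nc, addrs in parse_inbound_partners(text).items() for addr in addrs]
```

Because every line is built from the DC's own showreps output, the naming contexts are passed exactly as repadmin reported them; review the generated list before running it on the restored DC.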
What I have already done, but need to wait and test tomorrow after a backup runs, is transferred the RID master to another DC in the live environment; after I restore the server in the test environment I should be able to seize the RID master role. Not sure if it will work but it's worth a shot.

I have tried the fix above but I keep getting a message saying 'the naming context specified for this replication operation is invalid'. Maybe I am typing it in wrong, but I can't seem to get it to work.
