TSI-WLV asked:

FSMO roles out of order after domain controller rebuild.

We had one of our Windows 2000 Advanced Server domain controllers go down along with the mirror of the drive. So I reinstalled everything from scratch and made it a DC again. We have 2 backup DCs as well. Now I am getting Event ID 16650 SAM errors every couple of minutes that say:

“The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.”

I think the problem is that this DC, which was the first DC in the domain as far as I know, had the FSMO roles on it. After making it a DC after the installation, it has assumed the FSMO roles again and I can't transfer them to another DC. When I try, it says:

“The transfer of the operations master role cannot be performed because: The requested FSMO operation failed. The current FSMO holder could not be contacted.”

In the Directory Service log I get an Event ID 1586 (NTDS Replication) error that says:
The checkpoint with the PDC was unsuccessful. The checkpointing process will be retried again in four hours. A full synchronization of the security database to downlevel domain controllers may take place if this machine is promoted to be the PDC before the next successful checkpoint. The error returned was: The naming context is in the process of being removed or is not replicated from the specified server.

How do I get the FSMO roles to another DC, and if I can, should I demote the redone DC and then reinstall Active Directory? Then would I put the FSMO roles back on it? I can't even edit the domain group policy from any server, etc.
ASKER CERTIFIED SOLUTION
Chris Dent
This solution is only available to members.

ASKER

When you say the dead DC can never come back onto the network after this operation without a complete rebuild, does that mean I have to reinstall Windows again? Can't I demote it and then promote it again?

It looks like the roles transferred over after I seized them.

If you already rebuilt it then there's no need to rebuild it again.

However, if you bring it online without it being rebuilt after seizing the roles the domain will argue about who really has them.

Chris

ASKER

I rebooted the rebuilt one, which is still a DC. It was running as a DC when I seized the roles on the other DC. The rebuilt DC does not have the roles anymore and I can open Group Policy, which I couldn't before. Do you think it will be OK as is? There are no errors in Event Viewer anymore.

ASKER

Plus, would it be OK to put the FSMO roles back on the rebuilt DC since that is where they were before, or should I leave it as is? The reason I ask is the backup DC is more likely to go down than the rebuilt DC, since it's only used for authentication and the backup is used for file storage and other purposes.

Yep, it's fine to put them back to the original. AD doesn't see them as the same machine, it gets brand new IDs so it won't conflict.

I'd advise you make all your DCs Global Catalog servers if they aren't already.

Chris

ASKER

It looks like everything is working now. Thanks for the help!

You're welcome :)

Chris