Request for new account identifier pool failed

Posted on 2010-11-28
Last Modified: 2012-05-10
Hi,

Having major issues with my setup. I have the following on my network (all machines are Hyper-V VMs on the same physical host):

2 domain controllers (dc1 & dc2) - Windows 2008 R2

I had run a script to create 400+ users in our Active Directory; it created about 200 before it started giving errors stating that there are no more account identifier pools available. I've been searching on the web but am unable to find a fix. I had lots of errors, so I disabled then re-enabled the VM time sync for each guest OS, which reduced some errors, and now users can log in. However, I'm still getting lots of errors in dcdiag. Any help is much appreciated. Here's the output of dcdiag:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = dc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\DC1

      Starting test: Connectivity

         ......................... DC1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\DC1

      Starting test: Advertising

         ......................... DC1 passed test Advertising

      Starting test: FrsEvent

         ......................... DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC1 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x8000051C

            Time Generated: 11/28/2010   11:16:13

            Event String:

            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.


         A warning event occurred.  EventID: 0x8000082C

            Time Generated: 11/28/2010   11:27:12

            Event String:


         ......................... DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC1 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,DC1] A recent replication attempt failed:

            From DC2 to DC1

            Naming Context: DC=ForestDnsZones,DC=example,DC=com

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2010-11-28 11:11:57.

            The last success occurred at 2010-11-03 01:50:19.

            613 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         [Replications Check,DC1] A recent replication attempt failed:

            From DC2 to DC1

            Naming Context: DC=DomainDnsZones,DC=example,DC=com

            The replication generated an error (8456):

            The source server is currently rejecting replication requests.

            The failure occurred at 2010-11-28 11:14:53.

            The last success occurred at 2010-11-03 01:50:19.

            623 failures have occurred since the last success.

            Replication has been explicitly disabled through the server

            options.

         [Replications Check,DC1] A recent replication attempt failed:

            From DC2 to DC1

            Naming Context: CN=Schema,CN=Configuration,DC=example,DC=com

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2010-11-28 11:11:57.

            The last success occurred at 2010-11-03 01:50:19.

            608 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         [Replications Check,DC1] A recent replication attempt failed:

            From DC2 to DC1

            Naming Context: CN=Configuration,DC=example,DC=com

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2010-11-28 11:11:57.

            The last success occurred at 2010-11-03 01:50:19.

            610 failures have occurred since the last success.

            Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         [Replications Check,DC1] A recent replication attempt failed:

            From DC2 to DC1

            Naming Context: DC=example,DC=com

            The replication generated an error (8456):

            The source server is currently rejecting replication requests.

            The failure occurred at 2010-11-28 11:13:03.

            The last success occurred at 2010-11-03 02:32:26.

            612 failures have occurred since the last success.

            Replication has been explicitly disabled through the server

            options.

         ......................... DC1 failed test Replications

      Starting test: RidManager

         ......................... DC1 passed test RidManager

      Starting test: Services

         ......................... DC1 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 11/28/2010   10:46:13

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x0000000C

            Time Generated: 11/28/2010   10:46:48

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 11/28/2010   10:46:50

            Event String:

            Name resolution for the name 10.in-addr.arpa timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 11/28/2010   10:48:51

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/dc1.example.com; WSMAN/dc1.


         An error event occurred.  EventID: 0x00004105

            Time Generated: 11/28/2010   10:56:33

            Event String:

            The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.

         An error event occurred.  EventID: 0x0000410B

            Time Generated: 11/28/2010   10:56:33

            Event String:

            The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is


         An error event occurred.  EventID: 0x0000041E

            Time Generated: 11/28/2010   10:56:54

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 11/28/2010   11:01:54

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         An error event occurred.  EventID: 0x0000041E

            Time Generated: 11/28/2010   11:06:54

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 11/28/2010   11:11:11

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 11/28/2010   11:11:19

            Event String:

            Name resolution for the name _ldap._tcp.dc._msdcs.example.com timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 11/28/2010   11:12:14

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the Active Directory Web Services service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 11/28/2010   11:12:14

            Event String:

            The Active Directory Web Services service failed to start due to the following error:


         A warning event occurred.  EventID: 0x0000000C

            Time Generated: 11/28/2010   11:12:20

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

         A warning event occurred.  EventID: 0x00000090

            Time Generated: 11/28/2010   11:12:36

            Event String:

            The time service has stopped advertising as a good time source.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 11/28/2010   11:14:23

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/dc1.example.com; WSMAN/dc1.


         ......................... DC1 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : example

      Starting test: CheckSDRefDom

         ......................... example passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... example passed test CrossRefValidation

   
   Running enterprise tests on : example.com

      Starting test: LocatorCheck

         ......................... example.com passed test LocatorCheck

      Starting test: Intersite

         ......................... example.com passed test Intersite

Question by:rcs81
9 Comments
LVL 57

Expert Comment

by:Mike Kline
ID: 34226025
What errors are you seeing in your logs?

These boxes haven't replicated in about a month now and you are getting the "The source server is currently rejecting replication requests." error.

That is why I was asking about the events. Did you restore this box from an image?

Thanks

Mike
LVL 1

Author Comment

by:rcs81
ID: 34226112
Hi Mike,

I didn't restore from an image. The reason they didn't replicate was because I had powered off dc2 for about 20 days; I needed to free up memory on the Hyper-V host for a side project. So yesterday I finished my side project, took down that VM and started dc2 back up. Everything was working fine on DC1 about two days ago; just yesterday I started having issues when trying to create the 400+ users.
I'd also like to mention that if I delete a user from dc1, this user also gets removed from dc2. Doesn't that mean that replication IS working?

Here are some events from the event log on DC1:
Level: Error
Date & Time: 11/28/2010 1:12PM
Source: GroupPolicy
EventID: 1054
General:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller.  This could be caused by a name resolution failure. Verify your Domain Name System is configured and working correctly.

Level: warning
Date & time: 11/28/2010 1:12PM
Source: ActiveDirectory_DomainService

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=RID Manager$,CN=System,DC=example,DC=com

Thanks
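The two Directory Service errors in the dcdiag output above (0x4105 and 0x410B are events 16645 and 16651) and the 2092 warning quoted in this comment describe the same condition: DC1 has used up its RID allocation, and although it holds the RID master role it will not hand itself a new pool until it has replicated with a partner. The script below is an added example, not code from the thread; it reads the domain-wide pool from CN=RID Manager$ and the DC's own RID Set so you can see exactly how many RIDs are left on each side. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is available and that the caller can read those objects; the function names are mine.

```powershell
# Added example (not from the thread): decode the domain RID pool and one DC's
# RID Set. Assumes the ActiveDirectory module is installed and the caller can
# read CN=RID Manager$,CN=System,<domain> and the DC's "CN=RID Set" object.
Import-Module ActiveDirectory

# Pool attributes are 64-bit "large integers": low 32 bits = first/next RID,
# high 32 bits = last RID of the range.
function Split-RidPool([int64]$Value) {
    $high = [int64][math]::Floor($Value / 4294967296)   # 2^32
    $low  = $Value - ($high * 4294967296)
    New-Object PSObject -Property @{ Low = $low; High = $high }
}

function Get-RidPoolStatus {
    param([string]$DomainController = $env:COMPUTERNAME)

    $domain   = Get-ADDomain
    $ridMgrDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
    $ridMgr   = Get-ADObject $ridMgrDn -Properties rIDAvailablePool, fSMORoleOwner
    $global   = Split-RidPool $ridMgr.rIDAvailablePool

    # rIDSetReferences on the DC's computer object points at its RID Set.
    $dc     = Get-ADComputer $DomainController -Properties rIDSetReferences
    $ridSet = Get-ADObject $dc.rIDSetReferences[0] `
                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $current  = Split-RidPool $ridSet.rIDAllocationPool
    $previous = Split-RidPool $ridSet.rIDPreviousAllocationPool

    New-Object PSObject -Property @{
        RidMaster            = $domain.RIDMaster            # from Get-ADDomain
        RidMasterPerFsmoAttr = $ridMgr.fSMORoleOwner        # NTDS Settings DN on RID Manager$
        DomainNextRid        = $global.Low                  # next RID the master will hand out
        DomainMaxRid         = $global.High
        DomainRidsLeft       = $global.High - $global.Low
        DcCurrentPool        = "{0}-{1}" -f $current.Low, $current.High
        DcPreviousPool       = "{0}-{1}" -f $previous.Low, $previous.High
        DcNextRid            = $ridSet.rIDNextRID           # DC's position inside its pool
        DcRidsLeftInPool     = $current.High - $ridSet.rIDNextRID
    }
}

Get-RidPoolStatus | Format-List
Get-RidPoolStatus -DomainController 'dc2' | Format-List   # host name from the thread
```

If DcRidsLeftInPool is at or near zero while DomainRidsLeft is still large, the domain has plenty of RIDs and the problem is purely that the DC cannot get the RID master to issue a fresh block; with event 2092 present, the fix has to start with replication, not with the RID pool itself. Running the function against both DCs also shows whether the two disagree about who the RID master is.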
LVL 57

Expert Comment

by:Mike Kline
ID: 34226426
You can run repadmin /showrepl to verify replication from both dcs.

Are you seeing any DNS errors?  How is DNS setup?

Thanks

Mike
LVL 1

Author Comment

by:rcs81
ID: 34226935
I don't see any DNS errors. DNS was set up using the default settings when we ran dcpromo.

FYI -none of my users are able to login now. Not sure what changed.

I'll get the output from repadmin /showrepl and post shortly.
LVL 1

Author Comment

by:rcs81
ID: 34227083
Here's the output from repadmin /showrepl:



Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\DC1

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: ad86ead9-ae56-4a49-a08e-21c382c4c05e

DSA invocationID: ad86ead9-ae56-4a49-a08e-21c382c4c05e



==== INBOUND NEIGHBORS ======================================



DC=example,DC=com

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 486c82f5-d0f2-49fb-8d14-2310ac13f500

        Last attempt @ 2010-11-28 16:56:04 failed, result 8456 (0x2108):

            The source server is currently rejecting replication requests.

        619 consecutive failure(s).

        Last success @ 2010-11-03 02:32:26.



CN=Configuration,DC=example,DC=com

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 486c82f5-d0f2-49fb-8d14-2310ac13f500

        Last attempt @ 2010-11-28 16:56:04 failed, result 8456 (0x2108):

            The source server is currently rejecting replication requests.

        616 consecutive failure(s).

        Last success @ 2010-11-03 01:50:19.



CN=Schema,CN=Configuration,DC=example,DC=com

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 486c82f5-d0f2-49fb-8d14-2310ac13f500

        Last attempt @ 2010-11-28 16:56:04 failed, result 8456 (0x2108):

            The source server is currently rejecting replication requests.

        614 consecutive failure(s).

        Last success @ 2010-11-03 01:50:19.



DC=DomainDnsZones,DC=example,DC=com

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 486c82f5-d0f2-49fb-8d14-2310ac13f500

        Last attempt @ 2010-11-28 16:56:04 failed, result 8456 (0x2108):

            The source server is currently rejecting replication requests.

        631 consecutive failure(s).

        Last success @ 2010-11-03 01:50:19.



DC=ForestDnsZones,DC=example,DC=com

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 486c82f5-d0f2-49fb-8d14-2310ac13f500

        Last attempt @ 2010-11-28 16:56:04 failed, result 8456 (0x2108):

            The source server is currently rejecting replication requests.

        619 consecutive failure(s).

        Last success @ 2010-11-03 01:50:19.



Source: Default-First-Site-Name\DC2

******* 631 CONSECUTIVE FAILURES since 2010-11-03 02:32:26

Last error: 8456 (0x2108):

            The source server is currently rejecting replication requests.



Thanks
LVL 57

Expert Comment

by:Mike Kline
ID: 34227261
Are you seeing any of these Event IDs:  1388, 1988, 2042

Thanks

Mike
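Mike's two requests (repadmin /showrepl from both DCs, and a search for events 1388, 1988 and 2042) are worth collecting in one pass rather than by eye, because the interesting answer for error 8456 is on the source side (DC2), not on the DC reporting the failure. The script below is an added example, not code from the thread. It parses repadmin's CSV output so failing links can be filtered, reads the two settings that make a DC answer "rejecting replication requests" (DISABLE_INBOUND_REPL/DISABLE_OUTBOUND_REPL in repadmin /options, and the "Dsa Not Writable" registry value a DC sets on itself after detecting a USN rollback), and pulls the related Directory Service events from both machines. It assumes the host names dc1 and dc2 from the thread, a domain admin session on a DC with repadmin.exe, and that the Remote Registry service and remote event log access are reachable on both DCs; the function names are mine.

```powershell
# Added example (not from the thread): collect replication evidence from both DCs.
# Assumes: run as domain admin on a DC, repadmin.exe present, Remote Registry and
# remote event log access allowed on the targets. Host names are the thread's.
$dcs = @('dc1', 'dc2')

# 1. repadmin /showrepl * /csv gives one row per inbound link; ConvertFrom-Csv
#    lets us filter on the failure count instead of reading the text dump.
function Get-ReplLinkStatus {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
            @{ n = 'Failures'; e = { [int]$_.'Number of Failures' } },
            'Last Success Time', 'Last Failure Status'
}

# 2. Why a source answers 8456: replication switched off in its DSA options, or the
#    DC marked itself "Dsa Not Writable" (REG_DWORD under NTDS\Parameters) after a
#    USN rollback. Read via reg.exe so it works even when WinRM is unhealthy.
function Get-DcReplFlags([string]$Dc) {
    $options = (repadmin /options $Dc) -join ' '
    $regOut  = reg query "\\$Dc\HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
                   /v 'Dsa Not Writable' 2>$null
    $line = $regOut | Where-Object { $_ -match 'REG_DWORD' } | Select-Object -First 1
    $dsaNotWritable = $null
    if ($line -and $line -match '(0x[0-9a-fA-F]+)') { $dsaNotWritable = [int]$Matches[1] }
    New-Object PSObject -Property @{
        DC               = $Dc
        InboundDisabled  = [bool]($options -match 'DISABLE_INBOUND_REPL')
        OutboundDisabled = [bool]($options -match 'DISABLE_OUTBOUND_REPL')
        DsaNotWritable   = $dsaNotWritable   # $null means the value is not set
    }
}

# 3. The events Mike asked about and their neighbours: 1388/1988 lingering objects,
#    2042 too long since last replication, 2095 USN rollback, 2092 FSMO role not
#    validated, 16645/16651 RID pool exhausted / new pool request failed.
function Get-ReplEvents([string]$Dc, [int]$Days = 30) {
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1388, 1988, 2042, 2092, 2095, 16645, 16651
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $Dc } }, TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

Get-ReplLinkStatus | Where-Object { $_.Failures -gt 0 } | Format-Table -AutoSize
$dcs | ForEach-Object { Get-DcReplFlags $_ } | Format-Table -AutoSize
$dcs | ForEach-Object { Get-ReplEvents $_ } | Sort-Object TimeCreated | Format-Table -AutoSize
```

Read the second table first: an OutboundDisabled of True or a non-null DsaNotWritable on dc2 is the direct cause of every 8456 that dc1 reports, and the third table then tells you why it was set (a 2095 means the VM was rolled back to an older state, a 2042 means the partners were apart longer than the tombstone lifetime). Only if both come back clean does the DNS/KDC path in the 1908 errors become the next thing to chase.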
LVL 1

Author Comment

by:rcs81
ID: 34227420
No, I don't see any of those event IDs.

Thanks,
LVL 1

Accepted Solution

by:
rcs81 earned 0 total points
ID: 34670291
Moderator,

Please close out this question. I ended up re-building the environment.

Thanks!
LVL 1

Author Closing Comment

by:rcs81
ID: 34794073
Re-installed new DC, removed old one.