Failed RidMaster

We have 3 domain controllers (2008 and 2008 R2), where one holds all FSMO roles except the Infrastructure Master.
If we create a new account in Active Directory we get the error "The directory service has exhausted the pool of relative identifiers". We get this error on all domain controllers.
I ran dcdiag and discovered that the RID Manager role failed with "The DS has corrupt data: rIDAvailablePool value is not valid".

I tried to seize the role, but it didn't need seizing.
I removed some old entries of long, long, long retired domain controllers.
I tried to set up a new domain with a trust, but again got the identifiers error when making the trust.

Any suggestions are welcome.

Thanks Robin

Dan McFadden, Systems Engineer, commented:
OK, this generally means that the RID Master role is not available.  You need to run a DCDIAG to check out the health of your AD infrastructure.  Run the following command from a command prompt:

** you should be in the enterprise admin group to execute this **

1. logon to one of the functioning DCs
2. open a command prompt
3. at the prompt, run:  dcdiag /e /v > dcdiag.txt

This will save the output of the command into a file called dcdiag.txt.

While you are on the above server, I would run this command as well:

from the same command prompt, run:  netdom query /domain:YourDomain.Name /fsmo

Posting the output of the 2 commands will help troubleshoot the issue.

Radhakrishnan R, Senior Technical Lead, commented:

As per the error, it appears that the RID pool has been exhausted? To verify whether you have enough RID pool, follow these steps:

In the command prompt;

Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"

It will give the following results;

 * Available RID Pool for the Domain is 2100 to 1073741823

Once you have confirmed that the DC has enough RID pools, apply this hotfix to the server.

I hope this resolves the issue.
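
The range dcdiag prints above ("2100 to 1073741823") is the two 32-bit halves of the 64-bit rIDAvailablePool attribute on the domain's RID Manager$ object. The following PowerShell is an added example, not part of any poster's reply; the function name and the sanity checks are assumptions for illustration and are not dcdiag's own validation logic.

```powershell
# Added example (not from the thread). Splits a raw rIDAvailablePool value:
#   high 32 bits = upper bound of the domain RID space
#   low  32 bits = next RID not yet handed out to a DC in a pool
# The checks below are illustrative assumptions, not dcdiag's exact test.
function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory = $true)][Int64]$Value)

    $ceiling = [Int64]1073741823   # upper bound seen in the dcdiag sample line
    $low     = [Int64]0
    # DivRem keeps full 64-bit precision (no round trip through a double)
    $high    = [Math]::DivRem($Value, [Int64]4294967296, [ref]$low)

    if     ($Value -lt 0)       { $status = 'INVALID: negative value' }
    elseif ($high -gt $ceiling) { $status = 'INVALID: upper bound above ceiling' }
    elseif ($low -gt $high)     { $status = 'INVALID: next RID beyond upper bound' }
    elseif ($low -eq $high)     { $status = 'EXHAUSTED' }
    else                        { $status = 'OK' }

    New-Object PSObject -Property @{
        NextRid   = $low
        MaxRid    = $high
        Remaining = [Math]::Max([Int64]0, $high - $low)
        Status    = $status
    } | Select-Object NextRid, MaxRid, Remaining, Status
}

# Constructed sample values (not taken from the asker's domain)
$max     = [Int64]1073741823 * 4294967296
$samples = @(
    ($max + 2100),                          # matches "2100 to 1073741823"
    ($max + 1073741823),                    # every RID handed out
    ([Int64]2100 * 4294967296 + 1073741823) # halves swapped: inconsistent
)
$samples | ForEach-Object { ConvertFrom-RidAvailablePool -Value $_ } |
    Format-Table -AutoSize

# Against a live domain (placeholder DN; requires the ActiveDirectory module):
#   $o = Get-ADObject 'CN=RID Manager$,CN=System,DC=example,DC=com' `
#            -Properties rIDAvailablePool
#   ConvertFrom-RidAvailablePool -Value $o.rIDAvailablePool
```

The first sample reports OK with NextRid 2100, the second EXHAUSTED with 0 remaining, and the third is flagged INVALID because the next RID exceeds the upper bound.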
HC-ICT, Author, commented:
Hi Dan

Thanks for your reply.

I have attached the DCDIAG as requested.

Below is my FSMO query:

C:\Users\Administrator>netdom query / fsmo
Schema master       
Domain naming master
RID pool manager  
Infrastructure master


HC-ICT, Author, commented:
Hi hakrishnan

Your command does not give me any output. Without the pipe I have:

Starting test: RidManager
   The DS has corrupt data: rIDAvailablePool value is not valid
   ......................... DC-01 failed test RidManager
Radhakrishnan R, Senior Technical Lead, commented:
Did you apply the update and reboot the server? I think you are going to end up with a demote and promote after seizing the role to a different server.
HC-ICT, Author, commented:
Hi Radhakrishnan

No, I did not apply the hotfix because I did not get confirmation that I have enough RID pools.

My RID Manager has corrupted data. So I guess I don't have pools at all.

Do you think the hotfix will fix my data? Because I can't get that verified from the KB.
Dan McFadden, Systems Engineer, commented:
You are getting the following events in your event log:

Event ID 16644 — RID Pool Request
** The event was in the dcdiag output, as follows:

Starting test: SystemLog

* The System Event log test
   An Error Event occurred.  EventID: 0x00004104

    Time Generated: 06/11/2015   10:29:47
    Event String:
            The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.

    ......................... DC-03 failed test SystemLog

*** This "EventID: 0x00004104" is "EventID 16644"

All 3 DCs are reporting a corrupt RID Pool value.

The DS has corrupt data: rIDAvailablePool value is not valid

Unfortunately this is a fatal error.  Here is the description of the issue from Microsoft:


Basically you need to build a new domain and migrate all devices over then decommission the old structure.


Radhakrishnan R, Senior Technical Lead, commented:

The hotfix is meant for preventing RID exhaustion and small RID-related issues, but it doesn't mention anything about "The DS has corrupt data: rIDAvailablePool value is not valid". This indicates that you have reached that stage and it can't be useful here.

My suggestion would be to log a support case with MS. I assume they may suggest something or ask you to create a new forest and migrate the data, as I have seen it before and the MS solution was similar to that. I hope your issue won't go that far. However, the best approach would be MS.

Dan McFadden, Systems Engineer, commented:
Unfortunately the resolution is straight up...  You need to build a new Active Directory Forest and migrate everything over.  This is what you will hear from Microsoft.

Unless you have a support contract with Microsoft, getting a response will be expensive.

HC-ICT, Author, commented:
Hi Dan and Radhakrishnan

Thanks to both of you for your help. I have come across some of the links and suggestions you have posted. And the solution that came out is the thing I was afraid of.

The thing is, I have tried to set up a new forest and domain, but I'm not able to make a trust because of this. With a running Exchange environment on the old domain... it's pretty messed up.

Anyway.

If you have some good suggestions on how to migrate to a new domain without a trust and migrate Exchange to that domain, they are very welcome!