Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Error when creating user acount

Posted on 2016-09-01
8
Medium Priority
?
112 Views
Last Modified: 2016-09-15
Hi Guys

we have 2 domain controllers, which gave us some issues, mainly replication. Because team did a snapshot restore of month old and the other dc was not restored too at same time so this kinda messed up the server!

So we have turned off replication for now and working just off one server which hosts all the 5 FSMO roles and always did.

But one issue we having is when we create a user account we get below error

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

even though that DC is the RID master.

any ideas what i can do? its a live dc and the only one so cant afford to do much changes and restart unless out of hours.
0
Comment
Question by:Sundeep V
  • 4
  • 4
8 Comments
 

Author Comment

by:Sundeep V
ID: 41779556
Please find attached dcdiag tests
DC1.txt
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41780160
The problem seems to be the unary role "RID Master" is hosted by the sole DC thats operational, but that DC does not consider it valid.  See this portion of the error in the DCDiag output:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

            Operations which require contacting a FSMO operation master will fail until this condition is corrected.

            FSMO Role: CN=RID Manager$,CN=System,DC=group,DC=dc,DC=eu

            User Action:

            1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.

            2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.

            3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

I would try siezing the roles again for starters.  Also, it would be wise to completely power down the other server so clients arent using it
0
 

Author Comment

by:Sundeep V
ID: 41780165
Do i need to seize all roles or just the RID one? also any site with documentation on how to perform them role seizure?
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
LVL 6

Accepted Solution

by:
sAMAccountName earned 2000 total points
ID: 41780203
Sieze them all.  There is no sense in keeping them on the other server - you should be working toward abandoning it and rebuilding it anew.

Powershell for this is here:  (borrowed from technet for simplicity Move FSMO roles )

Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

Open in new window

0
 

Author Comment

by:Sundeep V
ID: 41781363
When you say other server, the server i am talking about already houses all the FSMO roles, its not on the other server and never was. Thats whats bugging me. Do i still need to seize all as above?
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41788516
Yes.  Go through the process of siezing them again.  if it fails, it will harm nothing but if it succeeds, you may fix a major part of the problem.
0
 

Author Comment

by:Sundeep V
ID: 41789176
great thanks did that and it worked, but created another problem so will create another question for that
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41799956
Can you link the other question?  Im curious...
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question