Error when creating user acount

Posted on 2016-09-01
Last Modified: 2016-09-15
Hi Guys

we have 2 domain controllers, which gave us some issues, mainly replication. Because team did a snapshot restore of month old and the other dc was not restored too at same time so this kinda messed up the server!

So we have turned off replication for now and working just off one server which hosts all the 5 FSMO roles and always did.

But one issue we having is when we create a user account we get below error

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

even though that DC is the RID master.

any ideas what i can do? its a live dc and the only one so cant afford to do much changes and restart unless out of hours.
Question by:Sundeep V
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4

Author Comment

by:Sundeep V
ID: 41779556
Please find attached dcdiag tests

Expert Comment

ID: 41780160
The problem seems to be the unary role "RID Master" is hosted by the sole DC thats operational, but that DC does not consider it valid.  See this portion of the error in the DCDiag output:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

            Operations which require contacting a FSMO operation master will fail until this condition is corrected.

            FSMO Role: CN=RID Manager$,CN=System,DC=group,DC=dc,DC=eu

            User Action:

            1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.

            2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.

            3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on

I would try siezing the roles again for starters.  Also, it would be wise to completely power down the other server so clients arent using it

Author Comment

by:Sundeep V
ID: 41780165
Do i need to seize all roles or just the RID one? also any site with documentation on how to perform them role seizure?
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Accepted Solution

sAMAccountName earned 500 total points
ID: 41780203
Sieze them all.  There is no sense in keeping them on the other server - you should be working toward abandoning it and rebuilding it anew.

Powershell for this is here:  (borrowed from technet for simplicity Move FSMO roles )

Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

Open in new window


Author Comment

by:Sundeep V
ID: 41781363
When you say other server, the server i am talking about already houses all the FSMO roles, its not on the other server and never was. Thats whats bugging me. Do i still need to seize all as above?

Expert Comment

ID: 41788516
Yes.  Go through the process of siezing them again.  if it fails, it will harm nothing but if it succeeds, you may fix a major part of the problem.

Author Comment

by:Sundeep V
ID: 41789176
great thanks did that and it worked, but created another problem so will create another question for that

Expert Comment

ID: 41799956
Can you link the other question?  Im curious...

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
Here's a look at newsworthy articles and community happenings during the last month.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question