Solved

Error when creating user account

Posted on 2016-09-01
Last Modified: 2016-09-15
Hi guys,

We have 2 domain controllers, which gave us some issues, mainly replication. The team did a restore of a month-old snapshot and the other DC was not restored at the same time, so this kind of messed up the server!

So we have turned off replication for now and are working off just one server, which hosts all 5 FSMO roles and always did.

But one issue we are having is that when we create a user account we get the error below:

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

Even though that DC is the RID master.

Any ideas what I can do? It's a live DC and the only one, so I can't afford to make many changes and restart unless out of hours.
Question by:Sundeep V
8 Comments
 

Author Comment

by:Sundeep V
ID: 41779556
Please find attached dcdiag tests
DC1.txt

Expert Comment

by:sAMAccountName
ID: 41780160
The problem seems to be that the unary role "RID Master" is hosted by the sole DC that's operational, but that DC does not consider it valid. See this portion of the error in the DCDiag output:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

            Operations which require contacting a FSMO operation master will fail until this condition is corrected.

            FSMO Role: CN=RID Manager$,CN=System,DC=group,DC=dc,DC=eu

            User Action:

            1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.

            2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.

            3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

I would try seizing the roles again for starters. Also, it would be wise to completely power down the other server so clients aren't using it.
 

Author Comment

by:Sundeep V
ID: 41780165
Do I need to seize all roles or just the RID one? Also, is there any site with documentation on how to perform the role seizure?

Accepted Solution

by:
sAMAccountName earned 500 total points
ID: 41780203
Seize them all. There is no sense in keeping them on the other server - you should be working toward abandoning it and rebuilding it anew.

PowerShell for this is here (borrowed from TechNet for simplicity, "Move FSMO roles"):

Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force
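
A read-only check to run before and after the seizure, added here as an example and not part of the original answer: it lists which DC each of the five roles points at and decodes the RID pool counter on the RID Manager$ object. It assumes the surviving DC is named DC1, as in the command above, and that the ActiveDirectory module is installed.

```powershell
# Added example: read-only checks, nothing here modifies the directory.
# Assumption: 'DC1' is the surviving DC, as in the command above.
Import-Module ActiveDirectory
$Server = 'DC1'

# FQDN of the DC that is expected to hold every role.
$expected = (Get-ADDomainController -Identity $Server -Server $Server).HostName

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
$forest = Get-ADForest -Server $Server
$domain = Get-ADDomain -Server $Server
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role         = $role.Key
        Holder       = $role.Value
        OnExpectedDC = ($role.Value -eq $expected)
    }
}
$report | Format-Table -AutoSize

# rIDAvailablePool is one 64-bit value: the high 32 bits are the ceiling of
# RIDs the domain can issue, the low 32 bits are the RIDs already handed out.
$ridManagerDN = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridManager = Get-ADObject -Server $Server -Identity $ridManagerDN -Properties rIDAvailablePool
[int64]$pool = $ridManager.rIDAvailablePool
$ceiling = $pool -shr 32
$issued  = $pool -band 4294967295   # decimal literal, so it is parsed as Int64

[pscustomobject]@{
    RidsIssued    = $issued
    RidCeiling    = $ceiling
    RidsRemaining = $ceiling - $issued
} | Format-List

# Built-in validation of the RID master, then the replication status that
# the dcdiag message asks for.
dcdiag /s:$Server /test:RidManager /v
repadmin /showrepl $Server
```

Every row should show OnExpectedDC as True; the dcdiag and repadmin output is where a role the DC "does not consider valid" shows up.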

 

Author Comment

by:Sundeep V
ID: 41781363
When you say other server, the server I am talking about already houses all the FSMO roles; it's not on the other server and never was. That's what's bugging me. Do I still need to seize all as above?

Expert Comment

by:sAMAccountName
ID: 41788516
Yes. Go through the process of seizing them again. If it fails, it will harm nothing, but if it succeeds, you may fix a major part of the problem.
 

Author Comment

by:Sundeep V
ID: 41789176
Great, thanks. I did that and it worked, but it created another problem, so I will create another question for that.

Expert Comment

by:sAMAccountName
ID: 41799956
Can you link the other question? I'm curious...