Solved

Error when creating user account

Posted on 2016-09-01
Last Modified: 2016-09-15
Hi Guys,

We have 2 domain controllers, which gave us some issues, mainly replication. The team did a restore of a month-old snapshot and the other DC was not restored at the same time, so this kind of messed up the server!

So we have turned off replication for now and are working off just one server, which hosts all 5 FSMO roles and always did.

But one issue we are having is that when we create a user account we get the error below:

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

Even though that DC is the RID master.

Any ideas what I can do? It's a live DC and the only one, so we can't afford to make many changes or restart unless out of hours.
0
Question by:Sundeep V
8 Comments
 

Author Comment

by:Sundeep V
ID: 41779556
Please find attached dcdiag tests
DC1.txt
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41780160
The problem seems to be that the unary role "RID Master" is hosted by the sole DC that's operational, but that DC does not consider it valid. See this portion of the error in the DCDiag output:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

            Operations which require contacting a FSMO operation master will fail until this condition is corrected.

            FSMO Role: CN=RID Manager$,CN=System,DC=group,DC=dc,DC=eu

            User Action:

            1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.

            2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.

            3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

I would try seizing the roles again for starters. Also, it would be wise to completely power down the other server so clients aren't using it.
0
 

Author Comment

by:Sundeep V
ID: 41780165
Do I need to seize all roles or just the RID one? Also, is there any site with documentation on how to perform the role seizure?
0
 
LVL 6

Accepted Solution

by:
sAMAccountName earned 500 total points
ID: 41780203
Seize them all. There is no sense in keeping them on the other server - you should be working toward abandoning it and rebuilding it anew.

PowerShell for this is here (borrowed from TechNet for simplicity, "Move FSMO roles"):

Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force


0
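An added example, not part of the original thread or written by its participants: a read-only PowerShell check to run before and after the seizure above. It shows which server holds each FSMO role, what the RID Manager$ object from the dcdiag output records as its role owner, and how much of the domain RID pool remains. It assumes the ActiveDirectory module is installed and reuses the DC name "DC1" from the answer.

```powershell
# Added example (not from the thread): read-only FSMO / RID health check.
# Assumptions: ActiveDirectory module is available; "DC1" is the DC name
# used in the answer above. Nothing here modifies the directory.
Import-Module ActiveDirectory

$server = 'DC1'
$domain = Get-ADDomain -Server $server
$forest = Get-ADForest -Server $server

# 1. Role holders as this DC sees them.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. The RID Manager$ object named in the dcdiag output.
#    fSMORoleOwner holds the DN of the owning DC's NTDS Settings object.
$ridDn  = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridMgr = Get-ADObject -Identity $ridDn -Server $server `
            -Properties fSMORoleOwner, rIDAvailablePool

# rIDAvailablePool is a 64-bit value: the high 32 bits are the upper limit
# of the domain RID space, the low 32 bits are the RIDs already handed out
# to domain controllers in pools.
[int64]$pool = $ridMgr.rIDAvailablePool
$issued = $pool % 4294967296
$total  = ($pool - $issued) / 4294967296

[pscustomobject]@{
    RoleOwner     = $ridMgr.fSMORoleOwner
    RidsIssued    = $issued
    RidsRemaining = $total - $issued
} | Format-List

# 3. dcdiag's own RID master test, plus the replication status that
#    the dcdiag output in this thread tells you to inspect.
dcdiag /s:$server /test:RidManager /v
repadmin /showrepl $server
```

After a successful seizure, RoleOwner should name the NTDS Settings object under DC1 and the RidManager test should pass without the "does not consider it valid" warning.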
 

Author Comment

by:Sundeep V
ID: 41781363
When you say other server: the server I am talking about already houses all the FSMO roles; they are not on the other server and never were. That's what's bugging me. Do I still need to seize all as above?
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41788516
Yes. Go through the process of seizing them again. If it fails, it will harm nothing, but if it succeeds, you may fix a major part of the problem.
0
 

Author Comment

by:Sundeep V
ID: 41789176
Great, thanks. Did that and it worked, but it created another problem, so I will create another question for that.
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41799956
Can you link the other question? I'm curious...
0
