ajdratch

Active Directory can't create users. Error attribute rIdSetReferences missing

We put in two new server 2019 Domain Controllers to replace two 2008 R2 Domain Controllers.

The old DC that had the FSMO roles has been demoted and is off the network. We had problems getting AD removed but we eventually got all the issues cleared up and were able to properly remove AD from that server. Not sure this matters but there were errors trying to transfer the FSMO roles so we had to seize them.

The new DC named DC19-1 with all the FSMO roles and the remaining old DC are both working fine.

We can’t create a new user on the second new DC. We get the message:
Windows cannot create the object 2 because:
The directory service was unable to allocate a relative identifier.

We brought up a third 2019 server and made it a DC and it gets the same error message when trying to create a new user.

We can still add users on the old 2008 R2 DC.

Results from dcdiag /test:ridmanager /v:
      Starting test: RidManager
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.Domain.com is the RID Master
         * DsBind with RID Master was successful
         Warning: attribute rIdSetReferences missing from CN=DC19-1,OU=Domain Controllers,DC=Domain,DC=com
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
DC19-2 failed test RidManager

Anyone know how to fix this?

arnold

Were the master roles seized from the demoted 2008?
Double check using the ntdsutil tool who has the master role according to each.
Or dcdiag.

Did you restore AD or a DC server from backup?

https://www.tek-tips.com/viewthread.cfm?qid=1341155

Unraveling what the issue is first.
When you add to the 2008, does it appear on the 2019?
ajdratch

ASKER

All FSMO roles were seized from the old 2008 DC to the new 2019 DC. After that the old DC was demoted and is now offline.
All DCs show the new 2019 DC holds all FSMO roles.
Did not restore AD or DC from backup.
The users I add on the 2008 DC do show up on all three 2019 DCs.

arnold

You may have a profile issue. How are you adding users? PowerShell script, using ADUC on the 2019 server, or using RSAT remotely from a workstation?
Retarget to the domain controller and see if it makes a difference.

RODC?
Use DCDIAG /v to report on the state of the AD.
what does the

Was the metadata cleaned up to remove the old DC?
nslookup -q=srv _ldap._tcp.dc._msdcs.youraddomain.com

Is the old DC still in the list?
ajdratch

ASKER

Everything looks good when I ran nslookup -q=srv _ldap._tcp.dc._msdcs.youraddomain.com and DCDIAG /TEST:DNS /V /E.

The old DC that was removed is not showing up.

I ran DCDiag on a new 2019 DC, DC19-2, not the one with the FSMO roles, which is DC19-1. Below are the errors.

EventID: 0x80001396 The DFS Replication service is stopping communication with partner DC19-1 for replication group Domain System Volume due to an error.

EventID: 0xC000138A The DFS Replication service encountered an error communicating with partner DC19-1 for replication group Domain System Volume.

Error: 1753 (There are no more endpoints available from the endpoint mapper.)

 Starting test: RidManager
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.domain.com is the RID Master
         * DsBind with RID Master was successful
         Warning: attribute rIdSetReferences missing from
         CN=DC19-2,OU=Domain Controllers,DC=Domain,DC=com
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is "The requested FSMO operation failed. The current FSMO holder could not be contacted."

arnold

What name servers are the new DCs pointing to? Are they pointing to each other, to the remaining 2008, or to the old DC's IP?
ajdratch

ASKER

They point to themselves, but I did change one to point to the DC with the FSMO roles and that did not help.
DrDave242

All evidence points to something being wrong with the DC that holds the RID Master role. You don't have any sort of security software on there that would be preventing the other DCs from connecting to it, do you? If not, check the Directory Services event log on that server for errors. Feel free to post anything you find.

ajdratch

ASKER

These are the two errors showing in the Directory Services log on the DC that holds the FSMO roles:
Event ID 1977
The following directory service made a replication request for a writable directory partition that has been denied by the local directory service. The requesting directory service does not have access to a writable copy of this directory partition.
 Requesting directory service:
223ea3d8-2755-4f5d-a72a-dfd87d95e71f (DC19-2.domain.com)
Directory partition:
DC=domain,DC=com
 User Action
If the requesting directory service must have a writable copy of this partition, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes All access right.  You may also get this message during the transition period after a child partition has been removed. This message will cease when knowledge of the child partition removal has replicated throughout the forest.

Event 1699
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
 Directory partition:
CN=RID Manager$,CN=System,DC=Domain,DC=com
Network address:
223ea3d8-2755-4f5d-a72a-dfd87d95e71f._msdcs.Domain.com
Extended request code:
2
 Additional Data
Error value:
8453 Replication access was denied.

The strange part of this is that the old 2008 DC can still replicate to the new 2019 DC, but none of the other 2019 DCs can replicate.
DrDave242

Can you run repadmin /showrepl * on that DC and post the results?

ajdratch

ASKER

DC2008-2 is the old DC. It never had FSMO roles.
DC19-1 is the new DC with the FSMO roles.
DC19-2 and DC19-3 are new 2019 DCs.
I ran this on DC19-1.

Repadmin: running command /showrepl against full DC DC2008-2.Domain.com
Default-First-Site-Name\DC2008-2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
DSA invocationID: a8b39b89-cdf4-45a1-9b6d-f9958ac5fd9c
==== INBOUND NEIGHBORS ======================================
DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 13:05:57 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 13:15:15 was successful.

CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:58:02 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:58:02 was successful.

CN=Schema,CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:58:02 was successful.
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:58:02 was successful.

DC=ForestDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:58:02 was successful.
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:58:02 was successful.

DC=DomainDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 13:01:22 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 13:01:28 was successful.

Repadmin: running command /showrepl against full DC DC19-2.Domain.com
Default-First-Site-Name\DC19-2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
DSA invocationID: 910a86f3-4d7d-43e3-856b-5e17f5e6ffe7

==== INBOUND NEIGHBORS ======================================

DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 13:14:59 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        12 consecutive failure(s).
        Last success @ 2021-04-28 13:05:44.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 13:14:59 was successful.

CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:59:14 was successful.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:59:14 was successful.

CN=Schema,CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:59:14 was successful.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:59:14 was successful.

DC=DomainDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 13:01:07 was successful.
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 13:01:40 was successful.

DC=ForestDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:59:14 was successful.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:59:14 was successful.
Repadmin: running command /showrepl against full DC DC19-1.Domain.com
Default-First-Site-Name\DC19-1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
DSA invocationID: ec0ff707-f923-4bfa-872a-1b391e48e0d2

==== INBOUND NEIGHBORS ======================================

DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 13:14:34 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 13:15:12 was successful.

CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:55:12 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:55:12 was successful.

CN=Schema,CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:55:12 was successful.
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:55:12 was successful.

DC=ForestDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 12:55:12 was successful.
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 12:55:12 was successful.

DC=DomainDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-28 13:01:25 was successful.
    Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-28 13:01:25 was successful.

Repadmin: running command /showrepl against full DC DC19-3.Domain.com
Default-First-Site-Name\DC19-3
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
DSA invocationID: e8cd52b8-7b75-451c-850c-b6fb89051848

==== INBOUND NEIGHBORS ======================================

DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 13:14:52 was successful.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 13:15:05 was successful.

CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:58:57 was successful.
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:58:57 was successful.

CN=Schema,CN=Configuration,DC=Domain,DC=com
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:58:57 was successful.
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:58:57 was successful.

DC=ForestDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 12:58:57 was successful.
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 12:58:57 was successful.

DC=DomainDnsZones,DC=Domain,DC=com
    Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-28 13:01:10 was successful.
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 13:01:37 was successful.
DrDave242

DC=Domain,DC=com
    Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-28 13:14:59 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        12 consecutive failure(s).
        Last success @ 2021-04-28 13:05:44.

That's pretty strange. DC19-2 is getting an RPC error when replicating from DC2008-2, but only for the domain naming context. Firewalls are a common cause of RPC errors, but that obviously wouldn't apply to only a single NC. The data in the domain NC should be synchronized in any case, though, since DC19-2 is able to replicate it from DC19-1*, which is able to replicate it from DC19-3, which is (finally) able to replicate it from DC2008-2. The data in that partition takes the scenic route to DC19-2, but it does get there.

*Well...maybe. The errors you posted indicate that DC19-2 had problems replicating the domain NC from DC19-1, but the repadmin output doesn't show that. I'm not sure which one is correct. Would you mind running the repadmin command again to see if anything's changed? The one failure had only been occurring for a short time the last time you ran it, so I'm curious if it was just some sort of transient issue.

ajdratch

ASKER

Repadmin: running command /showrepl against full DC DC2008-2.Domain.com
Default-First-Site-Name\DC2008-2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
DSA invocationID: a8b39b89-cdf4-45a1-9b6d-f9958ac5fd9c
 
==== INBOUND NEIGHBORS ======================================
DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 08:21:40 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 08:21:57 was successful.
 
CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:58:06 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:58:06 was successful.
 
CN=Schema,CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:58:06 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:58:06 was successful.
 
DC=ForestDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:58:06 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:58:06 was successful.
 
DC=DomainDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:58:06 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:58:06 was successful.
 
Repadmin: running command /showrepl against full DC DC19-3.Domain.com
Default-First-Site-Name\DC19-3
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
DSA invocationID: 910a86f3-4d7d-43e3-856b-5e17f5e6ffe7
 
==== INBOUND NEIGHBORS ======================================
DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 08:21:45 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 08:21:59 was successful.
 
CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:45:27 was successful.
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:45:27 was successful.
 
CN=Schema,CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:45:27 was successful.
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:45:27 was successful.
 
DC=DomainDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:45:27 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:45:27 was successful.
 
DC=ForestDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:45:27 was successful.
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:45:27 was successful.
 
Repadmin: running command /showrepl against full DC DC19-1.Domain.com
Default-First-Site-Name\DC19-1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
DSA invocationID: ec0ff707-f923-4bfa-872a-1b391e48e0d2
 
==== INBOUND NEIGHBORS ======================================
DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 08:21:37 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 08:21:54 was successful.
 
CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:55:17 was successful.
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:55:17 was successful.
 
CN=Schema,CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:55:17 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:55:17 was successful.
 
DC=ForestDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:55:17 was successful.
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:55:17 was successful.
 
DC=DomainDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-3 via RPC
        DSA object GUID: 223ea3d8-2755-4f5d-a72a-dfd87d95e71f
        Last attempt @ 2021-04-30 07:55:17 was successful.
     Default-First-Site-Name\DC19-2 via RPC
        DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
        Last attempt @ 2021-04-30 07:55:17 was successful.

Repadmin: running command /showrepl against full DC DC19-2.Domain.com
Default-First-Site-Name\DC19-2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: ebdd0714-5edc-4db9-930c-4a5888b0cb89
DSA invocationID: e8cd52b8-7b75-451c-850c-b6fb89051848
 
==== INBOUND NEIGHBORS ======================================
DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 08:21:48 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 08:21:56 was successful.
 
CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:59:47 was successful.
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:59:47 was successful.
 
CN=Schema,CN=Configuration,DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:59:47 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:59:47 was successful.
 
DC=ForestDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:59:47 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:59:47 was successful.
 
DC=DomainDnsZones,DC=Domain,DC=com
     Default-First-Site-Name\DC19-1 via RPC
        DSA object GUID: 34a03902-af38-443d-843d-eef6dc2a3874
        Last attempt @ 2021-04-30 07:59:47 was successful.
     Default-First-Site-Name\DC2008-2 via RPC
        DSA object GUID: af8b6046-cf67-4c65-b6cb-013d7ad26041
        Last attempt @ 2021-04-30 07:59:47 was successful.
DrDave242

OK, there are no replication problems at all now, according to repadmin. Has there been any change in the original issue, or do you still get the same error when trying to create a user?
ajdratch

ASKER

I still can't create a user on the other 2019 DC.

Windows cannot create the object test10 because:
The directory service was unable to allocate a relative identifier.

DrDave242

Sorry I keep asking for command output, but can you run dcdiag /test:ridmanager /e /v and post the results? You should only have to run this once, from any DC, as the output should include results from all of them. You posted output earlier which showed that at least two DCs were missing the rIDSetReferences attribute, and I'm curious whether they still are now that replication is working.
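A scripted version of the check being asked for here, added as an example and not part of the thread: it reads the same attributes that dcdiag /test:ridmanager reports (rIDAvailablePool on the RID Manager$ object, rIDSetReferences on each DC's computer object, and the pools on each RID Set), so a DC with no RID set is flagged across the whole domain in one pass. It assumes the ActiveDirectory RSAT module is installed and the account can read CN=System; ConvertFrom-RidPool is a helper written for this example.

```powershell
# Added example (not from the thread): report the domain RID pool and every
# DC's RID set, flagging DCs whose computer object lacks rIDSetReferences.
# Assumes the ActiveDirectory module (RSAT) and read access to CN=System.
Import-Module ActiveDirectory

# AD stores a RID pool as one 64-bit integer: low 32 bits = first RID of the
# range, high 32 bits = last RID. For rIDAvailablePool the low half is the next
# RID the RID Master will hand out and the high half is the domain ceiling.
# (Decimal 4294967295 is used instead of 0xFFFFFFFF, which PowerShell parses
# as the Int32 value -1.)
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][Int64]$Value)
    [pscustomobject]@{
        Start = $Value -band 4294967295
        End   = $Value -shr 32
    }
}

$domain       = Get-ADDomain
$ridManagerDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
$ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool, fSMORoleOwner
$available    = ConvertFrom-RidPool -Value $ridManager.rIDAvailablePool

Write-Output ('Available RID pool for the domain is {0} to {1}' -f $available.Start, $available.End)
Write-Output ('RID Master per Get-ADDomain: {0}' -f $domain.RIDMaster)
Write-Output ('RID Master per fSMORoleOwner: {0}' -f $ridManager.fSMORoleOwner)

foreach ($dc in Get-ADDomainController -Filter *) {
    # A DC that has never been handed a pool has no rIDSetReferences on its
    # computer object; every object it tries to create then fails with
    # "The directory service was unable to allocate a relative identifier".
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSetDn = $computer.rIDSetReferences | Select-Object -First 1
    if (-not $ridSetDn) {
        Write-Warning ('{0}: attribute rIDSetReferences missing from {1}' -f $dc.HostName, $computer.DistinguishedName)
        continue
    }

    $ridSet = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $alloc  = ConvertFrom-RidPool -Value $ridSet.rIDAllocationPool
    $prev   = ConvertFrom-RidPool -Value $ridSet.rIDPreviousAllocationPool

    # rIDPreviousAllocationPool is the block currently in use and rIDNextRID
    # the next value taken from it; when that runs out the DC must reach the
    # RID Master to get a fresh block, which is the call failing in this thread.
    [pscustomobject]@{
        DC                        = $dc.HostName
        rIDAllocationPool         = '{0} to {1}' -f $alloc.Start, $alloc.End
        rIDPreviousAllocationPool = '{0} to {1}' -f $prev.Start, $prev.End
        rIDNextRID                = $ridSet.rIDNextRID
        RemainingInCurrentPool    = $prev.End - $ridSet.rIDNextRID
    }
}
```

Run it once from any DC or management host; the warning lines are the DCs that dcdiag reports as failing RidManager.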

ajdratch

ASKER

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DC19-1, is a Directory Server.
   Home Server = DC19-1
   * Connecting to directory service on server DC19-1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Domain,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
 
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Domain,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DC2008-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC19-3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC19-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC19-1A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
 
   * Found 4 DC(s). Testing 4 of them.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC2008-2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
        Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DC2008-2 passed test Connectivity
  
   Testing server: Default-First-Site-Name\DC19-3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
          ......................... DC19-3 passed test Connectivity
 
  Testing server: Default-First-Site-Name\DC19-1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
          ......................... DC19-1 passed test Connectivity
   Testing server: Default-First-Site-Name\DC19-1A
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
          ......................... DC19-1A passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC2008-2
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
 
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Starting test: RidManager
 
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.Domain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 7106 to 7605
         * rIDPreviousAllocationPool is 7106 to 7605
         * rIDNextRID: 7354
         ......................... DC2008-2 passed test RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
   Testing server: Default-First-Site-Name\DC19-3
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Starting test: RidManager
 
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.Domain.com is the RID Master
         * DsBind with RID Master was successful
         Warning: attribute rIdSetReferences missing from
         CN=DC19-3,OU=Domain Controllers,DC=Domain,DC=com
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
          ......................... DC19-3 failed test RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
  
   Testing server: Default-First-Site-Name\DC19-1
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.Domain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 18106 to 18605
         * rIDPreviousAllocationPool is 18106 to 18605
         * rIDNextRID: 18123
          ......................... DC19-1 passed test RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
   
   Testing server: Default-First-Site-Name\DC19-1A
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 18606 to 1073741823
         * DC19-1.Domain.com is the RID Master
         * DsBind with RID Master was successful
         Warning: attribute rIdSetReferences missing from
         CN=DC19-1A,OU=Domain Controllers,DC=Domain,DC=com
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
          ......................... DC19-1A failed test RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
     Test omitted by user request: DNS
      Test omitted by user request: DNS
  
               Test omitted by user request: DNS
              Test omitted by user request: DNS         
           Test omitted by user request: DNS
            Test omitted by user request: DNS       
            Test omitted by user request: DNS
            Test omitted by user request: DNS  
   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation  
 
   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation
 
   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation
   
  Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation
  
   Running partition tests on : Domain
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation
   
   Running enterprise tests on : Domain.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite
Avatar of DrDave242
DrDave242
Flag of United States of America image

Was DC19-2 removed and replaced with DC19-1A, or are those the same server?

Avatar of ajdratch
ajdratch

ASKER

Sorry, they are the same server. To avoid confusion I have changed the names of the servers so they would make sense. I messed that one up. 
Avatar of DrDave242
DrDave242
Flag of United States of America image

Sorry; work interfered, as it often does.

I'm assuming you're currently able to create users on DC2008-2 and DC19-1, since both of them passed the RidManager test. Let's check to see if that rIDSetReferences attribute really is missing from the other two.

  1. Launch ADSI Edit (adsiedit.msc). You should be able to do this from any DC.
  2. From the Action menu, select Connect to...
  3. Make sure Default naming context is selected in the Select a well known Naming Context dropdown and click OK.
  4. In the left pane, expand Default naming context and the folder beneath it (which will have the distinguished name of your domain), and select OU=Domain Controllers beneath that.
  5. The middle pane should show a folder for each of your DCs. Right-click CN=DC19-1A and select Properties.
  6. Scroll down through the Attribute Editor tab and look for an attribute named rIDSetReferences. If you find one, its value should be CN=RID Set,CN=DC19-1A,OU=Domain Controllers,DC=<domain>,DC=<suffix>. I'm guessing it's either not going to be there at all (which will be very weird) or its value will be messed up somehow (which won't be quite as weird).

For now, just let me know what you see there. Feel free to check the folders representing the other DCs while you're in ADSI Edit. I suspect that DC2008-2 and DC19-1 will have a normal-looking rIDSetReferences attribute, while the others won't.

Avatar of ajdratch
ajdratch

ASKER

I think you found the problem.
DC19-1 looks good: CN=RID Set,CN=DC19-1....
DC2008 looks good: CN=RID Set,CN=DC2008-2...
The other two DCs are <Not set>.
Should I change those to CN=RID Set,CN=DC19-2 and DC19-3?

Avatar of ajdratch
ajdratch

ASKER

It's not possible to manually edit that attribute. How can I get that updated?
Avatar of ajdratch
ajdratch

ASKER

How can I get that attribute updated?
Avatar of DrDave242
DrDave242
Flag of United States of America image

I'm going to do some testing, and I'll get back to you.

Avatar of arnold
arnold
Flag of United States of America image

Something had to have transpired between the addition of this node and the demotion of the rid master/seizure of roles.

Is the issue on the system where the FSMO roles are now?

See if the following is helpful.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/event-16650-account-identifier-allocator-not-initialize
Avatar of ajdratch
ajdratch

ASKER

The DC with FSMO roles is working fine. The 2008 DC is also working fine. The only ones not working are new 2019 DC that I bring online
Avatar of ajdratch
ajdratch

ASKER

The link you sent said
If the rIDSetReferences attribute does not point to the distinguished name of the RID Set object, contact Microsoft Product Support Services for more information.

Is my only option to call MS Support?
Avatar of DrDave242
DrDave242
Flag of United States of America image

Is that RID Set object there on the two affected servers?
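A scripted version of the ADSI Edit check from the earlier answer and of this RID Set question, added here as an example (not DrDave242's or the page's own code): for every DC it reads rIDSetReferences on the computer object, looks for the child RID Set object, and decodes the pools the way dcdiag prints them. It assumes the RSAT ActiveDirectory module and a domain account that can read the Domain Controllers OU.

```powershell
# Added example: per-DC check of rIDSetReferences and the RID Set object.
# Assumes the ActiveDirectory PowerShell module (RSAT) and an account that
# can read the Domain Controllers OU.
Import-Module ActiveDirectory

# rIDAllocationPool and rIDPreviousAllocationPool are 64-bit values:
# low 32 bits = first RID, high 32 bits = last RID (dcdiag prints "start to end").
function ConvertFrom-RidPool {
    param([Nullable[long]]$Value)
    if ($null -eq $Value) { return '<not set>' }
    $low32 = [long][uint32]::MaxValue
    $start = $Value -band $low32
    $end   = $Value -shr 32
    return "$start to $end"
}

function Get-DcRidSetStatus {
    $ridMaster = (Get-ADDomain).RIDMaster

    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcDn = $dc.ComputerObjectDN
        $computer  = Get-ADObject -Identity $dcDn -Properties rIDSetReferences
        # DN of the RID Set, or empty when ADSI Edit shows <not set>
        $reference = ($computer.rIDSetReferences | Select-Object -First 1)

        # The RID Set object should be a direct child of the DC's computer object.
        $ridSet = Get-ADObject -SearchBase $dcDn -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=rIDSet)' `
                    -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID

        [pscustomobject]@{
            DC                  = $dc.HostName
            IsRidMaster         = ($dc.HostName -eq $ridMaster)
            RidSetObjectPresent = [bool]$ridSet
            RidSetReferences    = if ($reference) { $reference } else { '<not set>' }
            ReferenceMatches    = [bool]($ridSet -and ($reference -eq $ridSet.DistinguishedName))
            AllocationPool      = ConvertFrom-RidPool $ridSet.rIDAllocationPool
            PreviousPool        = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
            NextRid             = $ridSet.rIDNextRID
        }
    }
}

# A DC that cannot allocate RIDs shows RidSetReferences '<not set>' and, if the
# RID Set child is also absent, RidSetObjectPresent False.
Get-DcRidSetStatus | Format-Table -AutoSize
```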

Avatar of arnold
arnold
Flag of United States of America image

You could make sure one of the functional, clean systems has FSMO and the 2008; demote the DC in question, and then rejoin.

Something went wrong when it was promoted to DC.
Avatar of ajdratch
ajdratch

ASKER

The 2019 server with FSMO roles is working fine. Two new 2019 DCs are not working. I don't want to demote the 2008 until I have a 2019 DC server working.
Avatar of arnold
arnold
Flag of United States of America image

I thought you indicated only one 2019 DC; this is the DC that needs to be demoted and rejoined.
Was it the first 2019 joined? It might be that there were issues that you resolved, then added the second and it seems fine.

Demote/rejoin the 2019 DC with the issue, which may resolve the issue with the attribute.
Avatar of ajdratch
ajdratch

ASKER

I started with two 2008 R2 DCs.
I added one 2019 DC.
I could not transfer FSMO roles from 2008 to 2019, so I seized them.
Now I had one 2019 DC with FSMO roles and two 2008 DCs.
I demoted the 2008 DC that had the FSMO roles.
At this point I had one 2019 DC and one 2008 DC. Everything is working.
I added the second 2019 DC but I could not add users.
I demoted and promoted that again and had the same problem.
I added another 2019 server and made it a DC. Same problem. I could not add users.
The value rIDSetReferences is empty on all new 2019 DCs.
I have removed and added AD on the 2019 DC and same problem.
I am stuck with one 2019 DC with FSMO roles and the one old 2008 DC working.
No new DCs work.


Avatar of arnold
arnold
Flag of United States of America image

This does not make sense.
You had 2008 R2; one had FSMO.
You added a Win2k19.
The attempt to transfer failed in the normal flow; errors notwithstanding, you seized roles
while the Win2k8 that has the FSMO roles was still online.
This is not how it works. To seize, the DC must not be online ever after the seizure.
You may have to restart, reverifying the remaining 2008 AD DC with dcdiag /v,
and transfer the role.
Double check the forest/domain functional level; make sure it is 2008 native.
Possibly go through with metadata cleanup using the ntdsutils tool.

If you have access, possibly get Server 2016 and have it be an intermediate DC transition to 2019.

In your tests, if you use the same name, you could inherit issues.
Avatar of DrDave242
DrDave242
Flag of United States of America image

If the actual RID Set objects are present on those two affected DCs and it's just the rIDSetReferences attribute that's missing, you may be able to update it by following these steps:

  1. Launch LDP (ldp.exe). Be aware that LDP is not user-friendly at all, but it is powerful. Be careful when making changes with it.
  2. From the Connection menu, click Connect.
  3. In the Server field, specify the IP address of your schema master and click OK. You'll see quite a bit of output. Hopefully it'll be good.
  4. From the Connection menu, click Bind.
  5. If you're logged into an account that's a member of the Schema Admins group, select Bind as currently logged on user. Otherwise, select Bind with credentials and specify the appropriate credentials. Click OK. The last line of the output should say Authenticated as '<your account>'.
  6. From the Browse menu, select Modify.
  7. Leave the DN field blank. Type schemaUpgradeInProgress in the Attribute field and in the Values field.
  8. Make sure Add is selected in the Operation section and click Enter. The entry list will update accordingly.
  9. Click Run. You won't see much output, but the last line should say Modified"". Leave the LDP window open.
  10. Launch ADSI Edit and attempt to set the rIDSetReferences attribute in the appropriate location. If this succeeds, set it in the location corresponding to the other affected DC.
  11. When you're done, go back to LDP and run steps 6-9 again but set the Attribute field to 0.

Let me know if this works.
Avatar of ajdratch
ajdratch

ASKER

That did not work. I still can't edit that field. 
Avatar of DrDave242
DrDave242
Flag of United States of America image

I've now tried every suggestion that I've run across, and I can't find a way to modify that attribute either. Can you check to make sure the two affected DCs aren't members of the Enterprise Read-Only Domain Controllers group?

Avatar of ajdratch
ajdratch

ASKER

They are not part of that group. I guess I need to go back to trying to figure out why that attribute does not get updated on a new DC
Avatar of arnold
arnold
Flag of United States of America image

By my count you have three DCs: one 2008 and two 2019.
Demote the 2019 that is having the issue.
Decommission it. Clean up metadata.
Install a new 2019. Do not use the same name.
Add it to the domain, make it a DC and see if it has this issue.
Main thought: if a faulty DC is on the network, new DCs might contact it and replicate its error state.
Avatar of ajdratch
ajdratch

ASKER

That did not work either
Avatar of arnold
arnold
Flag of United States of America image

Any new DC you add automatically runs into a RID connection issue?
Can you confirm from each of your functional DCs who has the FSMO roles?

On the 2019 that is functional, run PowerShell Get-WindowsFeature
and compare it to the one that you just added.

Let's try it this way: the 2019 that does work, was it added before the seizure of the FSMO roles? Was it the one that seized FSMO roles from the old 2008 DC that was still on the network?
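One way to do the per-DC FSMO check asked for here, added as an example (not arnold's or the page's own code): it asks each DC for the fSMORoleOwner stored on its own replica of CN=RID Manager$ and for the RID master the AD module reports from that server, then warns when the answers differ. It assumes the RSAT ActiveDirectory module and LDAP reachability to every DC.

```powershell
# Added example: ask every DC individually which server it believes holds the
# RID master, and warn if the answers disagree.
# Assumes the ActiveDirectory PowerShell module (RSAT) and that each DC can be
# reached over LDAP from this session.
Import-Module ActiveDirectory

function Get-RidMasterView {
    $domainDn = (Get-ADDomain).DistinguishedName
    # The RID master role is recorded on this object; fSMORoleOwner holds the
    # NTDS Settings DN of the role holder as stored in each DC's replica.
    $ridMgrDn = 'CN=RID Manager$,CN=System,' + $domainDn
    $low32    = [long][uint32]::MaxValue

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $mgr = Get-ADObject -Server $dc.HostName -Identity $ridMgrDn `
                       -Properties fSMORoleOwner, rIDAvailablePool
            # rIDAvailablePool: low 32 bits = next unallocated RID, high 32 bits = ceiling
            # (dcdiag prints it as "Available RID Pool for the Domain is X to Y")
            $pool = "{0} to {1}" -f ($mgr.rIDAvailablePool -band $low32), ($mgr.rIDAvailablePool -shr 32)
            [pscustomobject]@{
                AskedDc        = $dc.HostName
                FsmoRoleOwner  = $mgr.fSMORoleOwner
                ReportedMaster = (Get-ADDomain -Server $dc.HostName).RIDMaster
                AvailablePool  = $pool
                Error          = $null
            }
        } catch {
            # A DC that cannot be queried is itself a finding; record it and go on.
            [pscustomobject]@{
                AskedDc        = $dc.HostName
                FsmoRoleOwner  = $null
                ReportedMaster = $null
                AvailablePool  = $null
                Error          = $_.Exception.Message
            }
        }
    }
}

function Test-RidMasterConsensus {
    param([object[]]$Views)
    $owners = @($Views | Where-Object { $_.FsmoRoleOwner } |
                Select-Object -ExpandProperty FsmoRoleOwner -Unique)
    if ($owners.Count -gt 1) {
        Write-Warning "DCs disagree about the RID master: $($owners -join ' | ')"
        return $false
    }
    return $true
}

$views = Get-RidMasterView
$views | Format-Table -AutoSize
$null = Test-RidMasterConsensus -Views $views
```

If every DC returns the same fSMORoleOwner but a new DC still cannot get a RID pool, the disagreement is not in the replicated role-owner attribute itself, which is what the netdom output later in the thread also suggests.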
Avatar of ajdratch
ajdratch

ASKER

Yes, any new DC has this problem.

All DCs see the first 2019 server holding all FSMO roles. That server is the one that seized the FSMO roles from the old 2008 DC.

The only feature difference is the DC with the FSMO roles has Certification Authority.
Avatar of arnold
arnold
Flag of United States of America image

You seized the roles while the 2008 DC that held them was online, if memory serves.
What does the existing 2008 DC say about which DC has the FSMO roles?
You may have a contention issue.

Try this: make sure only the 2019 DC is online and the 2008 is off the network, and see if you add a new DC with the 2019 as the only DC available in the environment whether you have the RID issue.

Seizing FSMO roles while the DC that has the roles is active on the network will result in bad issues.

I suspect the 2008 DC might have other ideas about which DC has the FSMO roles as compared to the 2019 DC,

and I think this is when your problem began and it is continuing.
Avatar of arnold
arnold
Flag of United States of America image

Then try with the 2008 DC as the sole DC active in the environment. The 2019 that seized roles while the PDC was online may have conflicting data.

If this test works,
I would suggest that the 2019 DC that you say has FSMO roles is never brought back online.
The new 2019 DC seizes the FSMO roles.
A newly formatted, installed Windows 2019 is joined to the domain; see whether the issue is resolved.

If it does, you've resolved your problem.
If it is not, did you go through metadata cleanup to make sure there is absolutely no reference to the former 2008 PDC?

This is the only thing I can think of that could explain your issue. RID master connections are inconsistent.
Avatar of DrDave242
DrDave242
Flag of United States of America image

Are you able to transfer the RID Master role between the two unaffected DCs without any trouble?

Avatar of DrDave242
DrDave242
Flag of United States of America image

Just had another thought: since any newly promoted DC has the issue, I wonder if the dcpromo.log will contain anything helpful.

Avatar of ajdratch
ajdratch

ASKER

The log definitely shows the problem
Starting a replication cycle between DCXXX.comain.com and the RID operations master (2008.domain.com)

DCXXX was a server that was made a DC but was demoted after a day. To my knowledge, it never had FSMO roles but I need to check with everyone on that. 2008 was the Server 2008 that had the FSMO roles seized from it.

I also see this error a lot
[INFO] EVENTLOG (Warning): NTDS General / DS Schema : 1153
"Internal event: The following schema class has a superclass that is not valid."

Now I need to find where that information is coming from and how to change it. What do you think about moving the RID Operations Master to another DC and then back again?
Avatar of arnold
arnold
Flag of United States of America image

Playing with moving the RID master could further complicate matters.
Still waiting to confirm whether my prior interpretation of what happened is correct.
When you added the W2k19 while the 2008 PDC was online, you seized the roles versus transferring them via the normal GUI tools, AD Sites and Services.
Avatar of ajdratch
ajdratch

ASKER

That is correct. The transfer failed so we had to seize the roles.
Avatar of arnold
arnold
Flag of United States of America image

Is dcxxx now a DC in the environment?

If it is, demote it. Remove it from the network and NEVER bring it back online without first reinstalling the OS.
Use ntdsutils on an existing DC and seize the RID master role and only the RID master role.
Better still, identify which of the existing DCs has the FSMO roles,
and use that system to consolidate all the roles by seizing the RID master role.
Go through metadata cleanup removing all references to this dcxxx host.

Then see if that clears the extra invalid attribute or whether it is still there.
Avatar of ajdratch
ajdratch

ASKER

DCXXX is still on the network but there is no metadata anywhere. I was told it was demoted without any issues.

The RID Master role is on the 2019 DC with all the other FSMO roles. All DCs see that all the FSMO roles are on that server.

I will take DCXXX offline. If that does work, I'll make sure it stays offline.
Avatar of arnold
arnold
Flag of United States of America image

Look at Sites and Services, under the NTDS settings for each server, and see whether there is a reference/connection to DCXXX from any DC listed there.

In short, your AD has a reference to DCXXX as a DC to which some DCs try to connect to update changes.

Having the system offline temporarily is unlikely to resolve anything.

Consider it this way: your firm's president tells you Jane is handling accounts payable.
You go on vacation. When you return, you keep sending Jane notices to issue a PO for an item your department needs to complete a project.
The deadline passed, and in the meeting on the project, the company boss asks you, "What is going on with this project, why has it not been completed?" And you tell her, well, I keep asking Jane to approve the purchase, but I get nowhere by email nor after leaving voice messages.

Same thing here: when DCXXX was added, it may have run into issues, and instead of addressing the issue, it may have been forcibly demoted, or actually reinstalled from scratch while retaining the same name.
This is how remnants of a failed dcpromo can be explained and might still be hanging around within the AD.
Avatar of ajdratch
ajdratch

ASKER

Sites and Services, DNS and AD Users and Computers have only the current DCs. DCXXX and the old 2008 PDC are not showing anywhere.

What if I remove DCXXX from the domain?
Avatar of DrDave242
DrDave242
Flag of United States of America image

Personally, I don't think transferring the RID Master to another server will cause any further issues. In fact, I think I'd give it a shot. Move the RID Master to the other unaffected DC, then demote and re-promote one of the affected ones to see if the rIDSetReferences attribute appears.

Avatar of ajdratch
ajdratch

ASKER

I tried transferring the RID Master and got this error in the event log. 2019DC is the one that has the RID Master. I am trying to transfer from 2019DC2

An attempt to transfer the operations master role represented by the following object failed.
 
Object:
CN=RID Manager$,CN=System,DC=domain,DC=com
Current operations master role:
CN=NTDS Settings,CN=2019DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
Proposed operations master role:
CN=NTDS Settings,CN=2019DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com
 
Additional Data
Error value:  8453


Avatar of arnold
arnold
Flag of United States of America image

Does 2019dc2 indicate it is the RID master?

It seems that you had a situation where two systems on the LAN asserted they are the RID master:
the 2008 and the 2019 you used to seize the roles while the 2008 was still online.

Were the systems without issues joined to the AD prior to the seizure of roles by the 2019dc2?
Avatar of ajdratch
ajdratch

ASKER

According to netdom /query fsmo, 2019DC2 thinks 2019DC is the RID master which is correct. 
DC20081 had all the FSMO roles
DC20082 was another DC
DC2019dc came online and seized the FSMO roles from DC20081
DC20081 was taken offline.
At this point DC20082 and DC2019DC were working fine
Any new domain controller that comes online shows DC2019DC has all the roles but apparently somewhere else it thinks some other server has the RID Master
Avatar of ajdratch
ajdratch

ASKER

The only thing that has changed is the rIDSetReferences on the new DC has its own name set, but netdom still shows that it knows the correct server with that FSMO role.

I decided to open a ticket with MS support but that does not seem possible. When I call I can't get a live person and I am told to go to https://support.microsoft.com/oas. I used to be able to pay by CC on that site but not anymore. It wants me to add a contract or subscription and I don't have either of those.

Any idea how I can contact them?
Avatar of arnold
arnold
Flag of United States of America image

I still think, based on your scenario, that you have two functional and one not. My suggestion is to take the one with issues offline and set up a new DC while never connecting this strange DC.

https://social.technet.microsoft.com/Forums/en-US/b7f9ae9e-89db-4866-84df-500f6f1bd069/ridsetreferences-missing-from-domain-controller

Seizing roles

Have you looked at https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2
Avatar of ajdratch
ajdratch

ASKER

I have two functioning DCs. One is Server 2008 and the other is Server 2019. I have tried with three new VMs to create another DC that works and they all failed.

Those numbers don't get you to a live person. It just tells you to go open a case online. I discovered the reason I could not use a credit card had to do with my email address being attached to a Microsoft partner account. I created a ticket online with my gmail address and I was then able to open a ticket with a CC. I was hoping to hear from support today but due to the holiday, I'll probably have to wait until tomorrow.
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Avatar of ajdratch
ajdratch

ASKER

MS support worked on this for about 45 minutes and got it working. According to the tech, the fix was to seize the RID Master role again even though all DCs showed it was on the correct DC.
