Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"The Account-Identifier Allocator Failed to Initialize Properly" error in Windows Server




Symptoms

You notice that an entry that resembles the following is recorded approximately every two minutes in the NTDS event log:

Event 16650
MessageId=0x410A
SymbolicName=SAMMSG_RID_INIT_FAILURE
Language=English

The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows Server may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.



Cause

This problem occurs because the RID Master FSMO is unavailable or fails to replicate. The domain controller cannot obtain and initialize the RID pool.

This problem may also occur if the "Access this computer from the network" user right is not granted to the appropriate groups, such as the "Enterprise Domain Controllers" or "Authenticated Users" groups.



Resolution

To troubleshoot this problem, examine the NTDS event log for more details about the replication failure.

Determine the RID Master FSMO by following the steps in the following Knowledge Base article:

234790 How To Find Servers That Hold Flexible Single Master Operations Roles

Verify network connectivity by using the ping command. For more information about how to use the ping command, see the following Docs articles:

Chapter 16 — Troubleshooting TCP/IP

NSlookup

If the RID Master is down for an extended time, follow the steps in the following Knowledge Base article:

223787 Flexible Single Master Operation Transfer and Seizure Process

To add either the "Enterprise Domain Controllers" or "Authenticated Users" group to the "Access this computer from the network" user right, follow these steps in Domain Controller Security Policy:

  1. Open the policy. To do this, click Start > Programs > Administrative Tools > Domain Controller Security Policy.
  2. Expand Security Settings, expand Local Policies, and then select User Rights Assignment.
  3. Double-click Access this computer from the network, and then add either the Everyone or Authenticated Users group to this right.

If there are multiple Windows 2000 Server domain controllers, run the following command at a command prompt to refresh the policy on those domain controllers:

secedit /refreshpolicy machine_policy /enforce
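
The user-right check from the steps above, as an added example that is not part of the original KB article: it parses a security template exported with secedit /export and reports whether the groups this article names hold SeNetworkLogonRight, the internal name of "Access this computer from the network". The function name Test-NetworkLogonRight and the sample template are constructed for illustration.

```powershell
# Added example (not Microsoft's code): report whether the groups named in this
# article hold SeNetworkLogonRight ("Access this computer from the network").
# Real input: secedit /export /cfg <file> /areas USER_RIGHTS, then Get-Content <file> -Raw
$GroupSids = [ordered]@{   # well-known SIDs of the groups the article mentions
    'Enterprise Domain Controllers' = 'S-1-5-9'
    'Authenticated Users'           = 'S-1-5-11'
    'Everyone'                      = 'S-1-1-0'
}

function Test-NetworkLogonRight {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    $holders   = @()   # stays empty if the right is not listed at all
    foreach ($line in ($InfText -split "`r?`n")) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $text -match '^SeNetworkLogonRight\s*=\s*(.*)$') {
            # Holders are comma separated; SIDs are written with a leading '*'.
            $holders = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    foreach ($name in $GroupSids.Keys) {
        [pscustomobject]@{
            Group   = $name
            Sid     = $GroupSids[$name]
            # Match on SID, or on the name in case the export kept an account name.
            Granted = ($holders -contains $GroupSids[$name]) -or ($holders -contains $name)
        }
    }
}

# Constructed sample: only Administrators and Pre-Windows 2000 Compatible Access hold the right.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-554
SeBackupPrivilege = *S-1-5-32-544
'@

$report = Test-NetworkLogonRight -InfText $sample
$report | Format-Table -AutoSize
if (-not ($report.Granted -contains $true)) { Write-Warning 'None of the groups named in the article hold SeNetworkLogonRight.' }
```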



Keywords: kbprb


Article Info
Article ID : 248410
Revision : 8
Created on : 4/26/2019
Published on : 4/26/2019
Exists online : False