Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An operations master does not synchronize when a Windows 2000 Server-based or Windows Server 2003-based computer is started


View products that this article applies to.

Summary

This article contains information to help you troubleshoot an operations master that does not finish initial synchronization because of a replication failure. This article discusses the following topics:
  • Error messages that can indicate the operations master did not finish initial synchronization because of a replication failure
  • Scenarios that describe some possible causes of incoming replication failure on an operations master
  • How to use the Repadmin.exe utility to troubleshoot initial synchronization problems
  • Partitions that must be replicated before the operations master roles can function
  • Changes in initial synchronization requirements in Windows Server 2003 with Service Pack 1 (SP1)
  • Effects of downtime on the operations master roles

↑ Back to the top


Introduction

Because all domain controllers work together in a domain, most object updates in the Active Directory directory service can be made on any domain controller by using multimaster replication. However, certain operations can only be safely performed by single domain controllers that are called the operations masters. The operations that each operations master routinely performs are called operations master roles. These roles are also known as flexible single master operations (FSMO) roles. To prevent an operations master role from being assigned to more than one domain controller, role holders must successfully inbound replicate-specific partitions from at least one partner domain controller. This process is referred to as initial synchronization. Initial synchronization must occur before operations that depend on an operations master role can be performed.

↑ Back to the top


More information

When you start a domain controller that hosts an operations master role, the initial synchronization of the operations master may not finish because of a replication failure. Additionally, the following error messages may appear for each operations master.

RID master

If the relative ID (RID) operations master cannot be contacted, and if the RID pool drops lower than the 20-to-50-percent range, the following error message is logged in the Directory Service event log:

Source: SAM
EventID: 16651
Description:
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %n " %1 "

Note In the Microsoft Windows 2000 Server with Service Pack 4 (SP4), the threshold at which domain controllers start to request a new RID pool has increased to 50 percent. For more information about a similar error message that you may receive when the RID master is unavailable, click the following article number to view the article in the Microsoft Knowledge Base:
248410� Error Message: The Account-Identifier Allocator Failed to Initialize Properly
For more information about RID allocation behavior, click the following article number to view the article in the Microsoft Knowledge Base:
316201� "Domain controller has failed to obtain a new identifier pool" error event in Windows 2000 Server Service Pack 3 and earlier

Schema master

When you run the adprep /forestprep command to prepare the Windows 2000 Server forest and the forest domains for the addition of Microsoft Windows Server 2003 domain controllers, the command fails. Additionally, the Adprep.log contains the following error message:
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable). If the error code is "Insufficient Rights", make sure you are logged in as a member of the schema admin group. Adprep was unable to upgrade the schema on the schema master.
This error can also be caused by an invalid Domain Name System (DNS) record for a server that is no longer a DNS server. Additionally, when you try to change a schema property, you may receive the following error message:
The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner.

Domain naming master

When you try to add a new child domain or a new tree to the forest, you may receive the following error message:
02/17 17:02:16 [INFO] Error - The Directory Service failed to create the object CN=UCD,CN=Partitions,CN=Configuration,DC=Domain,DC=loc. Please check the event log for possible system errors. (8610)
For more information about the importance of the domain naming master when you add or remove a domain, click the following article numbers to view the articles in the Microsoft Knowledge Base:
254933 � Adding or removing a domain during Dcpromo requires access to the domain naming master FSMO role holder
255229� Dcpromo demotion of last domain controller in child domain does not succeed
The following scenarios describe possible causes of incoming replication failure on an operations master. If a domain controller that holds an operations master role cannot complete the initial synchronization requirements, operations that depend on the operations master may fail or may be delayed. Each scenario includes a possible method to start the operations master.

The current role resides on a domain controller whose Microsoft Windows NT Directory Service (NTDS) settings object has been deleted from Active Directory

Cause

This scenario may occur because of one of the following reasons:
  • You either use the Active Directory Sites and Services snap-in, the Ntdsutil.exe utility, or a similar utility to delete the NTDS-DSA object from the Active Directory of a domain controller. However, you do not transfer the operations master role of the domain controller to another domain controller in the domain or the forest.
  • You use the dcpromo /forceremoval command to forcefully remove Active Directory from a domain controller that holds an operations master role. For more information about the dcpromo /forceremoval command, click the following article number to view the article in the Microsoft Knowledge Base:
    332199� Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
  • You try to use the Active Directory Installation Wizard to gracefully remove Active Directory from an operations master domain controller. However, the locally-held operations master roles do not transfer to existing domain controllers in the domain or in the forest.

Resolution

In all these cases, you must seize operations master roles or transfer operations master roles to an existing domain controller. For more information about seizing or transferring operations master roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
255504 � Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
255690 � How to view and transfer FSMO roles in the graphical user interface

The domain controller that holds the operations master role contains references to domain controllers that are no longer running Active Directory

Cause

In this scenario, the domain controllers that are no longer running Active Directory still have metadata.

Resolution

To resolve this problem, remove the metadata from offline domain controllers that host the partition. You can do this if the domain controllers are no longer active in the forest and are therefore useless. After you remove the metadata from the domain controllers that are no longer running Active Directory, restart the current operations master role holder. For more information about how to remove metadata for an offline domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
216498 � How to remove data in Active Directory after an unsuccessful domain controller demotion

Replication fails on the directory partition that holds the operations master role

Resolution

In this scenario, you must resolve the Active Directory replication failure because this failure prevents the operations master role holder from replicating the operations master partition. You must do this by using an existing partition from another domain controller.

Such replication problems can be caused by the following failures:
  • Connectivity failures
  • Authentication failures
  • Replication engine failures

The replication partner for an operations master role partition resides in a remote Active Directory site

Cause

In this scenario, the operations master resides in a different Active Directory site than other domain controllers that replicate the operations master roles partition.

Resolution

To resolve this problem, take one of the following actions:
  • Wait until the replication schedule opens
  • Force incoming replication to the current operations master from a domain controller that contains a copy of that partition

The domain controller is started on an isolated network and cannot replicate because there is no network connectivity

Note A network is "isolated" if the domain controller that holds an operations master role has no network cable attached. A network is also "isolated" if the domain controller is on a test network or on a lab network without network access to partner domain controllers.

Cause

In this scenario, the domain controller that is started on an isolated network that has domain controllers in its domain or in its forest cannot replicate because there is no network connectivity.

Resolution

To resolve this problem, add a domain controller to the domain. Then, when the domain controller that holds the operations master roles starts, the domain controller can replicate the necessary domain partitions or the necessary forest-wide partitions.

Note For Windows Server 2003 domain controllers that are in an isolated network, you can use the Ntdsutil.exe utility to seize the operations master role. We recommend that you try this self-seizure operation only as a last resort after you verify that each operations master role in the forest has a unique holder. For more information about how to use the Ntdsutil.exe utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
255504 � Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
255690 � How to view and transfer FSMO roles in the graphical user interface

The Windows 2000 Server RID master is transferred to another domain controller and Windows cannot create the object

Cause

In this scenario, the Windows 2000 Server RID master crashes and is then restored from a backup. Then, the RID master is temporarily transferred to another domain controller. Windows may report that it cannot create the object because the directory service is unable to allocate a relative identifier.

Resolution

To resolve this problem, you must put the restored domain controller and the temporary RID master into different networks. Then, follow the steps in Microsoft Knowledge Base Article 822053 to synchronize the operations master role holders.
822053 � Error Message: "Windows Cannot Create the Object Because the Directory Service Was Unable to Allocate a Relative Identifier"

The Windows 2000 Server or Windows Server 2003 domain controller may report that the RID pool was corrupted and that no object can be created in the domain

In this scenario, you may receive event IDs 16650, 16647, and 16645. Additionally, if you run the dcdiag /v command, you receive the following error messages:
* Available RID Pool for the Domain is 2355 to 1073741823
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1355 to 1854
* rIDNextRID: 0 The DS has corrupt data: rIDPreviousAllocationPool value is not valid * rIDPreviousAllocationPool is 0 to 0 No rids allocated -- please check eventlog. ......................... DC01 failed test RidManager
Starting test: RidManager
* Available RID Pool for the Domain is 3104 to 1073741823
Warning: FSMO Role Owner is deleted.
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
Warning: rid set reference is deleted. ldap_search_sW of CN=RID SetDEL:5a128cf2-f365-47bc-a883-8ff9561ff545,CN=Deleted Objects,DC=contoso,DC=com for rid info failed with 2: The system cannot find the file specified. ......................... DC01 failed test RidManager

Resolution

To resolve this problem, you must either resolve the replication problem or try to repair the corrupted RID pool-related data in the Active Directory database. For more information about this topic, click the following article number to view the article in the Microsoft Knowledge Base:
839879 � Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003
Note If the previous solutions do not resolve the problem, use utilities such as the Repadmin.exe utility to continue troubleshooting. You should focus mainly on Directory Service replication for the specific domain partition.

How to use the Repadmin.exe utility to troubleshoot initial synchronization problems

To troubleshoot initial synchronization problems by using the Repadmin.exe utility, follow these steps:
  1. On a domain controller that holds an operations master role, locate the Repadmin.exe utility in the Microsoft Windows 2000 Support Tools.

    Note The Windows 2000 Support Tools are available on the Windows 2000 Server CD. To install the Windows 2000 Support Tools, run the Setup program from the Support\Tools folder.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. At the command prompt, type repadmin /showreps.
  4. Examine the output and determine whether the domain controller has successfully replicated since the last restart. If you see any errors, try to resolve the replication problems by using the relevant replication partners, and then wait for the replication to finish.

    Each domain controller must successfully replicate the schema partitions, the domain partitions, and the configuration partitions.
Note You can use the repadmin /delete command to remove replication links to partner domain controllers that contain the partition that hosts the operations master role in question.

Warning The repadmin /delete command has the potential to break your Active Directory installation. Therefore, we highly recommend that you use the repadmin /delete command only under the expert guidance of Microsoft Product Support Services. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site: For more information about how to use the Repadmin.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
229896 � Using Repadmin.exe to troubleshoot Active Directory replication
An Active Directory domain controller tries to replicate incoming changes for each locally-held directory partition whenever the domain controller starts. The directory partition is also known as a naming context.

In Windows Server 2003, Windows 2000 Server Service Pack 3 (SP3), and later versions of Windows 2000 Server, the domain controllers that host operations master roles have a responsibility. This responsibility is to successfully replicate incoming changes on the directory partition that replicates and maintains the state of the operations master role. Successful replication must occur before operations that depend on the operations master can be performed. This replication occurs to make sure that the operations master is up to date with any changes to the attribute that holds the information about the current operations master holder. For example, if the attribute changes when the operations master is offline, the attribute will relinquish ownership of the operations master. If the attribute continues to point to the local domain controller, the attribute will start to act as the role holder.

When this occurs, Windows Server 2003-based domain controllers log the following event:

Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1555
Date: date
Time: time
User: Everyone
Description:
The local domain controller will not be advertised by the domain controller locator service as an available domain controller until it has completed an initial synchronization of each writeable directory partition that it holds. At this point, these initial synchronizations have not been completed. The synchronizations will continue. For more information, see Help and Support Center at http://support.microsoft.com.

Where the operations master role holder information is saved

The following table shows that a domain controller that hosts operations master roles must successfully replicate the partition before the operations master roles can function.
Collapse this tableExpand this table
RolePartition that must replicate for role to become active Operation performed
Domain naming ConfigurationAdd or remove a domain or an application partition.
InfrastructureDomain partition in the domain of the operations master role holderIntroduce changes that were made by using the Windows Server 2003 adprep /domainprep command.
Relative ID (RID) Domain partition in the domain of the operations master role holder Install Active Directory on the member server.
SchemaSchemaIntroduce schema changes in the Active Directory Schema snap-in, in the adprep /forestprep command, or in Active Directory-aware applications.
For example, consider the following progression. The domain partition of a sample domain that is named Contoso.com replicates information about the state of the current RID operations master. In the Contoso.com domain, a domain controller that is named DC1.Contoso.com (DC1) is the RID master. The configuration partition on the copy of DC1 of Active Directory contains references to another domain controller that is named DC2.Contoso.com (DC2). DC2 replicates the writeable Contoso.com partition. When this occurs, the RID master role for the Contoso.com domain does not become operational until one of the following scenarios occurs:
  • The RID master role performs incoming replication for the writeable Contoso.com domain partition with DC2 or with another domain controller in the Contoso.com domain.
  • You remove references to domain controllers that host writeable copies of the Contoso.com domain partition from the forest.
Until the RID master role becomes operational, DC1 cannot issue the new RID pools that are required to create users, computers, additional domain controllers, and security groups in the Contoso.com domain. Similarly, the other operations masters that are listed in the operations master roles table must successfully replicate incoming changes on the host partition before the operations masters can perform dependent operations. The goal of this synchronization requirement is to make sure that only one domain controller plays a particular operations master role in each domain or forest.

Note A domain controller does not have to satisfy the initial synchronization requirement if that domain controller meets the following criteria:
  • The domain controller that holds an operations master role resides in a partition.
  • The domain controller does not have replication partners. For example, the domain controller is in the domain or in the forest-wide operation scope of the operations master role and therefore does not have partners.
Synchronization requirements only exist when the hasMastersNC attribute of the current role holder contains references to more than one domain controller that replicates the operations master partition. The hasMastersNC attribute is a part of the NTDS settings object in the CN=Configuration partition of an operations master on a domain controller. For example, imagine that the configuration partition for the Contoso.com sample domain does not contain references to other domain controllers that host the Contoso.com partition. In such a case, the current RID master becomes operational after the DC1 computer starts.

Changes in initial synchronization requirements in Windows Server 2003 with Service Pack 1 (SP1)

The original release version of Windows Server 2003

When you restart a domain controller that is an operations master role holder, the domain controller will only try to replicate with other domain controllers that are in the same site. If an appropriate source domain controller is in the same Active Directory site as the holder, the initial synchronization requirement is typically satisfied after the operating system is started. Because the requirement is satisfied, the operations that depend on the operations master role occur immediately. Delays may occur if the only appropriate source domain controller is in a remote site. Replication will not occur until the schedule opens on the site link or on the connection object. Any operation that requires access to either the schema master role, the domain naming master role, or the RID master role does not function until incoming replication occurs from a writeable source domain controller.

Windows Server 2003 with SP1

If a domain controller that is an operations master role holder is restarted, it will try to perform initial synchronization with all its existing partners until a successful synchronization occurs. The partner is selected at random for the synchronization from all replication partners that the domain controller has for each naming context that the domain controller hosts. No preference is given to intrasite replication partners. The domain controller tries each partner until replication is successful.

When the operations master roles are temporarily offline

All operations master roles can sustain some downtime. This means that you do not have to seize the operations master roles if the computer must be taken offline temporarily. Each operations master role sustains downtime in a unique way.

Schema master

Do not bring the schema operations master role back unless you want to change the schema before the schema operations master role holder comes back through a repair or restore.

Domain naming master

The domain naming operations master role is required when you want to add or remove a naming context in the forest. You have to seize this role if a repair or restore does not bring the role back online before you add or remove a naming context in the forest.

Infrastructure master

The infrastructure operations master role runs tasks in the background. If this computer is not brought online for several days, and no major account changes are made in the forest, this computer can easily make the changes when you bring it back online.

↑ Back to the top


References

For more information about how to install Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:
301423 � How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer
For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
197132� Windows 2000 Active Directory FSMO roles
234790� How to find servers that hold flexible single master operations roles
223346 � FSMO placement and optimization on Active Directory domain controllers
248410 � Error message: The account-identifier allocator failed to initialize properly

For more information about how to initiate Active Directory replication, click the following article number to view the article in the Microsoft Knowledge Base:
232072 � Initiating replication between Active Directory direct replication partners

For more information about FSMO role holder Initial Synchronization, click the following article number to view the article in the Microsoft Knowledge Base:
305476 � Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders
822053 � Error message: "Windows cannot create the object because the Directory Service was unable to allocate a relative identifier"
839879 � Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003

↑ Back to the top


Keywords: kberrmsg, kbfsmo, kbactivedirectoryrepl, kbactivedirectory, kbtshoot, KB910202

↑ Back to the top

Article Info
Article ID : 910202
Revision : 6
Created on : 4/5/2007
Published on : 4/5/2007
Exists online : False
Views : 1112