When you start a domain controller that hosts an operations master role, the initial synchronization of the operations master may not finish because of a replication failure. Additionally, the following error messages may appear for each operations master.
RID master
If the relative ID (RID) operations master cannot be contacted, and if the RID pool drops lower than the 20-to-50-percent range, the following error message is logged in the Directory Service event log:
Source: SAM
EventID: 16651
Description:
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %n " %1 "
Note In the Microsoft Windows 2000 Server with Service Pack 4 (SP4), the threshold at which domain controllers start to request a new RID pool has increased to 50 percent.
For more information about a similar error message that you may receive when the RID master is unavailable, click the following article number to view the article in the Microsoft Knowledge Base:
248410�
Error Message: The Account-Identifier Allocator Failed to Initialize Properly
For more information about RID allocation behavior, click the following article number to view the article in the Microsoft Knowledge Base:
316201�
"Domain controller has failed to obtain a new identifier pool" error event in Windows 2000 Server Service Pack 3 and earlier
Schema master
When you run the
adprep /forestprep command to prepare the Windows 2000 Server forest and the forest domains for the addition of Microsoft Windows Server 2003 domain controllers, the command fails. Additionally, the Adprep.log contains the following error message:
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable). If the error code is "Insufficient Rights", make sure you are logged in as a member of the schema admin group. Adprep was unable to upgrade the schema on the schema master.
This error can also be caused by an invalid Domain Name System (DNS) record for a server that is no longer a DNS server. Additionally, when you try to change a schema property, you may receive the following error message:
The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner.
Domain naming master
When you try to add a new child domain or a new tree to the forest, you may receive the following error message:
02/17 17:02:16 [INFO] Error - The Directory Service failed to create the object CN=UCD,CN=Partitions,CN=Configuration,DC=Domain,DC=loc. Please check the event log for possible system errors. (8610)
For more information about the importance of the domain naming master when you add or remove a domain, click the following article numbers to view the articles in the Microsoft Knowledge Base:
254933 �
Adding or removing a domain during Dcpromo requires access to the domain naming master FSMO role holder
255229�
Dcpromo demotion of last domain controller in child domain does not succeed
The following scenarios describe possible causes of incoming replication failure on an operations master. If a domain controller that holds an operations master role cannot complete the initial synchronization requirements, operations that depend on the operations master may fail or may be delayed. Each scenario includes a possible method to start the operations master.
The current role resides on a domain controller whose Microsoft Windows NT Directory Service (NTDS) settings object has been deleted from Active Directory
Cause
This scenario may occur because of one of the following reasons:
- You either use the Active Directory Sites and Services snap-in, the Ntdsutil.exe utility, or a similar utility to delete the NTDS-DSA object from the Active Directory of a domain controller. However, you do not transfer the operations master role of the domain controller to another domain controller in the domain or the forest.
- You use the dcpromo /forceremoval command to forcefully remove Active Directory from a domain controller that holds an operations master role.
For more information about the dcpromo /forceremoval command, click the following article number to view the article in the Microsoft Knowledge Base:
332199�
Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
- You try to use the Active Directory Installation Wizard to gracefully remove Active Directory from an operations master domain controller. However, the locally-held operations master roles do not transfer to existing domain controllers in the domain or in the forest.
Resolution
In all these cases, you must seize operations master roles or transfer operations master roles to an existing domain controller.
For more information about seizing or transferring operations master roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
255504 �
Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
255690 �
How to view and transfer FSMO roles in the graphical user interface
The domain controller that holds the operations master role contains references to domain controllers that are no longer running Active Directory
Cause
In this scenario, the domain controllers that are no longer running Active Directory still have metadata.
Resolution
To resolve this problem, remove the metadata from offline domain controllers that host the partition. You can do this if the domain controllers are no longer active in the forest and are therefore useless. After you remove the metadata from the domain controllers that are no longer running Active Directory, restart the current operations master role holder.
For more information about how to remove metadata for an offline domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
216498 �
How to remove data in Active Directory after an unsuccessful domain controller demotion
Replication fails on the directory partition that holds the operations master role
Resolution
In this scenario, you must resolve the Active Directory replication failure because this failure prevents the operations master role holder from replicating the operations master partition. You must do this by using an existing partition from another domain controller.
Such replication problems can be caused by the following failures:
- Connectivity failures
- Authentication failures
- Replication engine failures
The replication partner for an operations master role partition resides in a remote Active Directory site
Cause
In this scenario, the operations master resides in a different Active Directory site than other domain controllers that replicate the operations master roles partition.
Resolution
To resolve this problem, take one of the following actions:
- Wait until the replication schedule opens
- Force incoming replication to the current operations master from a domain controller that contains a copy of that partition
The domain controller is started on an isolated network and cannot replicate because there is no network connectivity
Note A network is "isolated" if the domain controller that holds an operations master role has no network cable attached. A network is also "isolated" if the domain controller is on a test network or on a lab network without network access to partner domain controllers.
Cause
In this scenario, the domain controller that is started on an isolated network that has domain controllers in its domain or in its forest cannot replicate because there is no network connectivity.
Resolution
To resolve this problem, add a domain controller to the domain. Then, when the domain controller that holds the operations master roles starts, the domain controller can replicate the necessary domain partitions or the necessary forest-wide partitions.
Note For Windows Server 2003 domain controllers that are in an isolated network, you can use the Ntdsutil.exe utility to seize the operations master role. We recommend that you try this self-seizure operation only as a last resort after you verify that each operations master role in the forest has a unique holder.
For more information about how to use the Ntdsutil.exe utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
255504 �
Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
255690 �
How to view and transfer FSMO roles in the graphical user interface
The Windows 2000 Server RID master is transferred to another domain controller and Windows cannot create the object
Cause
In this scenario, the Windows 2000 Server RID master crashes and is then restored from a backup. Then, the RID master is temporarily transferred to another domain controller. Windows may report that it cannot create the object because the directory service is unable to allocate a relative identifier.
Resolution
To resolve this problem, you must put the restored domain controller and the temporary RID master into different networks. Then, follow the steps in Microsoft Knowledge Base Article 822053 to synchronize the operations master role holders.
822053 �
Error Message: "Windows Cannot Create the Object Because the Directory Service Was Unable to Allocate a Relative Identifier"
The Windows 2000 Server or Windows Server 2003 domain controller may report that the RID pool was corrupted and that no object can be created in the domain
In this scenario, you may receive event IDs 16650, 16647, and 16645. Additionally, if you run the
dcdiag /v command, you receive the following error messages:
* Available RID Pool for the Domain is 2355 to 1073741823
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1355 to 1854
* rIDNextRID: 0 The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDPreviousAllocationPool is 0 to 0 No rids allocated -- please check eventlog.
......................... DC01 failed test RidManager
Starting test: RidManager
* Available RID Pool for the Domain is 3104 to 1073741823
Warning: FSMO Role Owner is deleted.
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID SetDEL:5a128cf2-f365-47bc-a883-8ff9561ff545,CN=Deleted Objects,DC=contoso,DC=com for rid info failed with 2: The system cannot find the file specified.
......................... DC01 failed test RidManager
Resolution
To resolve this problem, you must either resolve the replication problem or try to repair the corrupted RID pool-related data in the Active Directory database.
For more information about this topic, click the following article number to view the article in the Microsoft Knowledge Base:
839879 �
Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003
Note If the previous solutions do not resolve the problem, use utilities such as the Repadmin.exe utility to continue troubleshooting. You should focus mainly on Directory Service replication for the specific domain partition.
How to use the Repadmin.exe utility to troubleshoot initial synchronization problems
To troubleshoot initial synchronization problems by using the Repadmin.exe utility, follow these steps:
- On a domain controller that holds an operations master role, locate the Repadmin.exe utility in the Microsoft Windows 2000 Support Tools.
Note The Windows 2000 Support Tools are available on the Windows 2000 Server CD. To install the Windows 2000 Support Tools, run the Setup program from the Support\Tools folder. - Click Start, click Run, type cmd, and then press ENTER.
- At the command prompt, type repadmin /showreps.
- Examine the output and determine whether the domain controller has successfully replicated since the last restart. If you see any errors, try to resolve the replication problems by using the relevant replication partners, and then wait for the replication to finish.
Each domain controller must successfully replicate the schema partitions, the domain partitions, and the configuration partitions.
Note You can use the
repadmin /delete command to remove replication links to partner domain controllers that contain the partition that hosts the operations master role in question.
Warning The
repadmin /delete command has the potential to break your Active Directory installation. Therefore, we highly recommend that you use the
repadmin /delete command only under the expert guidance of Microsoft Product Support Services. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:
For more information about how to use the Repadmin.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
229896 �
Using Repadmin.exe to troubleshoot Active Directory replication
An Active Directory domain controller tries to replicate incoming changes for each locally-held directory partition whenever the domain controller starts. The directory partition is also known as a naming context.
In Windows Server 2003, Windows 2000 Server Service Pack 3 (SP3), and later versions of Windows 2000 Server, the domain controllers that host operations master roles have a responsibility. This responsibility is to successfully replicate incoming changes on the directory partition that replicates and maintains the state of the operations master role. Successful replication must occur before operations that depend on the operations master can be performed. This replication occurs to make sure that the operations master is up to date with any changes to the attribute that holds the information about the current operations master holder. For example, if the attribute changes when the operations master is offline, the attribute will relinquish ownership of the operations master. If the attribute continues to point to the local domain controller, the attribute will start to act as the role holder.
When this occurs, Windows Server 2003-based domain controllers log the following event:
Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1555
Date: date
Time: time
User: Everyone
Description:
The local domain controller will not be advertised by the domain controller locator service as an available domain controller until it has completed an initial synchronization of each writeable directory partition that it holds. At this point, these initial synchronizations have not been completed. The synchronizations will continue. For more information, see Help and Support Center at http://support.microsoft.com.
Where the operations master role holder information is saved
The following table shows that a domain controller that hosts operations master roles must successfully replicate the partition before the operations master roles can function.
Collapse this tableExpand this table
Role | Partition that must replicate for role to become active | Operation performed |
---|
Domain naming | Configuration | Add or remove a domain or an application partition. |
Infrastructure | Domain partition in the domain of the operations master role holder | Introduce changes that were made by using the Windows Server 2003 adprep /domainprep command. |
Relative ID (RID) | Domain partition in the domain of the operations master role holder | Install Active Directory on the member server. |
Schema | Schema | Introduce schema changes in the Active Directory Schema snap-in, in the adprep /forestprep command, or in Active Directory-aware applications. |
For example, consider the following progression. The domain partition of a sample domain that is named Contoso.com replicates information about the state of the current RID operations master.
In the Contoso.com domain, a domain controller that is named DC1.Contoso.com (DC1) is the RID master.
The configuration partition on the copy of DC1 of Active Directory contains references to another domain controller that is named DC2.Contoso.com (DC2). DC2 replicates the writeable Contoso.com partition. When this occurs, the RID master role for the Contoso.com domain does not become operational until one of the following scenarios occurs:
- The RID master role performs incoming replication for the writeable Contoso.com domain partition with DC2 or with another domain controller in the Contoso.com domain.
- You remove references to domain controllers that host writeable copies of the Contoso.com domain partition from the forest.
Until the RID master role becomes operational, DC1 cannot issue the new RID pools that are required to create users, computers, additional domain controllers, and security groups in the Contoso.com domain. Similarly, the other operations masters that are listed in the operations master roles table must successfully replicate incoming changes on the host partition before the operations masters can perform dependent operations. The goal of this synchronization requirement is to make sure that only one domain controller plays a particular operations master role in each domain or forest.
Note A domain controller does not have to satisfy the initial synchronization requirement if that domain controller meets the following criteria:
- The domain controller that holds an operations master role resides in a partition.
- The domain controller does not have replication partners. For example, the domain controller is in the domain or in the forest-wide operation scope of the operations master role and therefore does not have partners.
Synchronization requirements only exist when the
hasMastersNC attribute of the current role holder contains references to more than one domain controller that replicates the operations master partition. The
hasMastersNC attribute is a part of the NTDS settings object in the CN=Configuration partition of an operations master on a domain controller. For example, imagine that the configuration partition for the Contoso.com sample domain does not contain references to other domain controllers that host the Contoso.com partition. In such a case, the current RID master becomes operational after the DC1 computer starts.
Changes in initial synchronization requirements in Windows Server 2003 with Service Pack 1 (SP1)
The original release version of Windows Server 2003
When you restart a domain controller that is an operations master role holder, the domain controller will only try to replicate with other domain controllers that are in the same site. If an appropriate source domain controller is in the same Active Directory site as the holder, the initial synchronization requirement is typically satisfied after the operating system is started. Because the requirement is satisfied, the operations that depend on the operations master role occur immediately. Delays may occur if the only appropriate source domain controller is in a remote site. Replication will not occur until the schedule opens on the site link or on the connection object. Any operation that requires access to either the schema master role, the domain naming master role, or the RID master role does not function until incoming replication occurs from a writeable source domain controller.
Windows Server 2003 with SP1
If a domain controller that is an operations master role holder is restarted, it will try to perform initial synchronization with all its existing partners until a successful synchronization occurs. The partner is selected at random for the synchronization from all replication partners that the domain controller has for each naming context that the domain controller hosts. No preference is given to intrasite replication partners. The domain controller tries each partner until replication is successful.
When the operations master roles are temporarily offline
All operations master roles can sustain some downtime. This means that you do not have to seize the operations master roles if the computer must be taken offline temporarily. Each operations master role sustains downtime in a unique way.
Schema master
Do not bring the schema operations master role back unless you want to change the schema before the schema operations master role holder comes back through a repair or restore.
Domain naming master
The domain naming operations master role is required when you want to add or remove a naming context in the forest. You have to seize this role if a repair or restore does not bring the role back online before you add or remove a naming context in the forest.
Infrastructure master
The infrastructure operations master role runs tasks in the background. If this computer is not brought online for several days, and no major account changes are made in the forest, this computer can easily make the changes when you bring it back online.