Cannot create the object because directory service was unable to allocate a relative identifier

  • Thread starter Thread starter vasanth
  • Start date Start date
V

vasanth

Hi All,

My environment is having 1 Win2K3 SP1 DC and 1 Win2K3 SP1 ADC. This
domain is child domain to one more domain. There are 203 additional
domain controllers for this domain in 203 remote places running Win2K
SP4 and connected by slower WAN link. Everything is normal. We added
203 more ADCs running Win2k SP4 in all the 203 remote places as the
existing hardware was bit too old. In these 203 newly installed ADCs,
in few of the DCs we are unable to create any object and getting the
error message "Cannot create the object because directory service was
unable to allocate a relative identifier". We are also getting event id
16650. We are able to create account in the other DC in the same site
and it will get replicated immediately. In few remote places, we are
not facing any problem even in the new server. Our DNS pointing is
correct. We tried by pointing to different DNS servers such as the main
DC and main ADC also. Still problem did not got solved.

We also forcibly replicated from the central location to these
problematic sites. This also did not solve the problem.

Our RID master is the main DC for this domain running on Win2K3 SP1.

I went through Microsoft KB Article which says that if RID master is
restored from system state backup, this error may occur which has not
happened in our case. It mainly suggests to seize the role and release
again to the same server. Since our RID master is working fine and in
50% of locations on the new servers also we are able to create users,
we cannot seize the role. Kindly suggest us a workaround for this.

Thanks in advance,

Vasanth
Bangalore,
India
 
In my opinion, there must be something wrong with the RID master after all,
even if it's not restored from a backup. You may be able to create users or
other accounts on other DC's, but this probably won't last long (until their
currently assigned RID pools are empty). Not sure how to solve this though,
reboot the RID master, check its directory service log, seize the role after
all...?
Peter
 
I recently had this very same issue when brining a new DC online.

Solved by creating a replication object in ADS&S to the DC holding the RID
FSMO. The using repadmin, forced replication to the new DC. All errors
resolved.

P.S. are you also getting SVR event erros, sorry I cant remeber the ID
number.
 
run DCDIAG /c /v /d

on both the RID master and the DC that is not able to retrieve a RID pool

any "interesting" event IDs on the RID Master?

are there OTHER event IDs on those servers?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
In Jorge de Almeida Pinto [MVP]
run DCDIAG /c /v /d

on both the RID master and the DC that is not able to retrieve a RID
pool
any "interesting" event IDs on the RID Master?

are there OTHER event IDs on those servers?
Click to expand...

Hi Jorge,

I was going to suggest to narrow the dcdiag test for only the RID master by
using the /test:ridmanager switch, but it's probably better to see the whole
output.

:-)


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]
 
you are correct the RID manager test should be enough. I (almost) always use
the options I provided to see if ANYTHING is wrong. To go through it quickly
I search for the words failed and error ;-)

in addition to what you said: I would like to add the /v for more verbose
info
->DCDIAG /test:ridmanager /v


THE FOLLOWING HAS NOTHING TO DO WITH THIS POST:
Do you know what happens when the RIDs are all consumed within a domain?
Starting test: RidManager
The DS has corrupt data: rIDAvailablePool value is not valid
......................... ROOTDC001 failed test RidManager

(I was interested to see what happened ;-)) )

(DON'T WORRY, IT WILL TAKE A VERY LONG TIME BEFORE THIS HAPPENS!)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Ace Fekay said:
In Jorge de Almeida Pinto [MVP]
run DCDIAG /c /v /d

on both the RID master and the DC that is not able to retrieve a RID
pool
any "interesting" event IDs on the RID Master?

are there OTHER event IDs on those servers?
Click to expand...

Hi Jorge,

I was going to suggest to narrow the dcdiag test for only the RID master
by using the /test:ridmanager switch, but it's probably better to see the
whole output.

:-)


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows
you to easily find, track threads, cross-post, sort by date, poster's
name, watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]
Click to expand...
 
Hi All,

I executed dcdiag /test:ridManager /v in the problematic ADC. It says
the following

* DsBind with RID Master was successful
* rIDAllocationPool is 63963600 to 63964099
No rids allocated -- please check eventlog.

My RID master which is also my DC has the following results for the
same test

* Available RID Pool for the Domain is 64010100 to 1073741823
* DsBind with RID Master was successful
* rIDAllocationPool is 278600 to 279099
* rIDPreviousAllocationPool is 278600 to 279099
* rIDNextRID: 278759

It says no RIDs allocated in the problematic DC. Is this looking into
previous allocation pool and saying that or does it mean that no RID is
currently allocated.

Is there any way where in which I can forcibly allocate a RID pool to
this problematic DC?

Regards.

Vasanth
 
In Jorge de Almeida Pinto [MVP]
you are correct the RID manager test should be enough. I (almost)
always use the options I provided to see if ANYTHING is wrong. To go
through it quickly I search for the words failed and error ;-)

in addition to what you said: I would like to add the /v for more
verbose info
->DCDIAG /test:ridmanager /v


THE FOLLOWING HAS NOTHING TO DO WITH THIS POST:
Do you know what happens when the RIDs are all consumed within a
domain? Starting test: RidManager
The DS has corrupt data: rIDAvailablePool value is not valid
......................... ROOTDC001 failed test RidManager

(I was interested to see what happened ;-)) )

(DON'T WORRY, IT WILL TAKE A VERY LONG TIME BEFORE THIS HAPPENS!)
Click to expand...

Yes, it is interesting!!

I actually demo that in the MOC 2279 AD course for my students. I use the
"Create 1000 Users" VBS script that I would first download from Microsoft's
script center to create 1000 users. For others' info out there if they are
interested to see how it works, you can try it. The RID pool can only be
replenished by blocks of 500 because the RID master only dishes out 500 RIDs
at a time to a requesting DC. At 490, the deplenished DC will request
another block of 500 from the RID. If it can't get the next block, it will
not be able to create any users. To force that, I would disconnect the NIC
on the machine that is the RID master to stop it) which you can see the
current RID count on that specific DC with the dcdiag results. I usually
arrow up and hit enter in the CMD prompt to re-run the command so as to
refresh the latest count> Once the count deplenishes and can't get that next
block because the RID master is down, it can't create that next user
account. Cool stuff!!

Ace

Ace
 
In
vasanth said:
Hi All,

I executed dcdiag /test:ridManager /v in the problematic ADC. It says
the following

* DsBind with RID Master was successful
* rIDAllocationPool is 63963600 to 63964099
No rids allocated -- please check eventlog.

My RID master which is also my DC has the following results for the
same test

* Available RID Pool for the Domain is 64010100 to 1073741823
* DsBind with RID Master was successful
* rIDAllocationPool is 278600 to 279099
* rIDPreviousAllocationPool is 278600 to 279099
* rIDNextRID: 278759

It says no RIDs allocated in the problematic DC. Is this looking into
previous allocation pool and saying that or does it mean that no RID
is currently allocated.

Is there any way where in which I can forcibly allocate a RID pool to
this problematic DC?

Regards.

Vasanth
Click to expand...

No, it can't be forced. It's an automatic service. I think based on the
16650 error, this server is completely out of sync. Possibly a journal_wrap
error? Are there any other errors on any of the DCs pointing to this DC as
an issue?

Ace
 
In Jorge de Almeida Pinto [MVP]
Ace,
Please contact me offline.

For my mail address see:
(e-mail address removed)

Just do what is said before the @
Click to expand...

Replied privately...

Ace
 
Back
Top