Drazen
We had some problems with Windows Server SP4 2000 DC (Server A) and had
to rebuild it from scratch. Server A was a single DC in the domain,
no BDCs. So what I did was to set up another temporary Windows 2000
SP4 server (Server B), configured it as an additional domain controller in
the domain, let it replicate with Server A. Everything went without
problems. Now I had two DCs. So I retired Server A, reinstalled the OS,
gave it the same IP address as before, same name, everything as it was
before. Then configured it as a domain controller again and let it
replicate from Server B. Again everything went without problems. Now I
retired Server B.
Errors started appearing in event log of server A:
Source: SAM
Event ID: 16650
Error: The account-identifier allocator failed to initialize properly.
The record data contains the NT error code that caused the failure.
Windows 2000 will retry the initialization until it succeeds; until
that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason
for the failure.
Data: a7 02 00 c0
This is what dcdiag /v returns:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine srvpis, is a DC.
* Connecting to directory service on server srvpis.
* Collecting site info.
* Identifying all servers.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SRVPIS
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SRVPIS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SRVPIS
Starting test: Replications
* Replications Check
......................... SRVPIS passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=PIS,DC=local
* Security Permissions Check for
CN=Configuration,DC=PIS,DC=local
* Security Permissions Check for
DC=PIS,DC=local
......................... SRVPIS passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... SRVPIS passed test NetLogons
Starting test: Advertising
The DC SRVPIS is advertising itself as a DC and having a DS.
The DC SRVPIS is advertising as an LDAP server
The DC SRVPIS is advertising as having a writeable directory
The DC SRVPIS is advertising as a Key Distribution Center
The DC SRVPIS is advertising as a time server
The DS SRVPIS is advertising as a GC.
......................... SRVPIS passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the Schema Owner, but is deleted.
Role Domain Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the Domain Owner, but is deleted.
Role PDC Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the PDC Owner, but is deleted.
Role Rid Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the Rid Owner, but is deleted.
Role Infrastructure Update Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the Infrastructure Update Owner, but is deleted.
......................... SRVPIS failed test
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2101 to 1073741823
Warning: FSMO Role Owner is deleted.
* srvpis.PIS.local is the RID Master
* DsBind with RID Master was successful
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID Set\
DEL:eb942680-1b6d-460a-a57b-c97ff44caf65,CN=Deleted
Objects,DC=PIS,DC=local for rid info failed with 2: Win32 Error 2
......................... SRVPIS failed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/srvpis.PIS.local/PIS.local
* SPN found :LDAP/srvpis.PIS.local
* SPN found :LDAP/SRVPIS
* SPN found :LDAP/srvpis.PIS.local/PIS
* SPN found
:LDAP/c141137b-eb05-431e-86f4-e1521a05d05a._msdcs.PIS.local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/c141137b-eb05-431e-86f4-e1521a05d05a/PIS.local
* SPN found :HOST/srvpis.PIS.local/PIS.local
* SPN found :HOST/srvpis.PIS.local
* SPN found :HOST/SRVPIS
* SPN found :HOST/srvpis.PIS.local/PIS
* SPN found :GC/srvpis.PIS.local/PIS.local
......................... SRVPIS passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... SRVPIS passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
SRVPIS is in domain DC=PIS,DC=local
Checking for CN=SRVPIS,OU=Domain Controllers,DC=PIS,DC=local
in domain DC=PIS,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
in domain CN=Configuration,DC=PIS,DC=local on 1 servers
Object is up-to-date on all servers.
......................... SRVPIS passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... SRVPIS passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last
15 minutes.
......................... SRVPIS passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/24/2006 08:33:30
(Event String could not be retrieved)
....
An Error Event occured. EventID: 0x0000410A
Time Generated: 02/24/2006 09:31:30
(Event String could not be retrieved)
......................... SRVPIS failed test systemlog
Running enterprise tests on : PIS.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside
the scope
provided by the command line arguments provided.
......................... PIS.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\srvpis.PIS.local
Locator Flags: 0xe00001fc
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\srvpis.PIS.local
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\srvpis.PIS.local
Locator Flags: 0xe00001fc
KDC Name: \\srvpis.PIS.local
Locator Flags: 0xe00001fc
......................... PIS.local failed test FsmoCheck
When I try to add a new user to the domain I get the following error:
"Windows cannot create the object because: The directory service was
unable to allocate a relative identifier".
So I suppose it has to do with DC roles being reassigned to a computer
which does not exist anymore. Maybe I should do a metadata cleanup +
set up but I'm not sure how to do that.
Heeeelp
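
Added example (not part of the original post): a Python sketch that reads dcdiag /v text like the output quoted above, lists the FSMO role owners whose DN carries the "DEL:<GUID>" deleted-object marker, and decodes the hex event ID and the event "Data:" bytes. The sample text is a constructed excerpt in the shape of the quoted output, and the function names are hypothetical.

```python
import re

# Constructed excerpt shaped like the dcdiag /v output in the post; the
# healthy "Rid Owner" line is made up to show the contrast.
SAMPLE = '''\
Starting test: KnowsOfRoleHolders
Role PDC Owner = CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
Warning: CN="NTDS Settings
DEL:87e8397c-0635-4f21-84a1-6ce8e71ac598",CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
is the PDC Owner, but is deleted.
Role Rid Owner = CN=NTDS Settings,CN=SRVPIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PIS,DC=local
......................... SRVPIS failed test KnowsOfRoleHolders
An Error Event occured. EventID: 0x0000410A
'''

ROLE_RE = re.compile(r'^\s*Role (.+?) Owner = (.*)$')
DEL_RE = re.compile(r'\nDEL:([0-9a-fA-F-]{36})')

def role_owners(text):
    """Return {role: owner DN}; a DN with an unclosed quote continues on the next line."""
    owners, open_role = {}, None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            role, dn = m.group(1), m.group(2).strip()
            owners[role] = dn
            open_role = role if dn.count('"') % 2 else None
        elif open_role:
            owners[open_role] += "\n" + line.strip()
            open_role = None
    return owners

def deleted_role_owners(text):
    """Return {role: GUID} for owners whose DN contains the DEL:<GUID> marker."""
    found = {}
    for role, dn in role_owners(text).items():
        m = DEL_RE.search(dn)
        if m:
            found[role] = m.group(1)
    return found

def event_ids(text):
    """dcdiag prints event IDs in hex; return them as the decimal IDs Event Viewer shows."""
    return [int(h, 16) for h in re.findall(r'EventID: (0x[0-9A-Fa-f]+)', text)]

def status_from_event_data(data):
    """Event 'Data:' bytes are a little-endian DWORD; 'a7 02 00 c0' is 0xC00002A7,
    which ntstatus.h defines as STATUS_DS_NO_RIDS_ALLOCATED."""
    return int.from_bytes(bytes.fromhex(data.replace(" ", "")), "little")
```

Run against the full output, this shows that EventID 0x0000410A in the systemlog test is the same SAM event 16650 reported in the event log.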