
The directory service was unable to allocate a relative identifier.


Daniel T. Jerome Sr.

Feb 12, 2003, 6:18:42 PM
I ran a restore of an Operations Master with the TapeWare
program. Now I get a strange message that I cannot find
in the Knowledge Base when the system fails to add new
users to the Active Directory. I made sure to use the
Directory Restore Safe Mode when I was done restoring the
system files and data.

I get the following message:
Windows cannot create the object because: The directory
service was unable to allocate a relative identifier.

Please let me know if anyone out there can help.
Thanks,

Daniel T. Jerome Sr., MCSE
Senior Systems Engineer
American CompuSystems
d...@compusystem.com

Tim Hines, MCSE [MVP]

Feb 12, 2003, 6:27:47 PM
That means that the RID master may be unavailable. You may want to check
your event log to see if you are getting event id 16650 in the DS event log
as mentioned in
http://support.microsoft.com/default.aspx?scid=kb;en-us;248410
Verify that you can contact a RID master. You can determine who holds the
role by typing netdom query fsmo.

How many DCs do you have?

--
Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory

"If you catch a man a fish, he eats for a day. If you teach a man to fish
he eats for a lifetime"

"Daniel T. Jerome Sr." <d...@compusystem.com> wrote in message
news:022201c2d2ed$15781ab0$8ef82ecf@TK2MSFTNGXA04...

mike hildebrand

Feb 12, 2003, 7:44:54 PM
Daniel,

What SP are you at on the DC? Are you running hotfix
306133? Starting with that hotfix (which is included in
SP3), if you restore a DC, prior to initializing the RID
pool, the restored DC needs to replicate with one of its
replication partners to verify that another DC isn't
already the RID master. If you are running hotfix 306133, remove
it and re-add it to the restored DC. If you are running
SP3, bring the restored DC back on-line and allow the box
to replicate with one of its replication partners. If
this is an off-line restore, you'll need to restore a
second DC from that domain and allow the two to
replicate.

Hope this helps...

Mike Hildebrand


Snowdog

Feb 13, 2003, 4:08:02 AM
The SAM 16650 error is normal after a restore of the
system state from backup. After a restore the system will
void your existing RID pool so as to make sure that
duplicate SIDs are not issued. If the RID Master is
available you should be able to get a new RID pool.

Snowdog


Daniel T. Jerome Sr.

Feb 13, 2003, 9:41:07 AM
Mike,
Thanks for the speedy reply.

I am currently running SP3 on this server. There is no
Hotfix 306133 listed in the add/remove programs list.

This problem server (Tampa) was set up as the Operations
Master (i.e. first on the ADS domain). It is on the
192.168.0.0 (Tampa) subnet. There is a WatchGuard SOHO TC
firewall/router connecting it to the Internet as well as
an IPSEC tunnel to another WatchGuard SOHO TC on the
192.168.1.0 (New Port Richey [NPR]) subnet. There is
another domain controller on that (NPR) subnet.
Unfortunately they were not able to synch up for some
reason when I brought the server back online. I keep
getting strange FSMO errors on the NPR server when it
tries to talk to the other Tampa server. I tried to
promote NPR already but that won't work either.

Do you think that I might need to pick up and drive one
server over to the other location in order to get the
synch to work? I can't help but feel that there is a key
concept that I am missing with having DCs on different
private class WAN subnets.

Thanks for the Help,
Dan

Daniel T. Jerome Sr.

Feb 13, 2003, 10:44:26 AM
The \\Tampa server is the Operations Master. It is the
one that I had to restore. The problem hit us out of
nowhere so I was unable to Promote the other DC. There
are two DCs. One in New Port Richey, FL (192.168.1.2) and
one in Tampa, FL (192.168.0.1). They are connected
together via an IPSEC tunnel provided by two WatchGuard
SOHO TC 6 firewall/routers. I can access (TS) both
servers remotely for maintenance from our home office in
server remotely for maintenance from our home office in
Clearwater, FL.

I ran the netdom query fsmo command on both sides of the
VPN and both servers listed Tampa as the schema owner,
Domain role owner, PDC Role, RID pool manager, and
Infrastructure owner.

I built the two servers locally and then moved the other
one to its New Port Richey location on the other
subnet. I installed the DNS services after I set up the
IP settings to match the NPR subnet 192.168.1.0. I feel
I might have missed something in terms of FSMO synch
between the two subnets but I am not sure because
everything looks alright.

There are plenty of id 16650s in the logs.

Also I cannot delete non-existing DCs from the AD via
the Active Directory Users and Computers applet. I get
the cannot delete the DSA object error now.

Thanks for the help,
Dan
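
[Added example, not part of the original thread or written by any poster.] The cross-check described in the post above (running netdom query fsmo on each DC and comparing the answers) can be scripted against saved output. The role labels are the ones listed in the post; the host names and the sample output are constructed placeholders.

```python
import re

# Role labels as listed in the post above (netdom query fsmo output).
ROLES = ("Schema owner", "Domain role owner", "PDC role",
         "RID pool manager", "Infrastructure owner")

# Constructed sample output; the host name is a placeholder.
SAMPLE_VIEW = """\
Schema owner                tampa.example.local
Domain role owner           tampa.example.local
PDC role                    tampa.example.local
RID pool manager            tampa.example.local
Infrastructure owner        tampa.example.local
The command completed successfully.
"""

def parse_fsmo(output):
    """Map each role label to the holder named in one DC's netdom output."""
    holders = {}
    for line in output.splitlines():
        for role in ROLES:
            m = re.match(r"\s*" + re.escape(role) + r"\s+(\S+)\s*$", line, re.I)
            if m:
                holders[role] = m.group(1).lower()
    return holders

def compare_views(views):
    """views: {dc_name: raw netdom output}. Return a list of findings."""
    parsed = {dc: parse_fsmo(text) for dc, text in views.items()}
    findings = []
    for role in ROLES:
        seen = {dc: p.get(role) for dc, p in parsed.items()}
        missing = sorted(dc for dc, h in seen.items() if h is None)
        if missing:
            findings.append(f"{role}: no holder reported by {', '.join(missing)}")
        holders = {h for h in seen.values() if h}
        if len(holders) > 1:
            findings.append(f"{role}: DCs disagree: {sorted(holders)}")
    return findings

def rid_master(views):
    """Return the single agreed RID pool manager, or None if not agreed."""
    holders = {parse_fsmo(t).get("RID pool manager") for t in views.values()}
    return holders.pop() if len(holders) == 1 and None not in holders else None

if __name__ == "__main__":
    views = {"tampa": SAMPLE_VIEW, "npr": SAMPLE_VIEW}
    print(rid_master(views), compare_views(views))
```

Agreement between the DCs only shows what each directory copy records as the role holder; it does not show that the RID master is reachable or has issued a new pool.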

Daniel T. Jerome Sr.

Feb 13, 2003, 10:47:57 AM
Ok that sounds like a good start but here's the hitch
(there's always one)...

The Tampa server (the one which was restored) is the
Schema owner, Domain role owner, PDC role, RID Pool
manager, and Infrastructure owner.

Any thoughts on that?
Thanks,
d...@compusystem.com

