windows - Directory Service is unable to allocate a relative identifier

24
2014-04
  • Philip

    At work, we currently have one domain controller, POLLY. This DC is the RID master. However, there used to be two other DCs, PAULA and PETTY. These are both offline (and long gone), yet they appear in POLLY's configuration. Strangely, POLLY has the same IP as PETTY.

    When I try to add a new user with Active Directory Users and Computers, I keep getting the following error message:

    Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

    This is strange, since POLLY (our only DC) is the RID master.

    Here's the output of dcdiag:

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Standardname-des-ersten-Standorts\POLLY
    Starting test: Connectivity
    ......................... POLLY passed test Connectivity

    Doing primary tests

    Testing server: Standardname-des-ersten-Standorts\POLLY
    Starting test: Replications
    REPLICATION-RECEIVED LATENCY WARNING
    POLLY: Current time is 2012-01-11 09:18:28.
    DC=ForestDnsZones,DC=europa-institut,DC=com
    Last replication recieved from PETTY at 2004-08-12 17:48:21.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    DC=DomainDnsZones,DC=europa-institut,DC=com
    Last replication recieved from PETTY at 2004-08-13 10:50:52.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    CN=Schema,CN=Configuration,DC=europa-institut,DC=com
    Last replication recieved from PETTY at 2004-08-12 17:48:20.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    Last replication recieved from PAULA at 2004-08-25 01:05:28.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    CN=Configuration,DC=europa-institut,DC=com
    Last replication recieved from PETTY at 2004-08-13 10:54:37.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    Last replication recieved from PAULA at 2004-08-25 01:05:19.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    DC=europa-institut,DC=com
    Last replication recieved from PETTY at 2004-08-13 11:04:57.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    Last replication recieved from PAULA at 2004-08-25 01:09:36.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    ......................... POLLY passed test Replications
    Starting test: NCSecDesc
    ......................... POLLY passed test NCSecDesc
    Starting test: NetLogons
    ......................... POLLY passed test NetLogons
    Starting test: Advertising
    ......................... POLLY passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... POLLY passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... POLLY passed test RidManager
    Starting test: MachineAccount
    ......................... POLLY passed test MachineAccount
    Starting test: Services
    ......................... POLLY passed test Services
    Starting test: ObjectsReplicated
    ......................... POLLY passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... POLLY passed test frssysvol
    Starting test: frsevent
    There are warning or error events within the last 24 hours after the

    SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
    ......................... POLLY failed test frsevent
    Starting test: kccevent
    ......................... POLLY passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0x40000004
    Time Generated: 01/11/2012 08:47:35
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x40000004
    Time Generated: 01/11/2012 09:05:49
    (Event String could not be retrieved)
    ......................... POLLY failed test systemlog
    Starting test: VerifyReferences
    ......................... POLLY passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : europa-institut
    Starting test: CrossRefValidation
    ......................... europa-institut passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... europa-institut passed test CheckSDRefDom

    Running enterprise tests on : europa-institut.com
    Starting test: Intersite
    ......................... europa-institut.com passed test Intersite
    Starting test: FsmoCheck
    ......................... europa-institut.com passed test FsmoCheck

    And here's the output of repadmin /showrepl:

    repadmin running command /showrepl against server localhost

    Standardname-des-ersten-Standorts\POLLY

    DC Options: IS_GC

    Site Options: (none)

    DC object GUID: 3c57a0b6-7047-4b42-a3d1-e5eed7513cbe

    DC invocationID: 5194142b-3179-4cff-b17e-77af398b8007

    What do I have to do in order to be able to add new users?

  • Answers
  • dusan.bajic

    First, make a system state data backup on your DC, just in case. Next, perform metadata cleanup to remove all traces of long gone DCs. Here is a pretty good tutorial: http://www.petri.co.il/delete_failed_dcs_from_ad.htm After that, run dcdiag again and let us know if the problem persists.
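
Before a metadata cleanup it helps to list exactly which partners and naming contexts dcdiag reports as stale. The following is an added example, not part of the original posts: `Get-StaleReplicationPartner` is a hypothetical helper, the input is a constructed excerpt in the format of the dcdiag output quoted in the question, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed excerpt in the format of the dcdiag Replications test output.
$sample = @'
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
POLLY: Current time is 2012-01-11 09:18:28.
DC=ForestDnsZones,DC=europa-institut,DC=com
Last replication recieved from PETTY at 2004-08-12 17:48:21.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=europa-institut,DC=com
Last replication recieved from PETTY at 2004-08-13 10:54:37.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
Last replication recieved from PAULA at 2004-08-25 01:05:19.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... POLLY passed test Replications
'@

# Hypothetical helper: group partners that have been silent longer than the
# tombstone lifetime, with the naming contexts each one is still listed for.
function Get-StaleReplicationPartner {
    param([Parameter(Mandatory)][string[]] $DcdiagLine)

    $culture = [Globalization.CultureInfo]::InvariantCulture
    $format  = 'yyyy-MM-dd HH:mm:ss'
    $stamp   = '(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
    $now = $null; $context = $null; $seen = @()
    $tombstoneDays = 60   # fallback only; overwritten by the value dcdiag prints

    foreach ($line in $DcdiagLine) {
        $text = $line.Trim()
        if ($text -match "Current time is $stamp") {
            $now = [datetime]::ParseExact($Matches[1], $format, $culture)
        } elseif ($text -match 'Tombstone Lifetime of (\d+) days') {
            $tombstoneDays = [int]$Matches[1]
        } elseif ($text -match '^(DC|CN)=\S+$') {
            $context = $text          # naming context for the lines that follow
        } elseif ($text -match "from (\S+) at $stamp") {
            $seen += [pscustomobject]@{
                Partner       = $Matches[1]
                NamingContext = $context
                LastReceived  = [datetime]::ParseExact($Matches[2], $format, $culture)
            }
        }
    }
    if (-not $now) { throw 'No "Current time is" line found; cannot compute latency.' }

    $seen | Where-Object { ($now - $_.LastReceived).TotalDays -gt $tombstoneDays } |
        Group-Object Partner | ForEach-Object {
            $group  = $_.Group
            $newest = ($group | Sort-Object LastReceived | Select-Object -Last 1).LastReceived
            [pscustomobject]@{
                Partner           = $_.Name
                NamingContexts    = ($group | ForEach-Object { $_.NamingContext }) -join '; '
                NewestReplication = $newest
                DaysSilent        = [int]($now - $newest).TotalDays
            }
        }
}

Get-StaleReplicationPartner -DcdiagLine ($sample -split "`r?`n") | Format-List
```

On the domain controller itself, the captured output of `dcdiag /test:Replications` can be passed as `-DcdiagLine` in place of the sample.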


  • Related Question

    windows server 2008 - How do you repair active directory after a partially renamed domain controller?
  • Questioner

    I have a 2008 Server (only DC in the domain) which crashed during a rename. As a result it left the system half renamed. The computer name had been changed to DC1 but there were still many references to DC2 (the old computer name) such as in DNS and Active Directory.

    As a result the Netlogon service will not start and Active Directory cannot be accessed. After about 8 hours of hard work, I managed to make some progress by manually editing DNS records and updating Active Directory records using ADSIEdit.

    When I run netdiag I get the following output...

    Computer Name: DC1
    DNS Host Name: dc1.school.local
    System info : Windows Server (R) 2008 Standard (Build 6002)
    Processor : x86 Family 6 Model 15 Stepping 11, GenuineIntel
    Hotfixes : none detected
    
    Netcard queries test . . . . . . . : Passed
        [WARNING] The net card 'RAS Async Adapter' may not be working because it has not    received any packets.
    GetStats failed for 'isatap.{A9F5A39A-FD61-44C4-BE9F-1E4BD5A3B546}'. [ERROR_GEN_FAILURE]
    
    Per interface results:
    
    Adapter : Local Area Connection
    
        Netcard queries test . . . : Passed
    
        Host Name. . . . . . . . . : dc1
        IP Address . . . . . . . . : 192.168.1.3
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.3
                                     127.0.0.1
    
    
        AutoConfiguration results. . . . . . : Passed
    
        Default gateway test . . . : Passed
    
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
    
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.
    
    Global results:
    
    Domain membership test . . . . . . : Passed
    
    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{A9F5A39A-FD61-44C4-BE9F-1E4BD5A3B546}
    1 NetBt transport currently configured.
    
    Autonet address test . . . . . . . : Passed
    
    IP loopback ping test. . . . . . . : Passed
    
    Default gateway test . . . . . . . : Passed
    
    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
    
    Winsock test . . . . . . . . . . . : Passed
    
    DNS test . . . . . . . . . . . . . : Failed
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.
       [FATAL] No DNS servers have the DNS records for this DC registered.
    
    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{A9F5A39A-FD61-44C4-BE9F-1E4BD5A3B546}
    The redir is bound to 1 NetBt transport.
    
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{A9F5A39A-FD61-44C4-BE9F-1E4BD5A3B546}
    The browser is bound to 1 NetBt transport.
    
    DC discovery test. . . . . . . . . : Failed
        [FATAL] Cannot find DC in domain 'SCHOOL'. [ERROR_NO_SUCH_DOMAIN]
    
    DC list test . . . . . . . . . . . : Failed
        'SCHOOL': Cannot find DC to get DC list from [test skipped].
    
    Trust relationship test. . . . . . : Skipped
    
    Kerberos test. . . . . . . . . . . : Skipped
        'SCHOOL': Cannot find DC to get DC list from [test skipped].
    
    LDAP test. . . . . . . . . . . . . : Failed
    Cannot find DC to run LDAP tests on. The error occurred was: The specified domain either does not exist or could not be contacted.
    
    
        [WARNING] Cannot find DC in domain 'SCHOOL'. [ERROR_NO_SUCH_DOMAIN]
    
    Bindings test. . . . . . . . . . . : Passed
    
    WAN configuration test . . . . . . : Skipped
    No active remote access connections.
    
    Modem diagnostics test . . . . . . : Passed
    
    IP Security test . . . . . . . . . : Skipped
    
    Note: run "netsh ipsec dynamic show /?" for more detailed information
    
    
    The command completed successfully
    

    and dcdiag returns....

    Domain Controller Diagnosis
    
    Performing initial setup:
        Done gathering initial info.
    
    Doing initial required tests
    
    Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
            *** Warning: could not confirm the identity of this server in
               the directory versus the names returned by DNS servers.
               If there are problems accessing this directory server then
               you may need to check that this server is correctly registered
               with DNS
         ......................... DC1 passed test Connectivity
    
    Doing primary tests
    
    Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC1\netlogon)
         [DC1] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.
         ......................... DC1 failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (DC1) call failed, error 1355
         The Locator could not find the server.
         ......................... DC1 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         Failed with 8481: Win32 Error 8481
         Could not get Rid set Reference :failed with 8481: Win32 Error 8481
         ......................... DC1 failed test RidManager
      Starting test: MachineAccount
         ***Error: The server DC1 is missing its machine account.  Try running
    
         with the /repairmachineaccount option. 
         * The current DC is not in the domain controller's OU
         ......................... DC1 failed test MachineAccount
      Starting test: Services
            w32time Service is stopped on [DC1]
            NETLOGON Service is stopped on [DC1]
         ......................... DC1 failed test Services
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC1 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
    
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
    
         Group Policy problems. 
         ......................... DC1 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x800004C8
            Time Generated: 07/01/2009   09:42:01
            Event String: An attempt by the local domain controller to
    
         An Warning Event occured.  EventID: 0x800004C8
            Time Generated: 07/01/2009   09:47:01
            Event String: An attempt by the local domain controller to
    
         ......................... DC1 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x000015E2
            Time Generated: 07/01/2009   09:42:21
            Event String: An internal error occurred while accessing the
    
         An Error Event occured.  EventID: 0xC25A002E
            Time Generated: 07/01/2009   09:42:23
            Event String: The time service encountered an error and was
    
         An Error Event occured.  EventID: 0xC0001B6F
            Time Generated: 07/01/2009   09:43:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B6F
            Time Generated: 07/01/2009   09:43:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B72
            Time Generated: 07/01/2009   09:43:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000469
            Time Generated: 07/01/2009   09:45:00
            Event String: The processing of Group Policy failed because of
    
         An Error Event occured.  EventID: 0x00000456
            Time Generated: 07/01/2009   09:45:43
            Event String: The processing of Group Policy failed. Windows
    
         An Error Event occured.  EventID: 0xC000042B
            Time Generated: 07/01/2009   09:49:19
            Event String: The terminal server cannot register 'TERMSRV'
    
         ......................... DC1 failed test systemlog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences
    
    Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
    
    Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
    
    Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
    
    Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
    
    Running partition tests on : School
      Starting test: CrossRefValidation
         ......................... School passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... School passed test CheckSDRefDom
    
    Running enterprise tests on : School.local
      Starting test: Intersite
         ......................... School.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... School.local failed test FsmoCheck
    

    From these I am certain the problem still lies with DNS, but I am not sure where. Can anyone offer some advice?


  • Related Answers
  • MathewC

    Can you restore back to before you renamed and start the process over again clean?

  • drgncabe

    Wow, that's a mess.

    OK, first I'd check FSMO roles by doing 'netdom query FSMO' and see if the old server name is the holder of any FSMO roles. If this is the case, follow the instructions in the next link to seize the FSMO roles and get them under the right server name. Chances are not everything got transferred to the new name and you'll need to clean the metadata; this is done with NTDSUTIL.

    Cleaning the metadata -> http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx

    Now, I'd run dcdiag /repairmachineaccount and see if that yields results. If it does, it should fix the machine account and place it in the domain controllers OU.

    Then run DCDIAG and NETDIAG again and start working on the individual errors. Google the error and see if you can fix their individual causes.

    I'd look at this from the viewpoint of a failed DC that held the majority of the FSMO roles. The errors you are getting look more like the old server name holds the RID, Infrastructure and Schema master, even though it's not showing up that way in the KnowsOfRoleHolders test in dcdiag.
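
The first check in the answer above, comparing the `netdom query fsmo` role holders against the server's current name, can be scripted. This is an added example, not part of the original posts: `Get-MisplacedFsmoRole` is a hypothetical helper, and the role holders in the sample are constructed for illustration (the question does not show the real `netdom` output).

```powershell
# Constructed sample in the format printed by `netdom query fsmo`; on the
# affected server, pass the real command output instead.
$sample = @'
Schema master               DC2.school.local
Domain naming master        DC2.school.local
PDC                         DC1.school.local
RID pool manager            DC2.school.local
Infrastructure master       DC2.school.local
The command completed successfully.
'@

# Hypothetical helper: report every FSMO role whose holder is not $ExpectedDc.
function Get-MisplacedFsmoRole {
    param(
        [Parameter(Mandatory)][string[]] $NetdomLine,
        [Parameter(Mandatory)][string]   $ExpectedDc   # short or fully qualified name
    )
    $expected = ($ExpectedDc -split '\.')[0]
    foreach ($line in $NetdomLine) {
        # Role name and holder are separated by a run of two or more spaces;
        # the trailing status line has single spaces only and is skipped.
        if ($line.Trim() -match '^(.+?)\s{2,}(\S+)$') {
            $role   = $Matches[1]
            $holder = $Matches[2]
            $short  = ($holder -split '\.')[0]
            if ($short -ne $expected) {   # -ne compares strings case-insensitively
                [pscustomobject]@{ Role = $role; Holder = $holder; Expected = $ExpectedDc }
            }
        }
    }
}

Get-MisplacedFsmoRole -NetdomLine ($sample -split "`r?`n") -ExpectedDc 'DC1' |
    Format-Table -AutoSize
```

Any role listed in the result is still attributed to a name other than the expected DC and is a candidate for the seizure and metadata cleanup steps the answer links to.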