Article ID: 839879
When you try to add new users, groups, computers, mailboxes, domain controllers, or other objects to Active Directory on a Microsoft Windows Server 2003-based computer or a Windows 2000-based computer, you may receive the following error message:
Cannot create the object because directory service was unable to allocate a relative identifier.
When you restore a domain controller from a system state backup, the System log may contain the following error message:
Event Type: Error
Event Source: SAM Event
Event ID: 16650
Description: The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.
You may also receive other errors in the system event log that can help you to troubleshoot the problem:
Event ID: 16647
Event Source: SAM
Description: The domain controller is starting a request for a new account-identifier pool.
Event Type: Error
Event Source: SAM Event
Event ID: 16645
Description: The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
You can also use the Dcdiag command together with the verbose switch to look for additional errors. To do this, follow these steps:
This problem occurs in one of the following scenarios:
Delete the replication links for the naming contexts in Windows 2000
In Windows 2000, you can restore a second domain controller to complete initial synchronization. If you cannot restore a second domain controller, you must either perform a metadata cleanup on the non-existent domain controllers or delete the replication links to the Active Directory naming contexts. If you plan to restore the other domain controllers later, you must delete the replication links instead of performing a metadata cleanup.
Before you can delete the replication links to the Active Directory naming contexts, you must identify the objectGUID value by using the Repadmin command. To do this, follow these steps:
Remove domain controller metadata for all other domain controllers in the domain
You can restore or connect a second domain controller to complete initial synchronization. If you cannot add a second domain controller, you must either perform a metadata cleanup on the non-existent domain controllers to remove them from the domain permanently or delete the replication links to the Active Directory naming contexts.
For more information about how to remove metadata, click the following article number to view the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion (http://support.microsoft.com/kb/216498/)
Verify that Active Directory objects that are related to RID allocation are valid
To verify that the Active Directory objects that are related to RID allocation are valid, follow these steps:
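The following is an added example, not the article's own steps: it decodes the RID-allocation attributes that Active Directory keeps on the CN=RID Manager$ object (rIDAvailablePool) and on each domain controller's CN=RID Set object (rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID, referenced through rIDSetReferences on the computer account) from an ldifde-style export, and reports a dangling rIDSetReferences or an issued pool that overlaps the RID Master's available pool. The attribute names are Active Directory's own; the DNs, pool values and the export itself are constructed for the example.

```python
# Added example, not the KB's own procedure. Attribute names are the real AD ones; the LDIF export
# below is constructed, and DC2 deliberately references a RID Set object that is absent from it.
SAMPLE_LDIF = """\
dn: CN=RID Manager$,CN=System,DC=example,DC=com
rIDAvailablePool: 4611686014132422213

dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
rIDSetReferences: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com
rIDAllocationPool: 6889127543889
rIDPreviousAllocationPool: 4741643895389
rIDNextRID: 900

dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
rIDSetReferences: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=example,DC=com
"""

def parse_ldif(text):  # minimal parser for a single-valued ldifde-style export -> {dn: {attr: value}}
    objects, current = {}, None
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(": ")
            if name == "dn":
                current = objects.setdefault(value, {})
            else:
                current[name] = value
    return objects

def unpack_pool(value):  # a RID pool is one 64-bit integer: low 32 bits = first RID, high 32 bits = last RID
    return int(value) & 0xFFFFFFFF, int(value) >> 32

def check_rid_objects(objects):
    """Return findings for every DC that carries rIDSetReferences; an empty list means consistent."""
    findings = []
    manager = next(a for dn, a in objects.items() if dn.startswith("CN=RID Manager$,"))
    next_free, max_rid = unpack_pool(manager["rIDAvailablePool"])  # next RID the master will hand out
    for dn, attrs in objects.items():
        if "rIDSetReferences" in attrs:
            rid_set = objects.get(attrs["rIDSetReferences"])
            if rid_set is None:  # dangling reference, e.g. the RID Set object did not survive a restore
                findings.append(f"{dn}: rIDSetReferences points at a missing RID Set object")
                continue
            lo, hi = unpack_pool(rid_set["rIDAllocationPool"])  # pool the master handed to this DC
            if hi >= next_free or hi > max_rid:  # an issued pool must lie below the master's next free RID
                findings.append(f"{dn}: rIDAllocationPool {lo}-{hi} overlaps the RID Master's rIDAvailablePool")
            plo, phi = unpack_pool(rid_set["rIDPreviousAllocationPool"])  # pool currently being consumed
            if not plo <= int(rid_set["rIDNextRID"]) <= phi:
                findings.append(f"{dn}: rIDNextRID is outside rIDPreviousAllocationPool {plo}-{phi}")
    return findings
```

An available-pool value that has been rolled back by a restore of the RID Master shows up as an overlap finding for every domain controller whose issued pool now sits above the master's next free RID.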
Verify that the RID Master is replicating with another domain controller
If a newly promoted domain controller generates Event 16650, the domain controller may have obtained replication information from another domain controller that is not the RID Master. During promotion, the computer account for the new domain controller is modified. If these changes have not replicated to the domain controller that holds the RID master role, the request will fail when the newly promoted domain controller tries to obtain a RID pool.
To verify that the RID Master is replicating with at least one of its direct partners, follow these steps:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
913539 Active Directory attributes that refer to a prefix may not be stored in the local copy of Active Directory on a computer that is running Microsoft Windows Server 2003 (http://support.microsoft.com/kb/913539/)
305476 Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders (http://support.microsoft.com/kb/305476/)
822053 Error message: "Windows cannot create the object because the Directory Service was unable to allocate a relative identifier" (http://support.microsoft.com/kb/822053/)
248410 Error message: "The account-identifier allocator failed to initialize properly" (http://support.microsoft.com/kb/248410/)
Article ID: 839879 - Last Review: October 30, 2006 - Revision: 9.4