"The Account-Identifier Allocator Failed to Initialize Properly" error in Windows Server

Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Symptoms

You notice that an entry that resembles the following is recorded approximately every two minutes in the NTDS event log:

Event 16650
MessageId=0x410A
SymbolicName=SAMMSG_RID_INIT_FAILURE
Language=English

The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows Server may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

Cause

This problem occurs because the RID Master FSMO is unavailable or fails to replicate. The domain controller cannot obtain and initialize the RID pool.

This problem may also occur if the "Access this computer from the network" user right is not granted to the appropriate groups, such as the "Enterprise Domain Controllers" or "Authenticated Users" groups.

Resolution

To troubleshoot this problem, examine the NTDS event log for more details about the replication failure.

Determine the RID Master FSMO by following the steps in the following Knowledge Base article:

234790 How To Find Servers That Hold Flexible Single Master Operations Roles

Verify network connectivity by using the ping command. For more information about how to use the ping command, see the following Docs articles:

Chapter 16 — Troubleshooting TCP/IP

NSlookup

If the RID Master is down for an extended time, follow the steps in the following Knowledge Base article:

223787 Flexible Single Master Operation Transfer and Seizure Process

To add either the "Enterprise Domain Controllers" or "Authenticated Users" group to the "Access this computer from the network" user right, follow these steps in Domain Controller Security Policy:

  1. Open the policy. To do this, click Start > Programs > Administrative Tools > Domain Controller Security Policy.
  2. Expand Security Settings, expand Local Policies, and then select User Rights Assignment.
  3. Double-click Access this computer from the network, and then add either the Everyone or Authenticated Users group to this right.

If there are multiple Windows 2000 Server domain controllers, run the following command at a command prompt to refresh this change on those policies. 

secedit /refreshpolicy machine_policy /enforce
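The troubleshooting steps above, collected into one diagnostic script to run on the domain controller that logs Event 16650. This is an added example, not part of the Knowledge Base article; it assumes an elevated PowerShell session with the ActiveDirectory module, repadmin, dcdiag and secedit available on that DC.

```powershell
#Requires -Modules ActiveDirectory
# Added diagnostic script (not from the KB article). Run elevated on the DC
# that records Event 16650. Assumes the ActiveDirectory module plus the
# repadmin, dcdiag and secedit tools are present on this server.

# 1. Confirm the symptom: recent SAMMSG_RID_INIT_FAILURE entries in the
#    Directory Service (NTDS) log. The record data carries the NT error code.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 16650 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    "Found $($events.Count) recent Event 16650 entries; latest at $($events[0].TimeCreated)"
} else {
    'No Event 16650 entries found in the Directory Service log.'
}

# 2. Determine the RID Master FSMO holder (the KB 234790 step, in PowerShell).
$ridMaster = (Get-ADDomain).RIDMaster
"RID Master FSMO holder: $ridMaster"

# 3. Verify name resolution and network connectivity to the RID Master.
$dns = Resolve-DnsName -Name $ridMaster -Type A -ErrorAction SilentlyContinue
if (-not $dns) { "DNS lookup for $ridMaster failed; fix name resolution first." }
if (Test-Connection -ComputerName $ridMaster -Count 2 -Quiet) {
    "$ridMaster answers ping."
} else {
    "$ridMaster does not answer ping; if it stays down, see KB 223787 (transfer/seizure)."
}

# 4. Show inbound replication status for this DC and test RID pool handling.
repadmin /showrepl $env:COMPUTERNAME
dcdiag /test:RidManager /v

# 5. Second cause from the article: 'Access this computer from the network'
#    (SeNetworkLogonRight) must include Enterprise Domain Controllers or
#    Authenticated Users. Export the effective policy and inspect that line.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
"Current setting: $($right.Line)"
# S-1-5-9 is Enterprise Domain Controllers, S-1-5-11 is Authenticated Users.
if ($right.Line -notmatch 'S-1-5-9|S-1-5-11') {
    'Neither Enterprise Domain Controllers nor Authenticated Users holds this right.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If step 5 reports that neither group holds the right, add it in Domain Controller Security Policy as described above and refresh the policy on the affected controllers.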