- Error messages that can indicate the operations master did not finish initial synchronization because of a replication failure
- Scenarios that describe some possible causes of incoming replication failure on an operations master
- How to use the Repadmin.exe utility to troubleshoot initial synchronization problems
- Partitions that must be replicated before the operations master roles can function
- Changes in initial synchronization requirements in Windows Server 2003 with Service Pack 1 (SP1)
- Effects of downtime on the operations master roles
RID master
If the relative ID (RID) operations master cannot be contacted, and if the RID pool drops lower than the 20-to-50-percent range, the following error message is logged in the Directory Service event log:
Note In the Microsoft Windows 2000 Server with Service Pack 4 (SP4), the threshold at which domain controllers start to request a new RID pool has increased to 50 percent.
For more information about a similar error message that you may receive when the RID master is unavailable, click the following article number to view the article in the Microsoft Knowledge Base:
Schema master
When you run the adprep /forestprep command to prepare the Windows 2000 Server forest and the forest domains for the addition of Microsoft Windows Server 2003 domain controllers, the command fails. Additionally, the Adprep.log contains the following error message:
Domain naming master
When you try to add a new child domain or a new tree to the forest, you may receive the following error message:
The current role resides on a domain controller whose Microsoft Windows NT Directory Service (NTDS) settings object has been deleted from Active Directory
Cause
This scenario may occur because of one of the following reasons:
- You either use the Active Directory Sites and Services snap-in, the Ntdsutil.exe utility, or a similar utility to delete the NTDS-DSA object from the Active Directory of a domain controller. However, you do not transfer the operations master role of the domain controller to another domain controller in the domain or the forest.
- You use the dcpromo /forceremoval command to forcefully remove Active Directory from a domain controller that holds an operations master role. For more information about the dcpromo /forceremoval command, click the following article number to view the article in the Microsoft Knowledge Base: 332199 Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
- You try to use the Active Directory Installation Wizard to gracefully remove Active Directory from an operations master domain controller. However, the locally-held operations master roles do not transfer to existing domain controllers in the domain or in the forest.
Resolution
In all these cases, you must seize operations master roles or transfer operations master roles to an existing domain controller. For more information about seizing or transferring operations master roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
The domain controller that holds the operations master role contains references to domain controllers that are no longer running Active Directory
Cause
In this scenario, the domain controllers that are no longer running Active Directory still have metadata.
Resolution
To resolve this problem, remove the metadata from offline domain controllers that host the partition. You can do this if the domain controllers are no longer active in the forest and are therefore useless. After you remove the metadata from the domain controllers that are no longer running Active Directory, restart the current operations master role holder. For more information about how to remove metadata for an offline domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
Replication fails on the directory partition that holds the operations master role
Resolution
In this scenario, you must resolve the Active Directory replication failure because this failure prevents the operations master role holder from replicating the operations master partition. You must do this by using an existing partition from another domain controller.
Such replication problems can be caused by the following failures:
- Connectivity failures
- Authentication failures
- Replication engine failures
The replication partner for an operations master role partition resides in a remote Active Directory site
Cause
In this scenario, the operations master resides in a different Active Directory site than other domain controllers that replicate the operations master roles partition.
Resolution
To resolve this problem, take one of the following actions:
- Wait until the replication schedule opens
- Force incoming replication to the current operations master from a domain controller that contains a copy of that partition
The domain controller is started on an isolated network and cannot replicate because there is no network connectivity
Note A network is "isolated" if the domain controller that holds an operations master role has no network cable attached. A network is also "isolated" if the domain controller is on a test network or on a lab network without network access to partner domain controllers.
Cause
In this scenario, the domain controller that is started on an isolated network that has domain controllers in its domain or in its forest cannot replicate because there is no network connectivity.
Resolution
To resolve this problem, add a domain controller to the domain. Then, when the domain controller that holds the operations master roles starts, the domain controller can replicate the necessary domain partitions or the necessary forest-wide partitions.
Note For Windows Server 2003 domain controllers that are in an isolated network, you can use the Ntdsutil.exe utility to seize the operations master role. We recommend that you try this self-seizure operation only as a last resort after you verify that each operations master role in the forest has a unique holder. For more information about how to use the Ntdsutil.exe utility, click the following article numbers to view the articles in the Microsoft Knowledge Base:
The Windows 2000 Server RID master is transferred to another domain controller and Windows cannot create the object
Cause
In this scenario, the Windows 2000 Server RID master crashes and is then restored from a backup. Then, the RID master is temporarily transferred to another domain controller. Windows may report that it cannot create the object because the directory service is unable to allocate a relative identifier.
Resolution
To resolve this problem, you must put the restored domain controller and the temporary RID master into different networks. Then, follow the steps in Microsoft Knowledge Base Article 822053 to synchronize the operations master role holders.
The Windows 2000 Server or Windows Server 2003 domain controller may report that the RID pool was corrupted and that no object can be created in the domain
In this scenario, you may receive event IDs 16650, 16647, and 16645. Additionally, if you run the dcdiag /v command, you receive the following error messages:
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1355 to 1854
* rIDNextRID: 0
The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDPreviousAllocationPool is 0 to 0
No rids allocated -- please check eventlog.
......................... DC01 failed test RidManager
* Available RID Pool for the Domain is 3104 to 1073741823
Warning: FSMO Role Owner is deleted.
* Domain Controller FQDN is the RID Master
* DsBind with RID Master was successful
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID SetDEL:5a128cf2-f365-47bc-a883-8ff9561ff545,CN=Deleted Objects,DC=contoso,DC=com for rid info failed with 2: The system cannot find the file specified.
......................... DC01 failed test RidManager
Resolution
To resolve this problem, you must either resolve the replication problem or try to repair the corrupted RID pool-related data in the Active Directory database. For more information about this topic, click the following article number to view the article in the Microsoft Knowledge Base:
How to use the Repadmin.exe utility to troubleshoot initial synchronization problems
To troubleshoot initial synchronization problems by using the Repadmin.exe utility, follow these steps:
- On a domain controller that holds an operations master role, locate the Repadmin.exe utility in the Microsoft Windows 2000 Support Tools.
Note The Windows 2000 Support Tools are available on the Windows 2000 Server CD. To install the Windows 2000 Support Tools, run the Setup program from the Support\Tools folder.
- Click Start, click Run, type cmd, and then press ENTER.
- At the command prompt, type repadmin /showreps.
- Examine the output and determine whether the domain controller has successfully replicated since the last restart. If you see any errors, try to resolve the replication problems by using the relevant replication partners, and then wait for the replication to finish.
Each domain controller must successfully replicate the schema partitions, the domain partitions, and the configuration partitions.
Warning The repadmin /delete command has the potential to break your Active Directory installation. Therefore, we highly recommend that you use the repadmin /delete command only under the expert guidance of Microsoft Product Support Services. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:
For more information about how to use the Repadmin.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
In Windows Server 2003, Windows 2000 Server Service Pack 3 (SP3), and later versions of Windows 2000 Server, a domain controller that hosts an operations master role must successfully replicate incoming changes on the directory partition that replicates and maintains the state of that role. Successful replication must occur before operations that depend on the operations master can be performed. This replication makes sure that the operations master is up to date with any changes to the attribute that holds the information about the current operations master holder. For example, if the attribute changed while the operations master was offline, the domain controller relinquishes ownership of the operations master role. If the attribute continues to point to the local domain controller, the domain controller starts to act as the role holder.
When this occurs, Windows Server 2003-based domain controllers log the following event:
Where the operations master role holder information is saved
The following table shows, for each operations master role, the partition that the domain controller that hosts the role must successfully replicate before the role can function.
| Role | Partition that must replicate for role to become active | Operation performed |
|---|---|---|
| Domain naming | Configuration | Add or remove a domain or an application partition. |
| Infrastructure | Domain partition in the domain of the operations master role holder | Introduce changes that were made by using the Windows Server 2003 adprep /domainprep command. |
| Relative ID (RID) | Domain partition in the domain of the operations master role holder | Install Active Directory on the member server. |
| Schema | Schema | Introduce schema changes in the Active Directory Schema snap-in, in the adprep /forestprep command, or in Active Directory-aware applications. |
- The RID master role performs incoming replication for the writeable Contoso.com domain partition with DC2 or with another domain controller in the Contoso.com domain.
- You remove references to domain controllers that host writeable copies of the Contoso.com domain partition from the forest.
Note A domain controller does not have to satisfy the initial synchronization requirement if that domain controller meets the following criteria:
- The domain controller that holds an operations master role resides in a partition.
- The domain controller does not have replication partners. For example, the domain controller is in the domain or in the forest-wide operation scope of the operations master role and therefore does not have partners.
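The check from the Repadmin.exe steps, combined with the role and partition table above, as an added example (not Microsoft's code): it reads inbound-neighbor text in the layout that repadmin /showreps is assumed to print and reports which roles are still waiting for a successful inbound replication since the last restart. The function names, the abridged SAMPLE text, the domain name and the boot time passed in are all constructed for illustration.

```python
import re
from datetime import datetime

# Partition each role needs before it can function (from the table above).
ROLE_PARTITION = {"Domain naming": "configuration", "Infrastructure": "domain",
                  "RID": "domain", "Schema": "schema"}
# Constructed, abridged sample in the layout assumed for repadmin /showreps.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================
DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2005-03-01 10:15:22 failed, result 1722 (0x6ba):
        Last success @ 2005-02-27 23:40:10.
CN=Configuration,DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2005-03-01 10:15:20 was successful.
CN=Schema,CN=Configuration,DC=contoso,DC=com
    Branch-Site\\DC3 via RPC
        Last attempt @ 2005-02-28 02:00:00 was successful.
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
OK_LINE = re.compile(rf"Last attempt @ {TS} was successful|Last success @ {TS}")

def classify(nc, domain_dn):
    """Return 'schema', 'configuration', 'domain', or None for other partitions."""
    low = nc.strip().lower()
    if low.startswith("cn=schema,cn=configuration,"):
        return "schema"
    if low.startswith("cn=configuration,"):
        return "configuration"
    return "domain" if low == domain_dn.lower() else None

def last_success(text, domain_dn):
    """Newest successful inbound replication per partition kind, from any partner."""
    newest, kind = {}, None
    for line in text.splitlines():
        m = OK_LINE.search(line)
        if re.match(r"(DC|CN)=", line):  # unindented DN opens a partition block
            kind = classify(line, domain_dn)
        elif m and kind:
            when = datetime.strptime(m.group(1) or m.group(2), "%Y-%m-%d %H:%M:%S")
            newest[kind] = max(newest.get(kind, when), when)
    return newest

def blocked_roles(text, domain_dn, boot_time):
    """Roles whose partition has no successful inbound replication since boot_time."""
    ok = last_success(text, domain_dn)
    return sorted(r for r, p in ROLE_PARTITION.items() if p not in ok or ok[p] < boot_time)
```

With the sample and a restart at 2005-03-01 10:00:00, the domain and schema partitions have not replicated since boot, so the infrastructure, RID and schema roles are reported as blocked while domain naming is not. The boot time must be given in the same time zone as the timestamps in the output.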
Changes in initial synchronization requirements in Windows Server 2003 with Service Pack 1 (SP1)
The original release version of Windows Server 2003
When you restart a domain controller that is an operations master role holder, the domain controller will only try to replicate with other domain controllers that are in the same site. If an appropriate source domain controller is in the same Active Directory site as the holder, the initial synchronization requirement is typically satisfied after the operating system is started. Because the requirement is satisfied, the operations that depend on the operations master role occur immediately. Delays may occur if the only appropriate source domain controller is in a remote site. Replication will not occur until the schedule opens on the site link or on the connection object. Any operation that requires access to either the schema master role, the domain naming master role, or the RID master role does not function until incoming replication occurs from a writeable source domain controller.
Windows Server 2003 with SP1
If a domain controller that is an operations master role holder is restarted, it will try to perform initial synchronization with all its existing partners until a successful synchronization occurs. The partner is selected at random for the synchronization from all replication partners that the domain controller has for each naming context that the domain controller hosts. No preference is given to intrasite replication partners. The domain controller tries each partner until replication is successful.
When the operations master roles are temporarily offline
All operations master roles can sustain some downtime. This means that you do not have to seize the operations master roles if the computer must be taken offline temporarily. Each operations master role sustains downtime in a unique way.
Schema master
Do not bring the schema operations master role back unless you want to change the schema before the schema operations master role holder comes back through a repair or restore.
Domain naming master
The domain naming operations master role is required when you want to add or remove a naming context in the forest. You have to seize this role if a repair or restore does not bring the role back online before you add or remove a naming context in the forest.
Infrastructure master
The infrastructure operations master role runs tasks in the background. If this computer is not brought online for several days, and no major account changes are made in the forest, this computer can easily make the changes when you bring it back online.
For more information about how to initiate Active Directory replication, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about FSMO role holder Initial Synchronization, click the following article number to view the article in the Microsoft Knowledge Base: