"The Account-Identifier Allocator Failed to Initialize Properly" error in Windows Server

This article also applies to Microsoft Windows 2000 Server.


You notice that an entry that resembles the following is recorded approximately every two minutes in the NTDS event log:

Event 16650

The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows Server may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.


This problem occurs because the RID Master FSMO is unavailable or fails to replicate. The domain controller cannot obtain and initialize the RID pool.

This problem may also occur if the "Access this computer from the network" user right is not granted to the appropriate groups, such as the "Enterprise Domain Controllers" or "Authenticated Users" groups.


To troubleshoot this problem, examine the NTDS event log for more details about the replication failure.

Determine the RID Master FSMO by following the steps in the following Knowledge Base article:

234790 How To Find Servers That Hold Flexible Single Master Operations Roles

Verify network connectivity by using the ping command. For more information about how to use the ping command, see the following Docs articles:

Chapter 16 — Troubleshooting TCP/IP


If the RID Master is down for an extended time, follow the steps in the following Knowledge Base article:

223787 Flexible Single Master Operation Transfer and Seizure Process

To add either the "Enterprise Domain Controllers" or "Authenticated Users" group to the "Access this computer from the network" user right, follow these steps in Domain Controller Security Policy:

  1. Open the policy. To do this, click Start > Programs > Administrative Tools > Domain Controller Security Policy.

  2. Expand Security Settings, expand Local Policies, and then select User Rights Assignment.

  3. Double-click Access this computer from the network, and then add either the Everyone or Authenticated Users group to this right.

If there are multiple Windows 2000 Server domain controllers, run the following command at a command prompt to refresh this change on those policies. 

secedit /refreshpolicy machine_policy /enforce

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.