Check for RID Master


Mark

Try to see if you have a RID Master Role which assigns the
RID Pool. If you don't, you will have to assign that role
to one of the DCs in your domain by using the NTDSUTIL
tool. No RID Pool means no RID Master. Also, if you don't
have a RID Master assigning the RID Pools then you will
not be able to create SIDs, which will prevent you from
creating security-enabled objects.
 

Dan Mellem

Mark said:
Try to see if you have a RID Master Role which assigns the
RID Pool. If you don't, you will have to assign that role
to one of the DCs in your domain by using the NTDSUTIL
tool. No RID Pool means no RID Master. Also, if you don't
have a RID Master assigning the RID Pools then you will
not be able to create SIDs, which will prevent you from
creating security-enabled objects.

If it shows up here:
netdom query fsmo
Schema owner            pusd-ad.pomonausd
Domain role owner       pusd-ad.pomonausd
PDC role                pusd-ad.pomonausd
RID pool manager        pusd-ad.pomonausd
Infrastructure owner    pusd-ad.pomonausd
The command completed successfully.


Doesn't that mean the role is assigned?

Thanks,
-Dan
 

ptwilliams

If that machine is up and running then you have a RID Master. This is going
to be a DNS issue - even though you've done some thorough tests!!! DCs get
512 RIDs when they become a DC, and request another 512 when this drops
below 100. If you've run out it's probably because your DC cannot find and
therefore contact the RID master.

Check DNS again. I'm afraid I only know what BIND is and have never used
it, so my help on that front is going to be limited ;-(


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


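An added example (mine, not code from Mark, Paul or Dan) covering both Mark's advice to check and, if necessary, seize the RID Master with NTDSUTIL, and Paul's point that a DC which has used up its RID block and cannot reach the RID master can no longer create security principals. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so a newer environment than the one in the thread) and runs as a domain admin; the DC name DC02 in the commented-out seize step is a placeholder.

```powershell
# Added example, not part of the original thread: show which DC holds the RID
# master role and how much of its current RID block each DC has left. Read-only
# except for the seize step at the end, which is left commented out.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain:     $($domain.DNSRoot)"
"RID master: $($domain.RIDMaster)"   # same answer as 'netdom query fsmo'

# The domain-wide pool lives on CN=RID Manager$,CN=System. rIDAvailablePool is
# one 64-bit number: low 32 bits = next RID the master will hand out in a block,
# high 32 bits = highest RID this domain may ever issue.
$ridMgrDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool
[int64]$avail = $ridMgr.rIDAvailablePool
"Next unallocated RID domain-wide: $($avail -band 0xFFFFFFFF)  (ceiling $($avail -shr 32))"

# Each DC keeps its own block on CN=RID Set under its computer object.
# rIDAllocationPool packs [first, last] of the current block the same way;
# rIDNextRID is the high-water mark of RIDs already issued from that block.
# A DC with no RID Set never got a block from the RID master at all.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSetDn = "CN=RID Set,$($dc.ComputerObjectDN)"
    try {
        $set = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDNextRID -ErrorAction Stop
    } catch {
        "{0,-20} NO RID SET - cannot create users, groups or computers" -f $dc.Name
        continue
    }
    [int64]$pool = $set.rIDAllocationPool
    $first = $pool -band 0xFFFFFFFF
    $last  = $pool -shr 32
    $left  = $last - [int64]$set.rIDNextRID          # roughly how many RIDs remain
    # 100 is the rule of thumb from the thread for 'time to ask for a new block'
    $state = if ($left -le 0) { "EXHAUSTED" } elseif ($left -lt 100) { "low" } else { "ok" }
    "{0,-20} block {1}-{2}  issued up to {3}  remaining ~{4}  {5}" -f `
        $dc.Name, $first, $last, $set.rIDNextRID, $left, $state
}

# Built-in check of the same thing, including whether this DC can reach the
# RID master over RPC:
#   dcdiag /test:ridmanager /v

# Moving the role. Transfer (no -Force) whenever the current holder is reachable.
# Seize only when it is gone for good, and never put the old holder back on the
# network afterwards: two RID masters hand out overlapping blocks and duplicate SIDs.
#   Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster -Force
# or with the tool Mark mentions (ntdsutil tries a transfer first, then seizes):
#   ntdsutil "roles" "connections" "connect to server DC02" "quit" "seize RID master" "quit" "quit"
```

Read the per-DC line next to the domain-wide one: a DC whose block is exhausted while the RID master still shows plenty of unallocated RIDs has a reachability problem, not a pool problem, which is the situation Paul describes.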
 

Dan Mellem

ptwilliams said:
If that machine is up and running then you have a RID Master. This is going
to be a DNS issue - even though you've done some thorough tests!!! DCs get
512 RIDs when they become a DC, and request another 512 when this drops
below 100. If you've run out it's probably because your DC cannot find and
therefore contact the RID master.

Check DNS again. I'm afraid I only know what BIND is and have never used
it, so my help on that front is going to be limited ;-(
Thanks. That's where I'm leaning but not familiar with the MS version of
DNS or how exactly the DCs find the RIDMaster.

-Dan
 

ptwilliams

All 'non-standard' lookups, i.e. any type of lookup that isn't a flat
hostname (or CNAME) to IP, are done through the SRV records. DCs, GCs, etc.
are located through the _ldap, _gc, etc. SRV zones.

I've not yet read exactly how the FSMO roles are located - I assume each DC
carries an attribute with that info on.

Are you experiencing any replication issues? Are your clients able to find
a DC (nltest /dsgetdc:yourDomain.com)? Are they able to ascertain their
correct site (nltest /dsgetsite)?


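An added example (mine, not Paul's or Dan's code) of the DNS and locator checks Paul is asking about. Two facts not stated in the thread that it relies on: only the PDC emulator has an SRV record of its own, and the other role holders, the RID master included, are recorded in the fSMORoleOwner attribute of the role's object (CN=RID Manager$ for the RID master), which points at the holder's NTDS Settings object; other DCs then have to resolve that server's dNSHostName in DNS to contact it. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later) and takes all names from the current domain.

```powershell
# Added example, not part of the original thread: verify that DCs, GCs and the
# RID master can be found through DNS, then run Paul's two nltest checks.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dns    = $domain.DNSRoot

# A single-label DNS domain name (no dot) breaks the locator by default: DCs do
# not register SRV records into such a zone unless the Dnscache\Parameters
# UpdateTopLevelDomainZones value is set on them.
if ($dns -notmatch '\.') { Write-Warning "'$dns' is a single-label domain name" }

# The locator SRV records. Everything except the PDC emulator is found via
# the generic DC records plus an LDAP lookup (see fSMORoleOwner below).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$dns",        # any DC in the domain
    "_kerberos._tcp.dc._msdcs.$dns",    # KDCs
    "_ldap._tcp.pdc._msdcs.$dns",       # PDC emulator, the only FSMO with an SRV record
    "_gc._tcp.$($forest.Name)"          # global catalogs live in the forest root zone
)
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }       # drop the additional A records
        $targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        "{0,-45} -> {1}" -f $name, $targets
    } catch {
        "{0,-45} -> MISSING ($($_.Exception.Message))" -f $name
    }
}

# RID master: fSMORoleOwner on CN=RID Manager$ is the DN of the holder's
# NTDS Settings object; its parent is the server object carrying dNSHostName.
$ridMgr   = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                         -Properties fSMORoleOwner
$serverDn = ($ridMgr.fSMORoleOwner -split ',', 2)[1]
$ridHost  = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
"RID master per fSMORoleOwner: $ridHost"
try {
    "  resolves to: " + ((Resolve-DnsName -Name $ridHost -Type A -ErrorAction Stop).IPAddress -join ', ')
} catch {
    "  DOES NOT RESOLVE - other DCs cannot request RID blocks from it"
}

# Client-side view of the same thing, exactly as Paul suggests:
nltest "/dsgetdc:$dns" /force
nltest /dsgetsite
```

If the SRV names resolve but the RID master's host name does not, the DCs know who the role holder is and still cannot reach it, which matches the symptom in this thread; if the SRV names themselves are missing, look at dynamic registration (and at the single-label warning) before anything else.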
 

Dan Mellem

ptwilliams said:
All 'non-standard' lookups, i.e. any type of lookup that isn't a flat
hostname (or CNAME) to IP, are done through the SRV records. DCs, GCs, etc.
are located through the _ldap, _gc, etc. SRV zones.

I've not yet read exactly how the FSMO roles are located - I assume each DC
carries an attribute with that info on.

Are you experiencing any replication issues? Are your clients able to find
a DC (nltest /dsgetdc:yourDomain.com)? Are they able to ascertain their
correct site (nltest /dsgetsite)?

No, no replication problems. In fact, when I moved all the FSMO roles
and the GC to a different DC we were again able to create accounts.
Someone suggested corrupt metadata or an old replicating DC that was
offline. We did have a computer that used to be a BDC (under NT4) that
had died in January so I deleted that from the directory as well.

Thanks,
-Dan
 

ptwilliams

I notice that you're involved in a discussion with Ace re. a single-label
domain name. I guess that explains a few things. I'll leave this thread be
then. ;-)


 
