Error 16645 BIG problem

Guest

Hi, in my company server, there is an error and I can't view the Active
Directory, and I can't up new users or groups. The error is....
The maximum account identifier allocated to this domain controller has been
assigned. The domain controller has failed to obtain a new identifier pool. A
possible reason for this is that the domain controller has been unable to
contact the master domain controller. Account creation on this controller
will fail until a new pool has been allocated. There may be network or
connectivity problems in the domain, or the master domain controller may be
offline or missing from the domain. Verify that the master domain controller
is running and connected to the domain.
 
Ace Fekay [MVP]

Marco Venegas said:
Hi, in my company server, there is an error and I can't view the Active
Directory, and I can't up new users or groups. The error is....
The maximum account identifier allocated to this domain controller
has been assigned. The domain controller has failed to obtain a new
identifier pool. A possible reason for this is that the domain
controller has been unable to contact the master domain controller.
Account creation on this controller will fail until a new pool has
been allocated. There may be network or connectivity problems in the
domain, or the master domain controller may be offline or missing
from the domain. Verify that the master domain controller is running
and connected to the domain.

That's saying it ran out of RIDs. It can be a number of issues causing this,
from DNS misconfiguration, disjointed namespace, single label AD DNS domain
name, firewall rules blocking domain traffic between Sites from the RID
Master to a DC needing to replenish the RID pool, etc, etc.

To further help, we'll need more specific info, such as:

Can you post an unedited ipconfig /all of your DC(s), please?
How many DCs do you have?
Are they all in one Site?
Which one is the RID Master?
Can you also run:
dcdiag /v and post the results too?

Thanks

Some references:
http://support.microsoft.com/?id=839879
http://www.eventid.net/display.asp?eventid=16645&eventno=1675&source=SAM&phase=1


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Guest

First, thanks for your help, I have this problem 2 weeks last,
and I can't show the "Domain Control security policy" but the "local
security policy" yes, the message is "You may cant appropriate right"
and the answers are:
1-yes in all my DC server I can make ping, and IPconfig is OK in all DCs
2-I have 2 DCs servers, I make the DCPROMO (in the backup server) for remove
the Active Directory 4 week last, but the server show the error and I reboot
the server but the active directory not show, but I copy icon (direct access
icon) active directory the Master server DC and copy this icon in the
backupserver DC, and make double click and run the active directory in
backupserver but don't synchronizes the DCs servers, I make a proves and
disconnect the backupserver DC because I think and say me... may be the
problem is the error in backupserver DC, but not the Active Directory in
Master server is equally.
3-and all (2 DCs) servers is in one site
4-Only one is the RID Master
5- Yes I can run DCdiag /v and show me this....
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine smprod01, is a DC.
* Connecting to directory service on server smprod01.
* Collecting site info.
* Identifying all servers.
* Found 5 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SMPROD01
Starting test: Connectivity
* Active Directory LDAP Services Check
Although the Guid DNS name
(499947cf-33ec-4d0a-985e-fb91e089e675._msdcs.ids.com.mx) resolved to
the IP address (63.147.61.208), which could not be pinged, the server
name (smprod01.ids.com.mx) resolved to the IP address
(192.168.123.201) and could be pinged. Check that the IP address is
registered correctly with the DNS server.
......................... SMPROD01 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SMPROD01
Skipping all tests, because server SMPROD01 is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels

Running enterprise tests on : ids.com.mx
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... ids.com.mx passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\smprod03.ids.com.mx
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\smprod01.ids.com.mx
Locator Flags: 0xe00001e5
KDC Name: \\smprod03.ids.com.mx
Locator Flags: 0xe00001f8
......................... ids.com.mx failed test FsmoCheck

C:\WINNT\MPSReports\DirSvc\Bin>

Thanks for your help, I can your soon answers, thanks

atte. Marco Venegas
 
Ace Fekay [MVP]

Marco Venegas said:
First, thanks for your help, I have this problem 2 weeks last,
and I can't show the "Domain Control security policy" but the "local
security policy" yes, the message is "You may cant appropriate right"
and the answers are:
1-yes in all my DC server I can make ping, and IPconfig is OK in all
DCs
2-I have 2 DCs servers, I make the DCPROMO (in the backup server)
for remove the Active Directory 4 week last, but the server show the
error and I reboot the server but the active directory not show, but
I copy icon (direct access icon) active directory the Master server
DC and copy this icon in the backupserver DC, and make double click
and run the active directory in backupserver but don't synchronizes
the DCs servers, I make a proves and disconnect the backupserver DC
because I think and say me... may be the problem is the error in
backupserver DC, but not the Active Directory in Master server is
equally.
3-and all (2 DCs) servers is in one site
4-Only one is the RID Master
5- Yes I can run DCdiag /v and show me this....


Marco,
Thanks for posting the dcdiag.

According to this section of the dcdiag:
=================
Domain Controller Diagnosis
* Active Directory LDAP Services Check
Although the Guid DNS name
(499947cf-33ec-4d0a-985e-fb91e089e675._msdcs.ids.com.mx) resolved to
the IP address (63.147.61.208), which could not be pinged, the server
name (smprod01.ids.com.mx) resolved to the IP address
(192.168.123.201) and could be pinged. Check that the IP address is
registered correctly with the DNS server.
......................... SMPROD01 failed test Connectivity
=================

It looks like the DC has two network cards. Is this true? That can be the
cause of the whole problem. Using the wrong DNS addresses in IP properties
can also be the cause. I'll need more information please. I was looking for
the ipconfig /all, but couldn't find it in your post. That will be very
helpful.

Can you post an ipconfig /all from both DCs please?

Thanks

Ace
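
The check Ace reads off the dcdiag output above (the DC's GUID `_msdcs` name and its host name resolving to different addresses) can be automated over saved `dcdiag /v` text. This is an added example, not part of the original thread; the function name `analyze_dcdiag` and the result field names are assumptions, and the sample is the excerpt posted in this thread.

```python
import ipaddress
import re

# Excerpt of the dcdiag /v output posted in this thread, wrapped as posted.
SAMPLE = """\
Starting test: Connectivity
Although the Guid DNS name
(499947cf-33ec-4d0a-985e-fb91e089e675._msdcs.ids.com.mx) resolved to
the IP address (63.147.61.208), which could not be pinged, the server
name (smprod01.ids.com.mx) resolved to the IP address
(192.168.123.201) and could be pinged. Check that the IP address is
registered correctly with the DNS server.
......................... SMPROD01 failed test Connectivity
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
"""

MISMATCH = re.compile(
    r"Guid DNS name \((?P<guid_name>[^)]+)\) resolved to the IP address "
    r"\((?P<guid_ip>[^)]+)\).*?server name \((?P<host>[^)]+)\) resolved to "
    r"the IP address \((?P<host_ip>[^)]+)\)"
)
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")

def analyze_dcdiag(text):
    """Return DNS-registration findings from saved dcdiag /v text."""
    flat = " ".join(text.split())  # undo line wrapping so patterns can span lines
    findings = {"mismatches": [], "locator_failures": LOCATOR.findall(flat)}
    for m in MISMATCH.finditer(flat):
        guid_ip = ipaddress.ip_address(m["guid_ip"])
        host_ip = ipaddress.ip_address(m["host_ip"])
        if guid_ip != host_ip:
            findings["mismatches"].append({
                "guid_name": m["guid_name"], "guid_ip": str(guid_ip),
                "host": m["host"], "host_ip": str(host_ip),
                # Private host address but public GUID record: the record was
                # likely registered from another interface (e.g. a second NIC).
                "guid_record_external": host_ip.is_private and not guid_ip.is_private,
            })
    return findings

if __name__ == "__main__":
    print(analyze_dcdiag(SAMPLE))
```
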
 
Guest

Thanks Ace Fekay, in your last message you tell me about the IPs and I change
the IP the DNS in the networkcard and all OK!! really thank you save my life!
only one comment for all user, when I change the IP networkcard my exchange
(install in same server) not send mail, so I change the DNS delivery in
exchange server for the IP old in the networkcard and the mails send
immediately.
Thanks for your help Ace Fekay!
 
Ace Fekay [MVP]

In Marco Venegas <[email protected]> made a post then I
commented below
:: Thanks Ace Fekay, in your last message you tell me about the IPs and
:: I change the IP the DNS in the networkcard and all OK!! really
:: thank you save my life! only one comment for all user, when I change
:: the IP networkcard my exchange (install in same server) not send
:: mail, so I change the DNS delivery in exchange server for the IP
:: old in the networkcard and the mails send immediately.
:: Thanks for your help Ace Fekay!
::

You are welcome Marco. If you have any other concerns, please post back.

:)

Ace
 
