Event ID 16644

Jason Hogsten

We had a NT4 SP6 BDC that we put into our R&D area and then promoted to a
PDC. After it was promoted we upgraded the box to W2K3, and ran DCPROMO on
it. It is the first and only DC in the environment. When we try to add
another DC or any other secure accounts, we get the following error on the
PC, "exhausted pool of relative identifiers". This creates an error in the
event view on the DC with an event id of 16444. Searching the web I have
found nothing on this event ID.

When I run dcdiag I get the following 2 errors:

Starting test: RidManager
The DS has corrupt data: rIDAvailablePool value is not valid
......................... AD40BDC failed test RidManager

AND

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00004104
Time Generated: 03/29/2005 01:38:41
Event String: The maximum domain account identifier value has
been reached. No further account-identifier pools
can be allocated to domain controllers in this
domain.


Any suggestions?

Thanks,
Jason Hogsten
 
Ryan Hanisco

Jason,

This is a problem with the RID Master. There are a finite number of RIDs
that can be allocated from the RID pool without contacting the RID master.
Once these have been exhausted, you get the error that you are reporting.

RID pools are allocated in increments of 500 and when 80% of these have been
exhausted, the RID Master is queried to allocate a new one. In 2003 and
2000SP4, this was reduced to 50% to allow for better handling of rapid
allocation of RIDs in scripting and batch operations.

Verify that the RID Master is online and reachable. Also, make sure that
you have AD integrated DNS and that the server is pointing only at itself
for DNS resolution.

If neither of these works, you may have to use NTDSUTIL to seize the RID
Master role. Once this is done and working correctly, you should be able to
allocate a new pool.

The only other thing I can think of is the potential that you have created
so many objects (a huge number) that you are out of RID space... but in
that case, you would expect to see a 16645 error instead.
 
Jason Hogsten

Ryan,

Thanks for the info. We actually figured out what was wrong yesterday.
Prepare yourself as even Microsoft said that they had only heard of this
happening 1 time in the past.

Our network is a mixed environment of Novell 5.1 (IP only) and Windows NT
currently. The process that we were hoping to take to upgrade to W2K3 was to
build up a new BDC (and let it synchronize. Take it off the network),
promote it to a PDC, then upgrade to W2K3. As I said in my first post, when
we did this we got an error with Event ID 16644. (You can see more of this
at the beginning of this post.) After talking with Microsoft and working on
this issue for a few hours we were able to determine that when new objects
are created in our NT4 environment, they have a SID ending with a number in
the 3 billion range. This is a HUGE problem as, according to Microsoft, a
32-bit OS only has the ability to support secure objects ending somewhere
around the 1.7 billion mark. Since this is the case, we are unable to
perform the original migration route that we had planned. Microsoft
suggested the following, and said that this is the only one they know of.
The steps are this:

Create a new W2K3 domain

Migrate the secure accounts over to the new domain - making sure to migrate
SID history

Rename the domain - we have heard that it may not be possible to rename the
NetBIOS domain name.

We are unsure about this path yet as we have not done much research on it,
we are currently hitting the books, so to speak, to get up to speed. If
anyone has an alternative that they know of, or steps that we should avoid
please let us know. We will gladly help in any way possible. As I get more
info, I will make sure to post as well, for future reference and for the
help of the next poor soul in this scenario.

Thanks,

Jason Hogsten
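
The check discussed in the posts above, as an added example that is not part of the original thread: it splits a domain's 64-bit rIDAvailablePool value into its low half (start of the next RID block) and high half (upper bound), then flags account SIDs whose RID lies above that bound. The SIDs and pool values are constructed samples, and the consistency rule (next RID must not exceed the bound) is this example's assumption, not dcdiag's documented logic.

```python
POOL_SIZE = 500  # RID block size per allocation, as stated in the reply above


def split_rid_available_pool(value):
    """Split the 64-bit rIDAvailablePool integer into (next_rid, ceiling).

    Low 32 bits: start of the next block to hand out; high 32 bits: upper bound.
    """
    if not 0 <= value < 1 << 64:
        raise ValueError("rIDAvailablePool must fit in 64 bits")
    return value & 0xFFFFFFFF, value >> 32


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a string SID like S-1-5-21-a-b-c-RID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a string SID: %r" % sid)
    rid = int(parts[-1])
    if rid >= 1 << 32:
        raise ValueError("sub-authority does not fit in 32 bits: %r" % sid)
    return rid


def audit(pool_value, sids):
    """Report pool state and any SIDs whose RID is above the pool's upper bound."""
    next_rid, ceiling = split_rid_available_pool(pool_value)
    return {
        "next_rid": next_rid,
        "ceiling": ceiling,
        "pool_consistent": next_rid <= ceiling,  # assumed rule, see lead-in
        "blocks_left": max(0, (ceiling - next_rid) // POOL_SIZE),
        "over_ceiling": [s for s in sids if rid_from_sid(s) > ceiling],
    }


# Constructed sample data: a made-up domain SID, one ordinary RID and one
# RID in the 3 billion range like the accounts described in the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = [DOMAIN + "-1105", DOMAIN + "-3000001234"]
HEALTHY_POOL = (0x3FFFFFFF << 32) | 1600        # next block starts at RID 1600
BROKEN_POOL = (0x3FFFFFFF << 32) | 3000001500   # next block already past the bound

if __name__ == "__main__":
    for name, pool in (("healthy", HEALTHY_POOL), ("broken", BROKEN_POOL)):
        print(name, audit(pool, SAMPLE_SIDS))
```

Run against SIDs exported from the source domain before a migration, the over_ceiling list shows which accounts carry RIDs the target pool cannot cover.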
 
Ryan Hanisco

Jason,

This should work for you. I am not sure, however, why they are suggesting a
domain rename. This is a migration, and as such, you will be able to create
the new domain however you see fit. From there you will do the ADMTv2
migration into the new domain placing objects into the new, hierarchical AD
structure.

This is best done slowly and carefully. Do it in stages and ask if you have
any questions. Always use the test modes to do a dry run before doing the
actual migration processes -- it'll save you.

Let me know if you have questions. I have done a dozen or so larger
migrations with ADMT. Also, look at the white paper put out by intrinsic
(intrinsic.net) and the ADMT help. Both of these are the best resources out
there for ADMT.
 
