Not able to create user in AD and not able to join domain from client

sony

I have Server 2000 with SP4 on it. I have two domain controllers in my network. One is running simple Directory Services and the other is my mail server. On my mail server the dcdiag results are attached, and on the first domain controller the error messages are coming continuously. Here is the error message from the event log on the first (PDC). In operations masters.
Need help to resolve the problem: not able to join the domain with any client (Error: Windows cannot create the object because: the directory service was unable to allocate a relative identifier). Thanks in advance ....


The account-identifier allocator failed to initialize
properly. The record data contains the NT error code that
caused the failure. Windows 2000 will retry the
initialization until it succeeds; until that time, account
creation will be denied on this Domain Controller. Please
look for other SAM event logs that may indicate the exact
reason for the failure.

I am not able to join any computer to the domain and I am not able to create a user.


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIL
      Starting test: Connectivity
         ......................... MAIL passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIL
      Starting test: Replications
         ......................... MAIL passed test Replications
      Starting test: NCSecDesc
         ......................... MAIL passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIL passed test NetLogons
      Starting test: Advertising
         ......................... MAIL passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=TOOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp is the Schema Owner, but is deleted.
         Warning: CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=TOOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp is the PDC Owner, but is deleted.
         Warning: CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=TOOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp is the Rid Owner, but is deleted.
         Warning: CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=TOOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp is the Infrastructure Update Owner, but is deleted.
         ......................... MAIL failed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: FSMO Role Owner is deleted.
         ......................... MAIL passed test RidManager
      Starting test: MachineAccount
         ......................... MAIL passed test MachineAccount
      Starting test: Services
         ......................... MAIL passed test Services
      Starting test: ObjectsReplicated
         ......................... MAIL passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... MAIL passed test frssysvol
      Starting test: kccevent
         ......................... MAIL passed test kccevent
      Starting test: systemlog
         ......................... MAIL passed test systemlog

   Running enterprise tests on : tooknyc.corp
      Starting test: Intersite
         ......................... tooknyc.corp passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... tooknyc.corp failed test FsmoCheck
..
 
Guest

Thanks Umit for responding. I tried to transfer the FSMO roles to the other DC, but the problem is still there. It is very crucial. I have to join new clients to the domain but am not able to. If you can give some clue it will be great.

Sony
 
Guest

Hi Umit, I got a clue: the Domain Controller Security Policy is not accessible. It gives the error that either I do not have rights or no domain controller exists. Do you have a clue?

Thanks
 
Guest

Can you include the error code in the audit above?

Also, can you run the tool located at;

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

against your domain controller and send the output?

I think either your rid pool is corrupted or your domain controller doesn't have RID Master FSMO role for some reason.

As a temporary workaround to join machines, the following might work (see disclaimer below):
Unjoin a machine that's no longer needed and shut it down (or find a machine account that's no longer used).
Rename the machine you want to join to the domain to the name of the machine above.
Join the machine to the domain.
Rename the machine again to the name you want the machine to be called.

These steps will use an already existing account and hence should not need to create a new account.

I hope this helps

Umit AKKUS

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
 
Tim Hines [MSFT]

Here is a reply from earlier that you may have missed:

Make sure that you have transferred the RID master role to mail first. Once that is done you need to delete any old replication links to Took. The repadmin /delete command will do this. The rid pool on this DC cannot be initialized because it is trying to verify the rid pools on the DCs that it has replication links to.
Take a look at the following article for more details on how to resolve the 16650.

839879 Event ID 16650: The account-identifier allocator failed to initialize in
http://support.microsoft.com/?id=839879

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
sony

Here is the ntdsutil output, Umit

ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server took
Binding to took ...
Connected to took using credentials of locally logged on user
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "took" knows about 5 roles
Schema - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
Domain - CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
PDC - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
RID - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
Infrastructure - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
select operation target: Quit
fsmo maintenance: Quit
ntdsutil: Quit
Disconnecting from took ...

-----Original Message-----
Can you include the error code in the audit above?

Also, can you run the tool located at;

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

against your domain controller and send the output?

I think either your rid pool is corrupted or your domain
controller doesn't have RID Master FSMO role for some
reason.
As a temporary workaround to join machines, following
might work (see disclaimer below);
Unjoin a machine that's no longer needed and shut it
down (or find a machine account that's no longer used)
Rename the machine you want to join to the domain to the name of the machine above.
Join the machine to the domain
Rename the machine again to the name you want the machine to be called.

These steps will use already existing account hence
should not need to create a new account.
I hope this helps

Umit AKKUS

Disclaimer: This posting is provided "AS IS" with no
warranties, and confers no rights.
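
An added example, not part of any post in this thread: a small Python parser for ntdsutil "List roles for connected server" output like that posted above, which re-joins hard-wrapped lines and reports the FSMO roles still owned by a deleted NTDS Settings object (the DEL:<GUID> marker). The sample input is constructed from that post and abridged to three of the five roles; the function names are illustrative.

```python
import re

ROLE_RE = re.compile(r'^(Schema|Domain|PDC|RID|Infrastructure) - (.*)$')
PROMPT_RE = re.compile(r'^[a-z ]+: ')   # ntdsutil prompts, e.g. "fsmo maintenance: Quit"
DELETED_RE = re.compile(r'DEL:([0-9a-fA-F-]{36})')
SERVER_RE = re.compile(r',CN=([^,]+),CN=Servers,', re.I)

# Constructed sample: three role entries from the thread, with hard line wraps
# like those a console or mail client introduces.
SAMPLE = '''Server "took" knows about 5 roles
Schema - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-
1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
Domain - CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-
First-Site-Name,CN=Sites
,CN=Configuration,DC=tooknyc,DC=corp
RID - CN="NTDS Settings
DEL:3f99cbd8-594f-4ab8-8023-
1fd2e63375d1",CN=took,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=tooknyc,DC=corp
select operation target: Quit
'''

def parse_roles(text):
    """Map role -> owner DN, re-joining lines wrapped by the console or mail client."""
    roles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles[current] = m.group(2)
        elif not line or PROMPT_RE.match(line):
            current = None          # blank line or next prompt ends the entry
        elif current:
            roles[current] += line  # continuation of a wrapped DN
    return roles

def orphaned_roles(text):
    """Roles whose owner DN carries the DEL:<GUID> marker of a deleted object."""
    out = {}
    for role, dn in parse_roles(text).items():
        deleted = DELETED_RE.search(dn)
        if deleted:
            server = SERVER_RE.search(dn)
            out[role] = (server.group(1) if server else None, deleted.group(1))
    return out
```

Calling `orphaned_roles(SAMPLE)` returns the Schema and RID entries, each paired with the server name `took` and the GUID of the deleted object; the Domain role, owned by MAIL, is not reported.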
 