RID set is in the wrong DC in ADSIEDIT


Kim Stutsman

Had to rebuild main DC, we will call that PDC, had another
DC that was replicating, we will call that BDC. Anyhow
once the PDC was back online, did a DCPROMO, it took all
the roles back or so it would appear, however keep getting
16650 error, "account-identifier allocator failed". I
have determined by using ADSIEDIT, that there is only one
entry for RID set and that is under the BDC, however when
you check through AD Users and Computers, it shows the
PDC is RID Master on both DC's. Have done lots of reading
including the MS KB articles and they recommend if the
entry is not under the correct DC, to DCPROMO or remove
from AD and the DCPROMO again and that should fix it. No
luck still under wrong DC and it will not let me move it
and I do not want to delete it. If I remove it from AD and
then rejoin it I am concerned I will have even more
problems. Any help would be great.
 

Herb Martin

Kim Stutsman said:
Had to rebuild main DC, we will call that PDC, had another
DC that was replicating, we will call that BDC.

Bad practice since these are not the proper terms and lead to
confusion with the real meaning of these terms used for other
(types) of devices.
Anyhow
once the PDC was back online, did a DCPROMO, it took all
the roles back or so it would appear,

That makes no sense since there is NO "DCPromo" of an existing
DC. If it came back online as a DC then it would still hold those
roles it held when it went offline.

Unless of course, you DCPromo'd it before taking it offline in
which case it would NOT be a DC when it came online.

Merely doing a DCPromo at that point would NOT take any roles.

There is a good chance (although it is unclear what you actually
did) that you have multiple DCs who think they own the master
roles and the ONLY CERTAIN cure for that is to again DCPromo
one (the latter) and cycle it to straighten out the confusion.
however keep getting
16650 error, "account-identifier allocator failed". I
have determined by using ADSIEDIT, that there is only one
entry for RID set and that is under the BDC, however when
you check through AD Users and Computers, it shows the
PDC is RID Master on both DC's.

Yes, this is as I guess above. You have two DCs now confused.

Pick one -- the most likely reliable and correct one -- move any
missing roles there and ensure it is a GC then DCPromo
(cycle) the other.
Have done lots of reading
including the MS KB articles and they recommend if the
entry is not under the correct DC, to DCPROMO or remove
from AD and the DCPROMO again and that should fix it.
Yes.

No
luck still under wrong DC and it will not let me move it
and I do not want to delete it. If I remove it from AD and
then rejoin it I am concerned I will have even more
problems.

No, it will have fewer. After DCPromo'ing it to Server, remove
any ghost DC account it leaves from AD using the NTDSUTIL
(or other tool).

Seize any missing roles on the WORKING DC.

Then you can safely DCPromo it back to DC and it will copy
a consistent AD database from the now consistent existing DC.
Any help would be great.

NEVER SEIZE roles under normal conditions -- even though
you may need to do that now to get out of the mess.
 

Kim Stutsman

Maybe I was not clear and for that I apologize. My DC
that held all of the roles, had to be rebuilt due to Hard
Drive failure. The DC was holding all of the roles, I did
nothing with the Roles, just reloaded, named the server
the same, ran DCPROMO to have the DC replicate AD
information. I did not say I did it right, I was just
trying to find some advice on how to fix it now. In
ADSIEDIT, the container under the DC that does not hold
the roles is the only place there is an entry for RID set,
I just need to find out how to get it moved or if I can
just delete it and DCPROMO (Remove from AD) my DC that
thinks it is holding the roles, and then DCPROMO again?
Again thanks for any help I can get, I am not dumb I just
do not know how to resolve this.
 

Herb Martin

Kim Stutsman said:
Maybe I was not clear and for that I apologize. My DC
that held all of the roles, had to be rebuilt due to Hard
Drive failure. The DC was holding all of the roles, I did
nothing with the Roles, just reloaded, named the server
the same, ran DCPROMO to have the DC replicate AD
information.

So likely DCPromo didn't really set the roles (not sure about
that) ON THE DC, but the AD says that it still holds them due
to the same name.
I did not say I did it right, I was just
trying to find some advice on how to fix it now. In
ADSIEDIT, the container under the DC that does not hold
the roles is the only place there is an entry for RID set,
I just need to find out how to get it moved or if I can
just delete it and DCPROMO (Remove from AD) my DC that
thinks it is holding the roles, and then DCPROMO again?

That's what I believe to be the best course. Pick one DC, transfer
all roles to it (and make it a GC). DCPromo the other (non-DC).

Make sure your DNS is correct.

Remove any ghost objects from the now-non-DC from AD
(NTDSUtil "metadata cleanup").

Re-DCPromo the non-DC back to DC.

Should be fine.


--
DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.
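The checks Kim was doing by hand in ADSIEDIT, followed by Herb's transfer / demote / metadata-cleanup / re-promote sequence, as an added PowerShell example. This is not code from the thread, from Herb, or from Microsoft. It assumes a domain example.local with two DCs, DC2 (the one that still owns the only RID Set, which is kept) and DC1 (the rebuilt DC that "thinks" it holds the roles, which is demoted and re-promoted), and that DC1's server object lives in the default site; those names are placeholders. The ActiveDirectory module used for the inspection post-dates the thread's era, but ntdsutil, netdom, repadmin and dcdiag are the tools that were available then.

```powershell
# Added example (not from the thread). Placeholders: domain example.local,
# $keep = DC with a working RID Set, $demote = rebuilt DC to be demoted and re-promoted.
# Run in an elevated PowerShell on the DC you keep, as a Domain/Enterprise Admin,
# with the ActiveDirectory module (RSAT-AD-PowerShell) installed.
Import-Module ActiveDirectory

$keep     = 'DC2'
$demote   = 'DC1'
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext

# ---- 1. Establish the facts ADSIEDIT shows -----------------------------------------
# fSMORoleOwner on CN=RID Manager$ is the directory's record of who the RID master is;
# it points at the holder's NTDS Settings object, not at the computer account.
$ridMgr = Get-ADObject "CN=RID Manager`$,CN=System,$domainDN" -Properties fSMORoleOwner
"Directory says RID master NTDS Settings = $($ridMgr.fSMORoleOwner)"

# Every DC's computer object should have a CN=RID Set child plus an rIDSetReferences
# link to it. A DC with neither has no pool to mint SIDs from and logs event 16650
# ("account-identifier allocator failed") until the RID master hands it one.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp   = Get-ADComputer $dc.Name -Properties rIDSetReferences
    $ridSet = Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel `
                           -Filter { objectClass -eq 'rIDSet' } -Properties rIDAllocationPool
    [pscustomobject]@{
        DC               = $dc.HostName
        IsGC             = $dc.IsGlobalCatalog
        RolesItClaims    = ($dc.OperationMasterRoles -join ',')
        # Ask each DC separately: two different answers here is the split brain
        # Herb describes (each DC believing it is the RID master).
        RidMasterPerDC   = (Get-ADDomain -Server $dc.HostName).RIDMaster
        HasRidSet        = [bool]$ridSet
        rIDSetReferences = $comp.rIDSetReferences
    }
}

# ---- 2. Put every role on the DC you keep, and make it a GC -------------------------
# -Force seizes when a clean transfer fails. Herb's caveat applies: seizing is only
# acceptable here because the other claimant is about to be demoted and rebuilt;
# never seize while the old holder is still going to run as a DC.
Move-ADDirectoryServerOperationMasterRole -Identity $keep -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /options $keep +IS_GC     # sets the IS_GC bit on the NTDS Settings options attribute
netdom query fsmo                   # all five roles should now list $keep

# ---- 3. Demote the confused DC, then purge what it leaves behind -------------------
# On $demote: run dcpromo (dcpromo /forceremoval if a normal demotion fails).
# Then, from $keep, remove the stale server object. This deletes its NTDS Settings
# (Windows Server 2003 SP1 and later also remove the computer account and FRS objects;
# KB 216498 covers doing that by hand on older builds). Nothing under $keep is touched,
# so the one healthy RID Set is left alone rather than deleted or "moved".
$serverDN = "CN=$demote,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configDN"   # site name assumed
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit
# Delete stale A and SRV records for $demote from the domain and _msdcs zones
# before re-promoting, so the new DC does not find its own ghost in DNS.

# ---- 4. Verify before anyone creates accounts again --------------------------------
# RidManager must pass on every DC. Two DCs allocating from stale or overlapping pools
# means duplicate SIDs, and SIDs are what every ACL in the forest trusts.
dcdiag /test:RidManager /v
# Finally run dcpromo on the rebuilt server again; as a fresh DC it requests a new
# RID pool from $keep and gets its own CN=RID Set under its computer object.
```

The inspection loop in step 1 is worth running twice: once before seizing, to confirm that the two DCs disagree, and once after step 4, to confirm that both DCs report the same RID master and that the re-promoted DC has received its own RID Set. Do not create users or groups in between; a DC without a valid pool fails with 16650, which is annoying but safe, whereas two DCs with conflicting pools hand out colliding SIDs, which is a security problem that is very hard to unwind.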
 

ptwilliams

Just in case you want to know how to follow Herb's excellent advice, here are
the instructions on how to clean up the AD of the old DC account:

-- http://support.microsoft.com/default.aspx?kbid=216498


And while I'm providing you with links, here's a little info. on the FSMO
roles that I wrote. It gives you an introduction to the roles and tells you
how to move them properly (it's too late for that in your case) via the GUI
and also provides links to the necessary MS KBs on seizing, and moving via
the command-line, etc.

-- http://www.msresource.net/kb/fsmoroles.html
-- http://www.msresource.net/kb/moveFSMOroles.html


Hope some of this info. is helpful...


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________

