Error message: "Windows cannot create the object because the Directory Service was unable to allocate a relative identifier" (822053)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

SYMPTOMS

When you try to create a new object in Active Directory, you may receive the following error message:
Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.
When this problem occurs, the following event may be logged in the NT Directory Service (NTDS) event log: Event 16650
MessageId=0x410A
SymbolicName=SAMMSG_RID_INIT_FAILURE
Language=English
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure. This error is logged in the NTDS event log each time Windows 2000 tries to initialize the Relative ID (RID) Master. The error is logged at 1-minute intervals for the first 3 tries, and then one time every 30 minutes until the RID Master initializes.

CAUSE

This problem may occur if the domain controller that held the operations master role (also known as flexible single master operations or FSMO) of RID Master was removed from the domain and restored from backup. If the role of RID Master was forced onto another domain controller as a temporary replacement, when the original RID Master is restored and returned to the domain, it does not replicate with its direct replication partner and does not reclaim the role of RID Master.

Windows 2000 Service Pack 3 and Windows Server 2003 introduced features designed to help avoid the adverse effects of duplicate operations master roles existing in the same forest or domain. Domain controllers perform an initial synchronization at startup on each naming context hosted on a particular domain controller. A domain controller that holds the Schema Master, Domain Naming Master, RID Master, PDC emulator, or the Infrastructure Master role does not assume ownership of the role until it synchronizes with at least one neighbor for each writeable naming context.

RESOLUTION

To resolve this problem, follow these steps:
  1. Move the computer that you want to restore to a separate network that is isolated from you production network.
  2. Restore this computer from backup. Do not restart the computer when the restoration is complete.
  3. On the temporary RID Master domain controller on the production network, open a command prompt, type repadmin /showvector, and then press ENTER.
  4. Shut down the temporary RID Master domain controller, and then move it to the separate network with the restored computer.
  5. Start both computers.
  6. Use the Sites and Services Manager Snap-in to initiate replication between the two computers. To do so, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Expand the Sites container in the left pane, and then expand the container that represents the name of the site containing the target server that you must synchronize with its replication partners.
    3. Expand the Servers container, and then expand the target server to display the NTDS Settings object (an object that represents the settings for the domain controller).
    4. Click the NTDS Settings object. The connection objects in the right pane represent the target server's direct replication partners.
    5. Right-click a connection object in the right pane, and then click Replicate Now.

      Windows 2000 initiates replication of any changes from the source server (the server represented by the connection object) to the target server for all the directory partitions that the target server is configured to replicate from the source server.
  7. Transfer all the operations master roles back to the original role-holder.
  8. Move both computers back to the production network.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about how to determine the RID Master role holder, click the following article number to view the article in the Microsoft Knowledge Base:

234790 How to find servers that hold Flexible Single Master Operations roles

For more information about what to do if the RID Master is down for a long time, click the following article number to view the article in the Microsoft Knowledge Base:

223787 Flexible Single Master Operation transfer and seizure process

For more information about restoring the RID Master after a seizure, click the following article number to view the article in the Microsoft Knowledge Base:

316201 "Domain controller has failed to obtain a new identifier pool" error event in Windows 2000 Server S316201 and earlier

For more information about how to perform an authoritative restore to a domain controller, click the following article number to view the article in the Microsoft Knowledge Base:

241594 How to perform an authoritative restore to a domain controller in Windows 2000

For more information about FSMO placement and optimization on Windows 2000 domains, click the following article number to view the article in the Microsoft Knowledge Base:

223346 FSMO placement and optimization on Active Directory domain controllers

Modification Type:MinorLast Reviewed:2/1/2006
Keywords:kbprb KB822053 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.