Event ID 16644

We had an NT4 SP6 BDC that we put into our R&D area and then promoted to a PDC. After it was promoted we upgraded the box to W2K3, and ran DCPROMO on it. It is the first and only DC in the environment. When we try to add another DC or any other secure accounts, we get the following error on the PC, "exhausted pool of relative identifiers". This creates an error in the event view on the DC with an event id of 16444. Searching the web I have found nothing on this event ID.

When I run dcdiag I get the following 2 errors:

    Starting test: RidManager
    The DS has corrupt data: rIDAvailablePool value is not valid
    ......................... AD40BDC failed test RidManager

AND

    Starting test: systemlog
    * The System Event log test
    An Error Event occured. EventID: 0x00004104
    Time Generated: 03/29/2005 01:38:41
    Event String: The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.

Any suggestions?

Thanks,
Jason Hogsten

Jason,

This is a problem with the RID Master. There are a finite number of RIDs that can be allocated from the RID pool without contacting the RID master. Once these have been exhausted, you get the error that you are reporting.

RID pools are allocated in increments of 500 and when 80% of these have been exhausted, the RID Master is queried to allocate a new one. In 2003 and 2000 SP4, this was reduced to 50% to allow for better handling of rapid allocation of RIDs in scripting and batch operations.

Verify that the RID Master is online and reachable. Also, make sure that you have AD integrated DNS and that the server is pointing only at itself for DNS resolution.

If neither of these works, you may have to use NTDSUTIL to seize the RID Master role. Once this is done and working correctly, you should be able to allocate a new pool.

The only other thing I can think of is the potential that you have created so many objects (a huge number) that you are out of RID space... but in that case, you would expect to see a 16645 error instead.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

Ryan,
Thanks for the info. We actually figured out what was wrong yesterday. Prepare yourself as even Microsoft said that they had only heard of this happening 1 time in the past.

Our network is a mixed environment of Novell 5.1 (IP only) and Windows NT currently. The process that we were hoping to take to upgrade to W2K3 was to build up a new BDC (and let it synchronize. Take it off the network), promote it to a PDC, then upgrade to W2K3. As I said in my first post, when we did this we got an error with Event ID 16644. (You can see more of this at the beginning of this post.) After talking with Microsoft and working on this issue for a few hours we were able to determine that when new objects are created in our NT4 environment, they have a SID ending with a number in the 3 billion range. This is a HUGE problem as, according to Microsoft, a 32-bit OS only has the ability to support secure objects ending somewhere around the 1.7 billion mark. Since this is the case, we are unable to perform the original migration route that we had planned. Microsoft suggested the following, and said that this is the only one they know of. The steps are this:

Create a new W2K3 domain

Migrate the secure accounts over to the new domain - making sure to migrate SID history

Rename the domain - we have heard that it may not be possible to rename the NetBIOS domain name.

We are unsure about this path yet as we have not done much research on it; we are currently hitting the books, so to speak, to get up to speed. If anyone has an alternative that they know of, or steps that we should avoid, please let us know. We will gladly help in any way possible. As I get more info, I will make sure to post as well, for future reference and for the help of the next poor soul in this scenario.

Thanks,

Jason Hogsten

Jason,
This should work for you. I am not sure, however, why they are suggesting a domain rename. This is a migration, and as such, you will be able to create the new domain however you see fit. From there you will do the ADMTv2 migration into the new domain, placing objects into the new, hierarchical AD structure.

This is best done slowly and carefully. Do it in stages and ask if you have any questions. Always use the test modes to do a dry run before doing the actual migration processes -- it'll save you.

Let me know if you have questions. I have done a dozen or so larger migrations with ADMT. Also, look at the white paper put out by intrinsic (intrinsic.net) and the ADMT help. Both of these are the best resources out there for ADMT.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL
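The check below is an added example, not part of the original thread: it decodes a 64-bit rIDAvailablePool value into its two 32-bit halves (low half: next RID to hand out, high half: the domain's RID ceiling) and tests whether the highest RID already present in the account database still fits under that ceiling, which is the condition the thread ran into. The function names, the default ceiling of 2^30 - 1, the usability rule and all sample values are assumptions made for this illustration.

```python
# Added illustration; the sample SID and pool values are constructed.
RID_BLOCK = 500                 # pool increment quoted in the thread
DEFAULT_CEILING = 2**30 - 1     # assumption: default ceiling, 1,073,741,823

def decode_rid_available_pool(value):
    """Split the 64-bit attribute into (next_rid, ceiling)."""
    return value & 0xFFFFFFFF, (value >> 32) & 0xFFFFFFFF

def encode_rid_available_pool(next_rid, ceiling=DEFAULT_CEILING):
    """Build the 64-bit value from its halves (used for the sample data)."""
    return (ceiling << 32) | next_rid

def rid_of(sid):
    """Return the RID (last sub-authority) of a SID string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a domain SID: %r" % sid)
    rid = int(parts[-1])
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("sub-authority out of 32-bit range: %d" % rid)
    return rid

def assess_pool(value, highest_sid=None, block=RID_BLOCK):
    """Report whether new RID pools can still be carved from this domain.

    highest_sid is the SID with the largest RID already issued, for
    example by the NT4 SAM before the upgrade.
    """
    next_rid, ceiling = decode_rid_available_pool(value)
    highest = rid_of(highest_sid) if highest_sid else 0
    # New pools must start above both the counter and any RID already in use.
    start = max(next_rid, highest + 1)
    remaining = max(0, ceiling - start)
    return {
        "next_rid": next_rid,
        "ceiling": ceiling,
        # This example's own rule, not dcdiag's: counter and existing RIDs
        # must both sit below the ceiling.
        "usable": 0 < next_rid < ceiling and highest < ceiling,
        "blocks_left": remaining // block,
    }

if __name__ == "__main__":
    healthy = encode_rid_available_pool(1600)
    # Constructed SID whose RID is in the 3 billion range, as in the thread.
    nt4_sid = "S-1-5-21-1111111111-2222222222-3333333333-3000000100"
    print(assess_pool(healthy))
    print(assess_pool(healthy, highest_sid=nt4_sid))
```
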