Issue with Active Directory

  • Question

  • Can someone help with the below 2 errors? It's urgent.

    Error 1

    Error    11/30/2015 4:43:00 PM    Directory-Services-SAM    16645    None

    Log Name:      System
    Source:        Microsoft-Windows-Directory-Services-SAM
    Date:          11/30/2015 4:43:00 PM
    Event ID:      16645
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DSISRV.dsi.co.in
    Description:
    The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" EventSourceName="SAM" />
        <EventID Qualifiers="0">16645</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-11-30T11:13:00.000Z" />
        <EventRecordID>94780</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>DSISRV.dsi.co.in</Computer>
        <Security />
      </System>
      <EventData Name="SAMMSG_MAX_DC_RID">
        <Binary>A80200C0</Binary>
      </EventData>
    </Event>

    Error 2

    The DHCP service failed to see a directory server for authorization.




    System

    - Provider
    [ Name] Microsoft-Windows-DHCP-Server
    [ Guid] {6D64F02C-A125-4DAC-9A01-F0555B41CA84}
    [ EventSourceName] DhcpServer
    - EventID 1059
    [ Qualifiers] 0
    Version 0
    Level 2
    Task 0
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2015-11-30T10:53:30.000Z
    EventRecordID 94748
    Correlation
    - Execution
    [ ProcessID] 0
    [ ThreadID] 0
    Channel System
    Computer DSISRV.dsi.co.in
    Security
    - EventData
    dsi.co.in
    0x 203a
    3A200000

    Binary data:

    In Words

    0000: 0000203A

    In Bytes

    0000: 3A 20 00 00 : ..

    Note: AD is hosted in a virtual server and is DNS integrated. We had one physical ADC, which has had a physical hardware failure for the past one year.

    • Edited by Mageshwar Monday, November 30, 2015 1:07 PM
    Monday, November 30, 2015 12:48 PM
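
Added example, not part of the original thread: both events in the question carry a 4-byte binary payload (`A80200C0` for event 16645, `3A 20 00 00` for event 1059) that is a little-endian status code. The sketch below parses a trimmed, constructed copy of the posted event XML and decodes that payload; the symbolic names in `KNOWN` come from the Windows SDK headers (`ntstatus.h`, `winerror.h`) and are not on the page, and the NTSTATUS/Win32 split is a heuristic.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Only the two codes seen in this thread; names are from the Windows SDK headers.
KNOWN = {
    0xC00002A8: "STATUS_DS_NO_MORE_RIDS",   # event 16645 payload
    0x0000203A: "ERROR_DS_SERVER_DOWN",     # event 1059 payload (decimal 8250)
}
SEVERITY = ("success", "informational", "warning", "error")

# Constructed sample: trimmed copy of the event 16645 XML posted in the question.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="0">16645</EventID>
    <Computer>DSISRV.dsi.co.in</Computer>
  </System>
  <EventData Name="SAMMSG_MAX_DC_RID">
    <Binary>A80200C0</Binary>
  </EventData>
</Event>"""

def decode_dword(hex_bytes):
    """Decode the first 4 payload bytes as a little-endian DWORD."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("payload shorter than one DWORD")
    (value,) = struct.unpack_from("<I", raw)
    return value

def describe(value):
    """Name a status DWORD and split out its NTSTATUS-style fields."""
    if value >> 30:   # severity bits set: NTSTATUS layout
        kind, severity = "ntstatus", SEVERITY[value >> 30]
    else:             # plain number: treated as a Win32 error code (heuristic)
        kind, severity = "win32", None
    return {"hex": f"0x{value:08X}", "kind": kind, "severity": severity,
            "facility": (value >> 16) & 0x0FFF, "code": value & 0xFFFF,
            "name": KNOWN.get(value, "unknown")}

def decode_event(xml_text):
    """Return (event_id, decoded status) for an exported event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    binary = root.findtext("e:EventData/e:Binary", namespaces=NS)
    if binary is None:
        raise ValueError("event has no <Binary> payload")
    return event_id, describe(decode_dword(binary))

if __name__ == "__main__":
    print(decode_event(SAMPLE_XML))
    print(describe(decode_dword("3A 20 00 00")))
```

Both payloads decode to directory-service reachability codes, which matches the event descriptions: the domain controller cannot reach the RID master, and the DHCP service cannot reach a directory server.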

All replies

  • Hi

     Event ID 16645 seems to mean the RID master is unavailable. Also check the article about the event:

    https://technet.microsoft.com/en-us/library/cc756581%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

     Check with "netdom query fsmo" and check the RID master: is the server available? Also run "dcdiag" for PDC health.

     Event ID 1059 seems to be an AD availability issue. Check the article also:

    https://technet.microsoft.com/en-us/library/cc774849(v=ws.10).aspx

     You need to check the availability (network connectivity) of your PDC and other domain controllers. Also check the replication between your DCs with "repadmin /replsum".

     


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, November 30, 2015 1:05 PM
  • Hi Burak,

    Thanks for replying. Please find the link for the log files.

    https://drive.google.com/folderview?id=0B3a3mRJacjCRejNHZGJpUzJlVFk&usp=sharing

    Note: AD is hosted in a virtual server and is DNS integrated. We had one physical ADC, which has had a physical hardware failure for the past one year.

    The strange thing here is that whenever I restart the server, it starts working.


    • Edited by Mageshwar Monday, November 30, 2015 1:13 PM
    Monday, November 30, 2015 1:10 PM
  • Hi,

    Event ID 16645 means the domain controller does not have enough RID pool. This means this local DC is not able to connect to the RID master. To check the RID master, run "netdom query FSMO" from a command prompt, and check whether the mentioned DC is able to connect to the RID master DC.

    And verify RID Master is replicating with other DCs. Check the below link 

    https://support.microsoft.com/en-us/kb/839879

    Event ID: 1059: DHCP Server is not able to connect to AD. Check the below link for more info.

    https://technet.microsoft.com/en-us/library/cc774849(v=ws.10).aspx

    Also check the forum link below.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/babd49b5-da0d-4838-9fcd-2591efa17dc5/unable-to-authorize-dhcp-server-event-id-1046-1059?forum=winserverNIS 

    Thanks,

    Arindam

    Monday, November 30, 2015 1:21 PM
  • Hi

     Could you please run "netdom query fsmo" and "repadmin /replsum" and post the result? It seems your FSMO role holder is unavailable.

    And did you do a metadata cleanup after demoting this problematic DC from the domain? There are records from this DC (I guess).


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, November 30, 2015 1:22 PM
  • Netdom command output
    C:\Windows\system32>netdom query fsmo
    The specified domain either does not exist or could not be contacted.

    The command failed to complete successfully.

    Note: The same command lists all 5 FSMO roles successfully after I restart the server. After a few minutes, the result is as above.

    Repadmin Command output:

    Replication Summary Start Time: 2015-11-30 18:59:43

    Beginning data collection for replication summary, this may take awhile:

      .....

    Source DSA          largest delta    fails/total %%   error

     DSIAVSVR         >60 days            3 /   3  100  (1722) The RPC server is unavailable.





    Destination DSA     largest delta    fails/total %%   error

     DSISRV           >60 days            3 /   3  100  (1722) The RPC server is unavailable.





    Experienced the following operational errors trying to retrieve replication information:

              58 - DSIAVSVR.dsi.co.in

    We haven't performed a metadata cleanup after the ADC problem. All the metadata is still available on the server.

    Monday, November 30, 2015 1:33 PM
  • Hi

     You have to seize the FSMO roles to an available DC. Follow the steps in the articles for seizing FSMO roles:

    https://support.microsoft.com/en-us/kb/255504

    https://technet.microsoft.com/tr-tr/library/cc816779(v=ws.10).aspx

    After that, do a metadata cleanup to completely remove this failed DC from the domain.

    Check this for metadata cleanup:

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, November 30, 2015 1:38 PM
  • But the ADC doesn't have any FSMO roles. All the FSMO roles are on DSISRV.DSI.CO.IN, which is the PDC.

    Monday, November 30, 2015 1:43 PM
  • 58 - DSIAVSVR.dsi.co.in is your PDC, but this is unavailable (so if it is online, do not seize roles). So check the connectivity between the DCs on the firewall, etc. They need to access each other; check the necessary ports for AD DS in the article:

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    Your main issue is connectivity and you need to fix that. Check the network connectivity, disable the firewall and AV software on the DC, etc.

    Also, what is the DC OS version? It seems they didn't replicate for 60 days. Also, there is a tombstone lifetime period for the server OS; check this at the link:

    http://blogs.msmvps.com/ulfbsimonweidner/2010/02/10/adjusting-the-tombstone-lifetime/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    • Edited by Burak Uğur Monday, November 30, 2015 1:53 PM
    Monday, November 30, 2015 1:50 PM
  • These are the errors our server is generating.

    - No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

    - The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.

    - The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is “The requested FSMO operation failed. The current FSMO holder could not be contacted”

    - The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

    The strange thing here is that whenever I restart the server, it starts working.

    Please help

    Monday, November 30, 2015 1:54 PM