Issue with Active Directory

Question
-
Can someone help with the below 2 errors? It's urgent.
Error 1
Error 11/30/2015 4:43:00 PM Directory-Services-SAM 16645 None
Log Name: System
Source: Microsoft-Windows-Directory-Services-SAM
Date: 11/30/2015 4:43:00 PM
Event ID: 16645
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DSISRV.dsi.co.in
Description:
The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" EventSourceName="SAM" />
<EventID Qualifiers="0">16645</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-11-30T11:13:00.000Z" />
<EventRecordID>94780</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>DSISRV.dsi.co.in</Computer>
<Security />
</System>
<EventData Name="SAMMSG_MAX_DC_RID">
<Binary>A80200C0</Binary>
</EventData>
</Event>
Error 2
The DHCP service failed to see a directory server for authorization.
System
- Provider [Name] Microsoft-Windows-DHCP-Server [Guid] {6D64F02C-A125-4DAC-9A01-F0555B41CA84} [EventSourceName] DhcpServer
- EventID 1059 [Qualifiers] 0
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated [SystemTime] 2015-11-30T10:53:30.000Z
EventRecordID 94748
Correlation
- Execution [ProcessID] 0 [ThreadID] 0
Channel System
Computer DSISRV.dsi.co.in
Security
- EventData
dsi.co.in
0x 203a
3A200000
Binary data:
In Words
0000: 0000203A
In Bytes
0000: 3A 20 00 00 : ..
Note: AD is hosted in a virtual server and is DNS integrated. We had one physical ADC, which has had a physical hardware failure for the past one year.
- Edited by Mageshwar Monday, November 30, 2015 1:07 PM
Monday, November 30, 2015 12:48 PM
All replies
-
Hi
Event ID 16645 seems to mean the RID master is unavailable. Also check the article about the event:
https://technet.microsoft.com/en-us/library/cc756581%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Check with "netdom query fsmo" and check the RID master: is the server available? Also run "dcdiag" for PDC health.
Event ID 1059 seems to be an AD availability issue. Check the article also:
https://technet.microsoft.com/en-us/library/cc774849(v=ws.10).aspx
You need to check the availability (network connectivity) of your PDC and other domain controllers. Also check the replication between your DCs with "repadmin /replsum".
This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur
Monday, November 30, 2015 1:05 PM -
Hi Burak,
Thanks for replying. Please find the link for the log files.
https://drive.google.com/folderview?id=0B3a3mRJacjCRejNHZGJpUzJlVFk&usp=sharing
Note: AD is hosted in a virtual server and is DNS integrated. We had one physical ADC, which has had a physical hardware failure for the past one year.
The strange thing here is that whenever I restart the server, it starts working.
- Edited by Mageshwar Monday, November 30, 2015 1:13 PM
Monday, November 30, 2015 1:10 PM -
Hi,
Event ID 16645 means the domain controller does not have enough RID pool. This means this local DC is not able to connect to the RID master. To check the RID master, run "netdom query FSMO" from a command prompt, and check if the mentioned DC is able to connect to the RID master DC.
And verify RID Master is replicating with other DCs. Check the below link
https://support.microsoft.com/en-us/kb/839879
Event ID: 1059: DHCP Server is not able to connect to AD. Check the below link for more info.
https://technet.microsoft.com/en-us/library/cc774849(v=ws.10).aspx
Also check the forum link below.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/babd49b5-da0d-4838-9fcd-2591efa17dc5/unable-to-authorize-dhcp-server-event-id-1046-1059?forum=winserverNIS
Thanks,
Arindam
Monday, November 30, 2015 1:21 PM -
Hi
Could you please run "netdom query fsmo" and "repadmin /replsum" and post the result? It seems your FSMO role holder is unavailable.
And did you do a metadata cleanup after demoting this problematic DC from the domain? There are records from this DC (I guess).
This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur
Monday, November 30, 2015 1:22 PM -
Netdom command output
C:\Windows\system32>netdom query fsmo
The specified domain either does not exist or could not be contacted.
The command failed to complete successfully.
Note: The same command lists all 5 FSMO roles successfully after I restart the server. After a few minutes the result is as above.
Repadmin Command output:
Replication Summary Start Time: 2015-11-30 18:59:43
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
DSIAVSVR >60 days 3 / 3 100 (1722) The RPC server is unavailable.
Destination DSA largest delta fails/total %% error
DSISRV >60 days 3 / 3 100 (1722) The RPC server is unavailable.
Experienced the following operational errors trying to retrieve replication information:
58 - DSIAVSVR.dsi.co.in
We haven't performed a metadata cleanup after the ADC problem. All the metadata is still available on the server.
Monday, November 30, 2015 1:33 PM -
Hi
You have to seize the FSMO roles to an available DC. Follow the steps in the articles to seize the FSMO roles:
https://support.microsoft.com/en-us/kb/255504
https://technet.microsoft.com/tr-tr/library/cc816779(v=ws.10).aspx
After that, you will do a metadata cleanup to completely remove this failed DC from the domain.
Check this for metadata cleanup:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur
Monday, November 30, 2015 1:38 PM -
But the ADC doesn't have any FSMO roles. All the FSMO roles are on DSISRV.DSI.CO.IN, which is the PDC.
Monday, November 30, 2015 1:43 PM -
58 - DSIAVSVR.dsi.co.in is your PDC, but this is unavailable (so if it is online, do not seize roles). So check the connectivity between the DCs on the firewall, etc. They need to access each other; check the necessary ports for AD DS in the article:
https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Your main issue is connectivity and you need to fix that. Check the network connectivity, disable firewall, AV software on the DC, etc.
Also, what is the DC OS version? It seems they didn't replicate for 60 days. Also, there is a tombstone lifetime period for the server OS; check this at the link:
http://blogs.msmvps.com/ulfbsimonweidner/2010/02/10/adjusting-the-tombstone-lifetime/
This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur
- Edited by Burak Uğur Monday, November 30, 2015 1:53 PM
Monday, November 30, 2015 1:50 PM -
These are the errors our server is generating.
- No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
- The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
- The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is “The requested FSMO operation failed. The current FSMO holder could not be contacted”
- The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.
The strange thing here is that whenever I restart the server, it starts working.
Please help
Monday, November 30, 2015 1:54 PM
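
The checks the replies above ask for (DNS lookup of the domain controllers, FSMO role holders, DC-to-DC connectivity, RID pool state and replication summary), gathered into one PowerShell script as an added example that is not part of any post in this thread. It assumes the ActiveDirectory module plus the `Resolve-DnsName` and `Test-NetConnection` cmdlets (Windows Server 2012 R2 or later), and the port list is an assumed minimal subset of the AD DS ports in the linked article.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# Windows Server 2012 R2+ cmdlets; run elevated on the DC that logs event 16645.
Import-Module ActiveDirectory

# 1. DNS first: the Group Policy error in the thread points at name resolution.
$dnsDomain = (Get-CimInstance Win32_ComputerSystem).Domain
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |      # one SRV record per registered DC
        Format-Table NameTarget, Port -AutoSize
} catch {
    Write-Warning "DC locator SRV lookup failed for ${dnsDomain}: $($_.Exception.Message)"
}

# 2. FSMO role holders (the same data "netdom query fsmo" prints).
try {
    $domain = Get-ADDomain -ErrorAction Stop
    $forest = Get-ADForest -ErrorAction Stop
} catch {
    # Same symptom as the failing netdom call: the directory cannot be contacted.
    Write-Warning "Directory not reachable: $($_.Exception.Message)"
    return
}
$roles = [ordered]@{
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles | Format-Table -AutoSize

# 3. TCP reachability of every distinct role holder.
$ports = 88, 135, 389, 445   # Kerberos, RPC endpoint mapper, LDAP, SMB (assumed subset)
$reach = foreach ($holder in ($roles.Values | Sort-Object -Unique)) {
    foreach ($port in $ports) {
        $t = Test-NetConnection -ComputerName $holder -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Holder = $holder; Port = $port; Reachable = [bool]$t.TcpTestSucceeded }
    }
}
$reach | Format-Table -AutoSize

# 4. RID pool allocation and replication state, using the tools named in the thread.
dcdiag /test:RidManager /v
repadmin /replsum
```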