Unable to create user accounts until DC is restarted

    Question

  • We have experienced 3 times lately where we have been unable to create user objects in Active Directory.  The first two had the same errors.  I'm not sure if the third one is related or not.

    I have 4 DC's, two in each of two sites.  One of the Domain Controllers, DC1, has all the FSMO roles.  They are all Windows 2012 R2, but the Domain and Forest Functional Level is at Windows 2008 R2 until later this week.  We have a single domain forest.  We have about 650-700 actual users, so even with shared and special user ID's, we probably have less than 2000 user objects.  Not a large Active Directory structure.

    While I first noticed the problem when working in Exchange, this is an AD problem.  Almost 6 weeks ago, I suddenly was unable to create a user account when trying to create an Exchange mailbox.  The error in Exchange was "Exchange couldn't find any usable connections to the Active Directory server DC1.domain."

    In the System log on DC1, there were numerous Event ID 16642 error events from Directory-Services-SAM:
    “The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.”  After finding very little about troubleshooting this error, I restarted DC1.  Once DC1 came back up, I was able to create user objects again.

    Early last week, I experienced the same thing with the same errors.  I restarted DC1 again, and again I was able to create objects normally.

    I was off last Friday, but received an email from a colleague that we were again unable to create user objects.  They restarted DC1 and were able to create users again.

    I looked through the Event logs on DC1 and did NOT find the Event ID 16642 from Directory-Services-SAM.  I did not find anything in the Application or System log that looked like an explanation for this inability to create users on Friday morning. This time, I looked at the Directory Service log and saw error Event ID 1519 repeated many times: 
    "Internal Error: Active Directory Domain Services could not perform an operation because the database has run out of version storage." 

    I saw a Microsoft blog about version storage at "https://blogs.technet.microsoft.com/askds/2016/06/14/the-version-store-called-and-theyre-all-out-of-buckets/".  This blog discussed increasing the maximum size of the version store, but it related the need for this with information that would be found in error Event ID 623.  DC1's log does not contain Event 623.

    Unfortunately, the Directory Service log went back only a few days, so I could not look for what might have been in there during the time frame of the first two instances of being unable to create users.

    Can anyone offer me any help with what I need to do to prevent this situation from recurring?

    Thank you very much for your help with this.
    Monday, May 20, 2019 3:48 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Are all four DCs writable DCs? If so, can we create the same account on other DCs when we cannot create it on DC1?

    Do we create Exchange accounts and Exchange mailboxes on the Exchange server (not an AD domain controller)?


    Check whether DC1 works fine: run Dcdiag /v on DC1

    Check whether AD replication between all DCs is OK: run repadmin /showrepl and repadmin /showsummary on all DCs

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 21, 2019 4:08 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Thursday, May 23, 2019 2:35 AM
    Moderator
  • Thank you for your reply.  My apologies for the delay in responding.  I was waiting a bit to see if the problem recurred so that I could better answer your second question, but the problem has not recurred yet.

    All 4 DC's are writable.  Since we are not currently experiencing the problem, I cannot address whether a user could have been created on another DC.  However since we received errors related to the RID Master the first two times we saw the problem and since DC1 has all the FSMO roles, it may be safe to assume that we could not have created a user from another DC.

    Repadmin /showrepl and Repadmin /replsummary were clean.

    Most of the tests from DcDiag /V were passed.  The errors I did see were schannel from specific sources and transient errors.

    The errors I did see the first two times referred to a depleted identifier pool.  Is there something I need to check with the RID Master role? 

    Thank you again for your help.

    Thursday, May 23, 2019 5:52 PM
  • Hi,
    We can run the following commands to check available RID pool:

    Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"

    dcdiag /test:ridmanager /v



    We can check when we are experiencing the problem and when there is no such problem.

    For detailed steps we can refer to the following article:

    Event ID 16642 — RID Pool Request
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756707(v=ws.10)


    Other References:

    Managing RID Pool Depletion
    https://blogs.technet.microsoft.com/askds/2011/09/12/managing-rid-pool-depletion/


    RID Pool Request
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee406152(v=ws.10)



    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.


    Best Regards,
    Daisy Zhou



    Friday, May 24, 2019 8:41 AM
    Moderator
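
    The RidManager check suggested in the reply above, turned into numbers. This is an added example, not part of the original thread: it parses the verbose dcdiag output and separates domain-wide RID headroom from the pool held by the DC itself, which is the pool Event ID 16642 refers to. The function name, the sample output and the rule that identical current and previous pools mean no fresh block is staged are assumptions.

```powershell
# Constructed sample of `dcdiag /test:ridmanager /v` output (placeholder host and values).
$sample = @'
      Starting test: RidManager
         * Available RID Pool for the Domain is 4603 to 1073741823
         * DC1.example.test is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4103 to 4602
         * rIDPreviousAllocationPool is 4103 to 4602
         * rIDNextRID: 4602
'@ -split "`r?`n"

# Hypothetical helper: turns the RidManager lines into a status object.
function Get-RidPoolStatus {
    param([Parameter(Mandatory)][string[]]$DcdiagOutput)

    $v = @{}
    foreach ($line in $DcdiagOutput) {
        switch -Regex ($line) {
            '\* Available RID Pool for the Domain is (\d+) to (\d+)' {
                $v.DomainNext = [long]$Matches[1]; $v.DomainMax = [long]$Matches[2] }
            '\* rIDAllocationPool is (\d+) to (\d+)' {
                $v.AllocLow = [long]$Matches[1]; $v.AllocHigh = [long]$Matches[2] }
            '\* rIDPreviousAllocationPool is (\d+) to (\d+)' {
                $v.PrevLow = [long]$Matches[1]; $v.PrevHigh = [long]$Matches[2] }
            '\* rIDNextRID: (\d+)' { $v.NextRid = [long]$Matches[1] }
        }
    }
    if ($v.Count -ne 7) { throw 'RidManager output incomplete; run dcdiag with /v.' }

    # Assumption: identical current and previous pools mean no fresh block is staged.
    $fresh = ($v.AllocLow -ne $v.PrevLow) -or ($v.AllocHigh -ne $v.PrevHigh)
    # RIDs still unused in the block this DC is currently issuing from.
    $localLeft = [math]::Max(0, $v.PrevHigh - $v.NextRid)

    [pscustomobject]@{
        DomainRidsLeft  = $v.DomainMax - $v.DomainNext + 1   # forest-wide headroom
        LocalRidsLeft   = $localLeft
        FreshPoolStaged = $fresh
        LocalPoolAtRisk = ($localLeft -eq 0) -and (-not $fresh)
    }
}

Get-RidPoolStatus -DcdiagOutput $sample
# On a live DC: Get-RidPoolStatus -DcdiagOutput (dcdiag /test:ridmanager /v)
```

    Running it on a schedule and comparing results from a healthy period against a failing one separates a domain that is running out of RIDs from a single DC that cannot obtain its next block.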
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Monday, May 27, 2019 1:24 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
     
    Again thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Wednesday, May 29, 2019 6:15 AM
    Moderator
  • My apologies for the delayed response.  We actually engaged Microsoft Product Support on this.  It turned out to be a third-party monitoring tool that had been installed on the DC's.  I disabled its service on and then restarted all the DC's.  We will monitor to verify that that has corrected the issue.

    Thanks very much for your help with this.

    Tuesday, June 4, 2019 11:25 AM
  • Hi,
    You are welcome. Thank you for your update and sharing. I’m very glad that the problem has been solved.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!

     
    Best Regards,
    Daisy Zhou


    Wednesday, June 5, 2019 4:30 AM
    Moderator