AD bogus reps showing up

Wednesday, March 08, 2006

 

shots



 

examples for repadmin /delete


Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003
Article ID : 839879
Last Review : December 3, 2004
Revision : 8.0
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows Registry
SYMPTOMS
When you try to add new users, groups, computers, mailboxes, domain controllers, or other objects to Active Directory on a Microsoft Windows Server 2003-based computer or a Windows 2000-based computer, you may receive the following error message:
Cannot create the object because directory service was unable to allocate a relative identifier.
When you restore a domain controller from a system state backup, the system log may contain the following error message:
Event Type: Error
Event Source: SAM Event
Category: None
Event ID: 16650
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.
You can also use the Dcdiag command with the verbose switch to look for additional errors. To do this, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. At the command prompt, type DCdiag /v, and then press Enter.
When you type Dcdiag /v, you may see error messages that are similar to the following:
Starting test: RidManager
* Available RID Pool for the Domain is 2355 to 1073741823
* dc01.contoso.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1355 to 1854
* rIDNextRID: 0 The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDPreviousAllocationPool is 0 to 0 No rids allocated -- please check eventlog.
......................... DC01 failed test RidManager

Warning: rid set reference is deleted.
ldap_search_sW of CN=RID SetDEL:cfe0828c-8842-4cb1-a642-6d9991d0516d,CN=Deleted Objects,DC=contoso,DC=com for rid info failed with 2: The system cannot find the file specified.
......................... DC01 failed test RidManager




Starting test: RidManager
* Available RID Pool for the Domain is 3104 to 1073741823
Warning: FSMO Role Owner is deleted.
* dc01.contoso.com is the RID Master
* DsBind with RID Master was successful
Warning: rid set reference is deleted.
ldap_search_sW of CN=RID SetDEL:5a128cf2-f365-47bc-a883-8ff9561ff545,CN=Deleted Objects,DC=contoso,DC=com for rid info failed with 2: The system cannot find the file specified.
......................... DC01 failed test RidManager


Starting test: KnowsOfRoleHolders
Role Rid Owner = CN="NTDS Settings DEL:fd615439-1ebb-4652-b16f-3f8517d25593",CN=dc01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com Warning: CN="NTDS Settings DEL:fd615439-1ebb-4652-b16f-3f8517d25593",CN=dc01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com is the Rid Owner, but is deleted.
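A small check that picks the RID-allocation failure signatures listed above out of `dcdiag /v` output, so the RidManager section can be evaluated mechanically on every domain controller instead of read by eye. This is an added example written for this page, not Microsoft code; the sample text is a trimmed copy of the RidManager output quoted above, and the finding tags are names chosen here.

```python
"""Scan the RidManager section of `dcdiag /v` output for the RID-allocation
failures this article describes. Added example, not Microsoft code."""
import re

# Constructed sample: the RidManager output quoted above, trimmed to one test run.
SAMPLE_DCDIAG = """\
Starting test: RidManager
* Available RID Pool for the Domain is 2355 to 1073741823
* dc01.contoso.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1355 to 1854
* rIDNextRID: 0 The DS has corrupt data: rIDPreviousAllocationPool value is not valid
* rIDPreviousAllocationPool is 0 to 0 No rids allocated -- please check eventlog.
......................... DC01 failed test RidManager
"""

POOL_RE = re.compile(r"\*\s*(rIDAllocationPool|rIDPreviousAllocationPool) is (\d+) to (\d+)")
NEXT_RID_RE = re.compile(r"\*\s*rIDNextRID:\s*(\d+)")
MASTER_RE = re.compile(r"\*\s*(\S+) is the RID Master")

# Phrases dcdiag prints for the failure modes named in the article, mapped to a short tag.
WARNING_MARKERS = {
    "rid set reference is deleted": "rid-set-reference-deleted",
    "FSMO Role Owner is deleted": "rid-master-deleted",
    "is the Rid Owner, but is deleted": "rid-master-deleted",
    "The DS has corrupt data": "corrupt-rid-data",
}


def parse_ridmanager(text):
    """Return pool ranges, rIDNextRID, the RID Master, pass/fail and a list of findings."""
    info = {"failed": False, "findings": []}

    def add(tag):
        if tag not in info["findings"]:
            info["findings"].append(tag)

    for line in text.splitlines():
        if m := POOL_RE.search(line):
            info[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        if m := NEXT_RID_RE.search(line):
            info["rIDNextRID"] = int(m.group(1))
        if m := MASTER_RE.search(line):
            info["rid_master"] = m.group(1)
        for marker, tag in WARNING_MARKERS.items():
            if marker in line:
                add(tag)
        if "failed test RidManager" in line:
            info["failed"] = True

    # A previous pool of 0 to 0 means this DC never received, or lost, its allocation.
    if info.get("rIDPreviousAllocationPool") == (0, 0):
        add("no-pool-allocated")
    return info


if __name__ == "__main__":
    result = parse_ridmanager(SAMPLE_DCDIAG)
    print("RidManager test", "FAILED" if result["failed"] else "passed")
    for tag in result["findings"]:
        print(" -", tag)
```

Feed it the saved output of `dcdiag /v` from each DC; a non-empty findings list is what should raise a ticket, because a DC with no RID pool silently refuses every account creation until the RID Master is healthy again.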
You may also receive other errors in the system event log that can help you to troubleshoot the problem:
Event ID: 16647
Event Source: SAM
Description: The domain controller is starting a request for a new account-identifier pool.


Event Type: Error
Event Source: SAM Event
Category: None
Event ID: 16645
Description: The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.

CAUSE
This problem occurs in one of the following scenarios:
• When the relative ID (RID) Master is restored from backup, it tries to synchronize with other domain controllers to verify that there are no other RID Masters online. However, the synchronization process fails if there are no domain controllers available to synchronize with, or if replication is not working. The synchronization requirement was implemented in the Windows 2000 hotfix that is described in the following Microsoft Knowledge Base article:

307725 (http://support.microsoft.com/kb/307725/) Backup and restore of RID Flexible Single-Master Operations domain controller causes duplicate SIDs
Note If the domain has always contained only one domain controller, the RID Master will not try to synchronize with other domain controllers. The domain controller has no knowledge of any other domain controllers.
• The RID pool has been exhausted, or objects in Active Directory that are related to RID allocation use incorrect values or are missing.


RESOLUTION
Delete the replication links for the naming contexts in Windows 2000
To bypass the initial synchronization requirements when the affected domain contains Windows Server 2003 domain controllers, transfer the RID operations role to a Windows Server 2003 domain controller and then seize the RID operations master role to the current role owner. Seizing the FSMO role back to itself on a Windows Server 2003 domain controller bypasses the initial synchronization requirements that are required to enable the RID operations master until the role holder is restarted.

Note Because of the additional checks that NTDSUTIL performs, you must perform the seizure in the Active Directory Users and Computers snap-in (Dsa.msc).

In Windows 2000, you can restore a second domain controller to complete initial synchronization. If you cannot restore a second domain controller, you must either perform a metadata cleanup on the non-existent domain controllers or delete the replication links to the Active Directory naming contexts. If you plan to restore the other domain controllers later, delete the replication links instead of performing a metadata cleanup.

Before you can delete the replication links to the Active Directory naming contexts, you must identify the objectGUID value by using the Repadmin command. To do this, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. At the command prompt, type repadmin /showreps. You will see output that is similar to the following:
CN=Schema,CN=Configuration,DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:10.03 was successful.

CN=Configuration,DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:14.43 was successful.

DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:14.01 was successful.
3. Type repadmin /delete to delete the replication links. Specify the naming context, the local domain controller, and the partner's objectGUID-based DNS name, as shown in the following examples:
repadmin /delete CN=Schema,CN=Configuration,DC=contoso,DC=com DC01 97c68f88-3864-4a12-9962-ca389937e237._msdcs.contoso.com /localonly
repadmin /delete CN=Configuration,DC=contoso,DC=com DC01 97c68f88-3864-4a12-9962-ca389937e237._msdcs.contoso.com /localonly
repadmin /delete DC=contoso,DC=com DC01 97c68f88-3864-4a12-9962-ca389937e237._msdcs.contoso.com /localonly

4. Restart the RID Master computer. The RID Master will initialize properly.
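The four steps above are mechanical once the objectGUID is known, so the following added example (written for this page, not a Microsoft tool) parses `repadmin /showreps` output and builds the exact `repadmin /delete ... /localonly` command lines from step 3, one per naming context. The sample text is the three lines from step 2; `local_dc` is the name of the DC you are running on (DC01 in the article), and the `_msdcs` zone name is derived from the DC= components of each naming context, which assumes a single-domain forest where the domain DNS name is also the forest root that hosts `_msdcs`. Passing `partner_guid` restricts the commands to links from one dead partner, which is the safe way to use it when the DC still has healthy partners.

```python
"""Turn `repadmin /showreps` output into the `repadmin /delete ... /localonly`
commands from step 3. Added example for this page, not a Microsoft tool."""
import re

# Constructed sample: the three lines from step 2, seen on DC01 whose partner DC02 is gone.
SAMPLE_SHOWREPS = r"""
CN=Schema,CN=Configuration,DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:10.03 was successful.

CN=Configuration,DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:14.43 was successful.

DC=contoso,DC=com Default-First-Site-Name\DC02 via RPC objectGuid: 97c68f88-3864-4a12-9962-ca389937e237 Last attempt @ 2004-02-26 09:14.01 was successful.
"""

# naming context, site\partner, objectGuid, timestamp, status text
LINK_RE = re.compile(
    r"^(?P<nc>(?:CN|DC)=\S+)\s+(?P<partner>\S+\\\S+) via RPC objectGuid: "
    r"(?P<guid>[0-9a-fA-F-]{36}) Last attempt @ (?P<when>\S+ \S+) (?P<status>.+)$"
)


def parse_showreps(text):
    """Return one dict per inbound replication link (naming context, partner, objectGUID, status)."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            link = m.groupdict()
            link["ok"] = link["status"].startswith("was successful")
            links.append(link)
    return links


def dns_domain_from_nc(nc):
    """DC=contoso,DC=com -> contoso.com; only the DC= components form the DNS name.

    Assumption: single-domain forest, so this is also the zone that holds _msdcs."""
    return ".".join(p[3:] for p in nc.split(",") if p.upper().startswith("DC="))


def delete_commands(text, local_dc, partner_guid=None):
    """Build one `repadmin /delete` per link, optionally only for one partner objectGUID."""
    cmds = []
    for link in parse_showreps(text):
        if partner_guid and link["guid"].lower() != partner_guid.lower():
            continue  # leave links to other, healthy partners alone
        target = f"{link['guid']}._msdcs.{dns_domain_from_nc(link['nc'])}"
        cmds.append(f"repadmin /delete {link['nc']} {local_dc} {target} /localonly")
    return cmds


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_SHOWREPS, "DC01",
                               partner_guid="97c68f88-3864-4a12-9962-ca389937e237"):
        print(cmd)
```

The script only prints the commands; review them against the `/showreps` output before running any of them on the RID Master, because `/localonly` removes the link from that DC's own view of the topology and nothing else will put it back.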


Verify that Active Directory objects that are related to RID allocation are valid
To verify that the Active Directory objects that are related to RID allocation are valid, follow these steps:
1. Verify that the Everyone group has the Access this computer from the network user right. The setting can be configured in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
2. Install the Windows 2000 Support Tools. These tools are available in the support folder on the Windows 2000 and the Windows Server 2003 CD-ROMs. When you have installed these tools, start ADSI Edit. To do this, follow these steps:
a. Click Start, click Run, type mmc in the Open box, and then click OK.
b. In Windows 2000, click Console, and then click Add/Remove Snap-in. In Windows Server 2003, click File, and then click Add/Remove Snap-in.
c. In the Add/Remove snap-in, click Add, click ADSIEdit, and then click Add.
d. Click Close, and then click OK.

3. In the MMC console, right-click ADSIEdit, and then click Connect to.
4. In Connections Settings, under Connection Point, click Select a well known naming context. In the drop-down list, click domain, and then click OK.
5. Expand domain, and then expand the Distinguished Name of the domain. For example, expand DC=contoso, DC=com.
6. Expand OU=Domain Controllers.
7. Right-click the domain controller that you want to check, and then click Properties.
8. Click the Select a property to view menu, and then click userAccountControl.
9. Verify that the value for userAccountControl is 532480. To change the userAccountControl value, click Edit on the domain controller property dialog box.
10. In the Integer Attribute Editor, type 532480 in the Value field, and then click OK.
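The value 532480 in steps 9 and 10 is a bitmask, not an arbitrary number: it is 0x82000, the SERVER_TRUST_ACCOUNT (0x2000) and TRUSTED_FOR_DELEGATION (0x80000) bits of userAccountControl. The added example below (not from the article) decodes a userAccountControl value read from ADSI Edit and reports which expected bits are missing or which unexpected ones are set, so a wrong value can be explained rather than just replaced. The flag table holds the standard userAccountControl bit values; the flag names are the usual ADS_UF_ names with the prefix dropped.

```python
"""Decode a userAccountControl value and check it against the 532480 the
article expects on a domain controller's computer account. Added example."""

# Bits of userAccountControl (ADS_USER_FLAG_ENUM values) that matter for this check.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
EXPECTED_DC_UAC = 532480  # 0x82000 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION


def decode_uac(value):
    """Return the flag names set in value; bits not in the table are reported as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def check_dc_uac(value):
    """Compare value with EXPECTED_DC_UAC; return (ok, missing_flags, extra_flags)."""
    missing = [name for bit, name in sorted(UAC_FLAGS.items())
               if (EXPECTED_DC_UAC & bit) and not (value & bit)]
    extra = decode_uac(value & ~EXPECTED_DC_UAC)
    return value == EXPECTED_DC_UAC, missing, extra


if __name__ == "__main__":
    for observed in (532480, 0x1000 | 0x80000, 0x2000 | 0x80000 | 0x0002):
        ok, missing, extra = check_dc_uac(observed)
        print(f"{observed} ({observed:#x}): {'OK' if ok else 'MISMATCH'}",
              f"missing={missing} extra={extra}")
```

A value with WORKSTATION_TRUST_ACCOUNT instead of SERVER_TRUST_ACCOUNT means the computer object is marked as a member server rather than a domain controller, which is a different problem from a RID pool that ran dry; an ACCOUNTDISABLE bit on a DC account is worth explaining before it is cleared.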


Verify that the RID Master is replicating with another domain controller
If a newly promoted domain controller generates Event 16650, the domain controller may have obtained replication information from another domain controller that is not the RID Master. During promotion, the computer account for the new domain controller is modified. If these changes have not replicated to the domain controller that holds the RID master role, the request will fail when the newly promoted domain controller tries to obtain a RID pool.

To verify that the RID Master is replicating with at least one of its direct partners, follow these steps:
1. Verify that the CN=RID Set object exists.

The CN=RID Set object is in the right pane of ADSI Edit when the domain controller is selected under OU=Domain Controllers in the left pane.

If no CN=RID Set object exists, you must demote that domain controller and then promote it again to create the object.
2. If the CN=RID Set object exists, make sure that the rIDSetReferences attribute on the domain controller's computer account object points to the Distinguished Name of the RID Set object, as shown in the following example:
CN=RID Set,CN=DC01,OU=Domain Controllers,DC=contoso,DC=local

If the rIDSetReferences attribute does not point to the Distinguished Name of the RID Set object, contact Microsoft Product Support Services for more information.


STATUS
This behavior is by design.

REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
305476 (http://support.microsoft.com/kb/305476/) Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders
822053 (http://support.microsoft.com/kb/822053/) Error message: "Windows cannot create the object because the Directory Service was unable to allocate a relative identifier"
248410 (http://support.microsoft.com/kb/248410/) Error message: The account-identifier allocator failed to initialize properly



APPLIES TO
• Microsoft Windows Server 2003, Web Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Server
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)


Keywords: kbprb KB839879




Tuesday, March 07, 2006

 

AD

From: Anthony - view profile
Date: Thurs, Aug 12 2004 4:39 am
Email: "Anthony"
Groups: microsoft.public.windows.server.active_directory


If someone is interested in my problem, I solved it!

I wrote a KCC report through replmon.exe and I saw that the site which was
trying to replicate still had the GUID of the dead DC in the Site Topology
Generator field.


I opened ADSI Edit: CN=Configuration, DC=tiauto, DC=com -->
CN=Sites --> CN=MySite
I clicked 'CN=NTDS Site Settings Properties' and I cleared the
'interSiteTopologyGenerator' attribute.


And now my repadmin result is correct.


Anthony


"Eric Fleischman [MSFT]" wrote in message
news:OeKNC6veEHA.592@TK2MSFTNGP11.phx.gbl...




> That's where repadmin gets them from. I promise. :)
> repadmin is only reading the connection objects for the DSA in question for
> this test.

> Ping me offline if you want me to live meeting in and show you what I'm
> talking about. Drop the 'online' from my address.


> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm


> "Anthony" wrote in message
> news:uSCCC%23seEHA.1036@TK2MSFTNGP10.phx.gbl...
> > I was pretty sure but... in fact the connections disappeared when I
> > unpromoted the DC.
> > No connection pointing to the deleted DSA...


> > When I try a dcdiag, all tests are passed.


> > Anthony


> > "Eric Fleischman [MSFT]" wrote in message
> > news:eQ63e$reEHA.372@TK2MSFTNGP12.phx.gbl...
> >> I don't mean to remove the server. I mean to remove the connection object
> >> that still points to the server. That is why you are seeing it there.
> >> So if you visit the server that is reporting the error, look at *that*
> >> server's NTDS settings object, note the connection objects under it. One of
> >> them is pointing to the deleted DSA.


> >> ~Eric


> >> --
> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> Use of included script samples are subject to the terms specified at
> >> http://www.microsoft.com/info/cpyright.htm


> >> "Anthony" wrote in message
> >> news:%23%23b%23P4reEHA.704@TK2MSFTNGP09.phx.gbl...
> >> > Thanks for support but :


> >> > 1) Don't understand what you mean... Don't want to ignore. I want to
> >> > understand and learn.
> >> > 2) As I already said, I already removed it from ADSites&Services.


> >> > Any other idea? ... it's really frustrating...


> >> > Anthony


> >> > "Eric Fleischman [MSFT]" wrote in message
> >> > news:eHiRRojeEHA.140@TK2MSFTNGP12.phx.gbl...
> >> >> You are seeing that by virtue of the fact that there is a connection object
> >> >> that is still sourcing from the deleted DSA (read: deleted DC).
> >> >> In this case you have two choices:
> >> >> 1) Ignore it, we will clean it up for you after a while.
> >> >> 2) Hunt down the connection object that is sourcing from the deleted DSA and
> >> >> whack it by hand. That would be done by opening sites and services,
> >> >> navigating to the ntds settings object under the DC where this error is
> >> >> popping up and identifying the appropriate connection object and deleting it
> >> >> right there.


> >> >> ~Eric


> >> >> --
> >> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >> Use of included script samples are subject to the terms specified at
> >> >> http://www.microsoft.com/info/cpyright.htm


> >> >> "Anthony" wrote in message
> >> >> news:exBD$sieEHA.3632@TK2MSFTNGP09.phx.gbl...
> >> >> > I really thank you for quick answer...


> >> >> > I already tried to do a metadata cleanup using ntdsutil but the object does
> >> >> > not exist anymore. The same when I check with ADSI Edit.
> >> >> > I just followed the second link and tried to do it once more with ldp, but I
> >> >> > receive the error "problem 2001 [NO_OBJECT]"


> >> >> > The DC is not in ADSites & Services anymore, nor in DNS...


> >> >> > What could I do more?


> >> >> > Anthony


> >> >> > "Jimmy Andersson [MVP]" wrote in message
> >> >> > news:%23XfmscieEHA.1692@tk2msftngp13.phx.gbl...
> >> >> >> You need to do a metadata cleanup and you also might need to use ADSI Edit
> >> >> >> or Ldp to delete the object if it still exists. Don't forget to clean up the
> >> >> >> DNS too.


> >> >> >> See these KB articles:
> >> >> >> Q216498 - How to remove data in the AD after an unsuccessful DC demotion:
> >> >> >> http://support.microsoft.com/support/kb/articles/Q216/4/98.ASP


> >> >> >> Deleting Objects from Active Directory Using Ldp.exe:
> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244344


> >> >> >> Domain Controller Server Object Not Removed After Demotion:
> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216364


> >> >> >> Error Deleting a Domain Controller Account in Active Directory Users and
> >> >> >> Computers:
> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247393


> >> >> >> Regards,
> >> >> >> /Jimmy
> >> >> >> --
> >> >> >> Jimmy Andersson, Q Advice AB
> >> >> >> Microsoft MVP - Directory Services
> >> >> >> ---------- www.qadvice.com ----------


> >> >> >> "Anthony" wrote in message
> >> >> >> news:OEQBYaieEHA.2532@TK2MSFTNGP09.phx.gbl...
> >> >> >> > Hi,


> >> >> >> > I unpromoted and removed one of our Domain Controllers. So I thought it
> >> >> >> > was properly removed.
> >> >> >> > However, when I check the repadmin /showrepl /verbose, I can see this
> >> >> >> > server, although deleted, is still considered as an inbound neighbor and
> >> >> >> > replication still tries to happen.


> >> >> >> > xxx\XXXDC01\0ADEL:7593931e-a698-4bb5-9dad-82ba9cc0e6c2 (deleted DSA) via RPC
> >> >> >> > DC object GUID: 6e582a6e-030c-4e30-99ad-e9331cfc8e0a
> >> >> >> > Address: 6e582a6e-030c-4e30-99ad-e9331cfc8e0a._msdcs.xxx.com
> >> >> >> > DC invocationID: 05155fc7-006d-4367-a650-c23577de7ac6
> >> >> >> > DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
> >> >> >> > USNs: 245019/OU, 245019/PU
> >> >> >> > Last attempt @ 2004-08-03 11:53:15 failed, result 8524 (0x214c):
> >> >> >> > The DSA operation is unable to proceed because of a DNS lookup failure.
> >> >> >> > 56 consecutive failure(s).
> >> >> >> > Last success @ 2004-07-27 11:53:26.


> >> >> >> > How is it possible to remove this and be sure that no DC tries to replicate
> >> >> >> > with this "ghost server"?


> >> >> >> > Thanks in advance.



