This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello!
One of my two DCs has failed recently (named DC) and I transferred all roles to the other DC (DC2). There were no issues during the transfer:
Now when I try to create a new object in AD I get the following error:
Here's the result of RID Pool:
This result looks rather strange to me: it still leasts the old domain controller (DC) and shows the DC2's pool as from 2100 till 2599 - why in that case there's 2599 RIDs left (not 2599-2100=499)?
And how these figures correlate with the "overall" RID pool = 32600-1073741823?
Shouldn't the Next RID display some real number, not 0 ?
Thank you in advance,
Michael
Hi, Can you share dcdiag /v logs from the working DC?
Hi JimmySalian-2011,
I think this can be the cause of the problem:
I just can't understand this: "In the rare event that all replication partners are expected to be offline... you can force the role to be validated. This can be done ... to seize the role to the same server." - when my first server (DC) failed I had already seized all the roles. Why does DC2 keeps saying it can't validate the role? It is exactly that "rare event" which had already led to seizing the roles...???dcdiag.txt
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there, The Directory Service was Unable to Allocate a Relative Identifier issue occurs if the domain controller that handles the flexible single master operations of RID Master has been removed or deleted from the domain or restored from backup. This problem may occur if the domain controller that held the operations master role (also known as flexible single master operations or FSMO) of RID Master was removed from the domain and restored from backup. If the role of RID Master was forced onto another domain controller as a temporary replacement, when the original RID Master is restored and returned to the domain, it does not replicate with its direct replication partner and does not reclaim the role of RID Master. https://support.microsoft.com/en-us/topic/error-message-windows-cannot-create-the-object-because-the-directory-service-was-unable-to-allocate-a-relative-identifier-5632c8d6-0cce-60f4-630a-9fe28f72b3ad Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--
Hello all,
Limitless Technology, thank you for the link!
Nevertheless, I can't understand this: "when the original RID Master is restored and returned to the domain, it does not replicate with its direct replication partner and does not reclaim the role of RID Master." - it means that even when the old fsmo holder is back online it should NOT prevent the new FSMO holder from working, not speaking of the situation when the old one has failed completely - why in this case the new RID master (the server that has seized the roles) can't keep working as the new RID master? What if I can't - and do not want - to restore the old DC? Now it looks like seizing the role on DC2 leads to this new DC not capable of serving as -at least - RID master...
By the way, the only solution posted here requires restoring the old DC and replicating with it - but if the old DC can't be restored then the new FSMO holder would never work as expected???
Regards,
Michael
After seizing the roles once again in ntdsutil and deleting old dc from AD the issue is gone:
Thank you all for your replies!
Regards,
Michael