Sunday, November 18, 2012

Coping with the "the directory service was unable to allocate a relative identifier" Error in Windows

The error was:

 the directory service was unable to allocate a relative identifier


I had a client with this problem recently. He was trying to add an XP machine to his Windows Server 2003 based Active Directory domain.

Since he was unable to get a relative identifier from the RID master on the domain, his computer account could not be created. Every security principal (user, group or computer) needs a RID, and each domain controller assigns them from a pool it obtains from the RID master; once a DC's pool is exhausted and it cannot reach the RID master (here because replication had stopped), it cannot create any new security principal. I tested and verified that no objects could be created, including new user accounts.

The corresponding technet article is:

KB 822053

There were several AD related errors in the event logs on the domain controllers, including event ID 2042:

It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

The corresponding technet article is:

Event ID 2042

Looking at the domain controllers, it appeared that one of them (call it domain controller B) was able to replicate to the other (domain controller A), but not vice versa. The client said that they had discovered a firewall running on one of the domain controllers (DC B) and had turned it off. But replication had not worked from A to B (A was the RID master) in over a year.

I checked replication with repadmin and did not find any lingering objects. After several false starts, I used the procedure at the bottom of the technet article (after backing up the system state on both domain controllers, just to be safe):


To restart replication following event ID 2042

  1. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the details pane, create or edit the registry entry as follows:
    If the registry entry exists in the details pane, modify the entry as follows:
    1. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
    2. In the Value data box, type 1, and then click OK.
    If the registry entry does not exist, create the entry as follows:
    1. Right-click Parameters, click New, and then click DWORD Value.
    2. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
    3. Double-click the entry. In the Value data box, type 1, and then click OK.

Reset the Registry to Protect Against Outdated Replication

When you are satisfied that lingering objects have been removed and replication has occurred successfully from the source domain controller, edit the registry to return the value in Allow Replication With Divergent and Corrupt Partner to 0.


After restarting the ntfrs service on both domain controllers and forcing replication, replication between A and B started working correctly and I was able to join the machine to the domain.
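As an added example (not part of the original post, and not Microsoft's script), here is the diagnosis and the recovery procedure above as one PowerShell script, to be run in an elevated session on the domain controller that logged event 2042 (DC B above, the one that could not pull from A). The DC names, the domain DN and the backup target are assumed placeholders; repadmin and dcdiag are the standard tools on Windows Server 2003 and later, and the registry value is the one named in the technet procedure (reg.exe would do the same job where PowerShell is not installed).

```powershell
# Added example, not from the original post: the event 2042 / KB 822053
# recovery scripted. Run in an elevated PowerShell session ON the domain
# controller that logged event 2042 (DC B in the post). All names below
# are assumed placeholders.
$SourceDC = 'dcA.corp.example'     # assumed: RID master, the source B refuses to pull from
$DestDC   = $env:COMPUTERNAME      # this DC, the one that logged event 2042
$DomainDN = 'DC=corp,DC=example'   # assumed domain naming context
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$RegName  = 'Allow Replication With Divergent and Corrupt Partner'

# The three partitions every DC holds; all of them must come through,
# otherwise schema/configuration stay stale after the domain NC succeeds.
$NamingContexts = @(
    $DomainDN,
    "CN=Configuration,$DomainDN",
    "CN=Schema,CN=Configuration,$DomainDN"
)

# 1. Same precaution as the post: system state backup before touching anything
#    (ntbackup on Windows Server 2003; wbadmin on 2008 and later, as below).
#    wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. Confirm the diagnosis: event 2042 naming the source, a stopped inbound
#    link in repadmin, and a RID manager test that fails.
Get-EventLog -LogName 'Directory Service' -Newest 200 |
    Where-Object { $_.EventID -eq 2042 } |
    Select-Object -First 1 TimeGenerated, Message | Format-List
repadmin /showrepl $DestDC
dcdiag /test:RidManager /v

# 3. Check for lingering objects BEFORE opening replication, with the source
#    DC as reference. /advisory_mode only reports; nothing is deleted.
#    The source's DSA object GUID is in the header of its /showrepl output.
$match = repadmin /showrepl $SourceDC |
    Select-String -Pattern 'DSA object GUID:\s*(\S+)' | Select-Object -First 1
if (-not $match) { throw "Could not read the DSA object GUID of $SourceDC" }
$SourceGuid = $match.Matches[0].Groups[1].Value
foreach ($nc in $NamingContexts) {
    repadmin /removelingeringobjects $DestDC $SourceGuid $nc /advisory_mode
}

# 4. The registry step from the technet article: allow inbound replication
#    from a partner that is past the tombstone lifetime.
Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord

# 5. Force inbound replication from the source for each partition and show
#    the result; every link should now report a successful last attempt.
foreach ($nc in $NamingContexts) {
    repadmin /replicate $DestDC $SourceDC $nc
}
repadmin /showrepl $DestDC

# 6. Close the door again as soon as replication has succeeded, and verify
#    that RID allocation works, which is what the original error was about.
Set-ItemProperty -Path $RegPath -Name $RegName -Value 0 -Type DWord
Get-ItemProperty -Path $RegPath -Name $RegName
dcdiag /test:RidManager /v
```

If the advisory run in step 3 reports lingering objects, remove them first (the same repadmin command without /advisory_mode) before going on to step 4, as the "Reset the Registry" note in the procedure above requires. The value is set back to 0 in the same script so the DC is not left permanently accepting replication from divergent partners.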




No comments: