Sunday, May 06, 2007

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

Is a message I got on a restored Windows 2003 domain controller. Restore went fine but I could not create a single object in AD.
This happened when we were doing a disaster recovery exercise and part of that exercise was restoring a single domain controller. Now, this is obviously a RID master issue. Most logical course of action would be to seize the FSMO roles. However, according to a netdom /query fsmo I already had all the FSMO roles on that DC.

Bit of a puzzler so I phoned a colleague who told me that seized roles do not become active unless a single successful replication has been made. In my case where I only had a single "surviving" DC the easiest option would be to use Sites and Services to remove all connections from my DC and let the KCC check the connections. 15 minutes later it had determined that this DC was rather alone and that it would be safe to get the RID pool online. And it worked, I could once again create objects in AD.

Another interesting piece of experience I gained was that it can be very useful to have a system state backup made with ntbackup when you're trying to restore a machine on different hardware.
