JSI Tip 10525. Active Directory attributes that refer to a prefix are not stored in the local copy of Active Directory on Windows Server 2003?

When you install and additional domain controller, it is unable to obtain a RID pool allocation, preventing the creation of new security principals. Your Directory Services event log may contain:

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 16650
Time: HH:MM:SS
User: N/A
Computer: <Domain Controller Name>
Description: The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

If diagnostic event logging for Active Directory services is 4 (Verbose) or greater, your Directory Services event log may contain:

Event Type: Information
Event Source: NTDS General
Event Category: Directory Access
Event ID: 1175
Time: HH:MM:SS
User: Everyone
Computer: <Domain Controller Name>
Description: A privileged operation (rights required = 0x) on object <path to object> failed because a non-security related error occurred.

Microsoft Knowledge Base Article 913539 Describes the problem where Windows Server 2003 prefix mismatches block RID pool allocation on a Windows Server 2003-based domain controller. Provides several workarounds to resolve this problem.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.