Event ID 16645 - RIP Full? Maybe???

Status
Not open for further replies.

TooEZ

IS-IT--Management
Mar 15, 2002
10
AU
I have been trying to sort out this problem on our DC. I can't create user or computer accounts. Please point me in the right direction...
-----------------

Errors I have been receiving are:

Event Source: SAM
Event ID: 16645
Description:
The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.
-----------------

Event Source: NETLOGON
Event ID: 5781
Description:
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.
-----------------

Event Source: Schannel
Event ID: 36872
Description:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
-----------------

The machine is running Windows 2000 Server SP4. It is the only DC on the network (however there are other Win2K Servers on the network). This is also our Exchange 5.5 server. There are about 100 workstations running Win2K Pro, on which the login is very slow as well.

If I don't get this fixed reasonably soon I think I will be in the unemployment line in the very near future...

Cheers
TooEZ
 
Just some more info, the DC is the RID master and I have stopped and started the DNS service too...

Any other ideas???

HELP ME PLEASE...

TooEZ
 
I suggest starting with dcdiag.exe and netdiag.exe

Running dcdiag in verbose mode will give you information about the FSMO roles including the RID pool that is available.

Netdiag is also a great tool, but running in verbose mode generates a LOT of data. You can direct output to a log file, though.

Both tools are part of the Win2K support tools on the server CD or can be downloaded from MS.

The third error message may actually be one you don't need to worry about if you do not have a third party certificate installed or have your own Enterprise CA set up.
 
Results from DCDIAG:

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\BSCPDC
Starting test: Connectivity
......................... BSCPDC passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\BSCPDC
Starting test: Replications
[Replications Check,BSCPDC] A recent replication attempt failed:
From BSCWIN2KDC2 to BSCPDC
Naming Context: CN=Schema,CN=Configuration,DC=banana,DC=qld,DC=gov,DC=au
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-02-15 14:50.49.
The last success occurred at 2002-02-27 12:48.20.
17249 failures have occurred since the last success.
The guid-based DNS name 572a116a-a791-4ec2-a4e5-e99b8a430914._msdcs.banana.qld.gov.au
is not registered on one or more DNS servers.
[BSCWIN2KDC2] DsBind() failed with error 1722,
Win32 Error 1722.
[Replications Check,BSCPDC] A recent replication attempt failed:
From BSCWIN2KDC2 to BSCPDC
Naming Context: CN=Configuration,DC=banana,DC=qld,DC=gov,DC=au
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-02-15 14:50.49.
The last success occurred at 2002-02-27 12:56.29.
17249 failures have occurred since the last success.
The guid-based DNS name 572a116a-a791-4ec2-a4e5-e99b8a430914._msdcs.banana.qld.gov.au
is not registered on one or more DNS servers.
[Replications Check,BSCPDC] A recent replication attempt failed:
From BSCWIN2KDC2 to BSCPDC
Naming Context: DC=banana,DC=qld,DC=gov,DC=au
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-02-15 14:50.49.
The last success occurred at 2002-02-27 13:03.26.
17249 failures have occurred since the last success.
The guid-based DNS name 572a116a-a791-4ec2-a4e5-e99b8a430914._msdcs.banana.qld.gov.au
is not registered on one or more DNS servers.
......................... BSCPDC passed test Replications
Starting test: NCSecDesc
......................... BSCPDC passed test NCSecDesc
Starting test: NetLogons
......................... BSCPDC passed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (BSCPDC) call failed, error 1355
The Locator could not find the server.
......................... BSCPDC failed test Advertising
Starting test: KnowsOfRoleHolders
......................... BSCPDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... BSCPDC passed test RidManager
Starting test: MachineAccount
......................... BSCPDC passed test MachineAccount
Starting test: Services
Dnscache Service is stopped on [BSCPDC]
SMTPSVC Service is stopped on [BSCPDC]
......................... BSCPDC failed test Services
Starting test: ObjectsReplicated
......................... BSCPDC passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... BSCPDC passed test frssysvol
Starting test: kccevent
An Warning Event occured. EventID: 0x800004F1
Time Generated: 02/15/2004 15:33:19
Event String: The attempt to establish a replication link with An Warning Event occured. EventID: 0x800004F1
Time Generated: 02/15/2004 15:33:22
Event String: The attempt to establish a replication link with An Warning Event occured. EventID: 0x800004F1
Time Generated: 02/15/2004 15:33:24
Event String: The attempt to establish a replication link with ......................... BSCPDC failed test kccevent
Starting test: systemlog
......................... BSCPDC passed test systemlog

Running enterprise tests on : banana.qld.gov.au
Starting test: Intersite
......................... banana.qld.gov.au passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... banana.qld.gov.au failed test FsmoCheck


------------------------------------------------------------
Results from NETDIAG:

Computer Name: BSCPDC
DNS Host Name: bscpdc.banana.qld.gov.au
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 7 Stepping 3, GenuineIntel
List of installed hotfixes :
KB823980
Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : bscpdc
IP Address . . . . . . . . : 192.1.1.2
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.1.1.254
Primary WINS Server. . . . : 192.1.1.2
Dns Servers. . . . . . . . : 192.1.1.2


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed

Adapter : Local Area Connection 2

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : bscpdc
IP Address . . . . . . . . : 203.7.188.21
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 202.7.188.1
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 203.7.188.3
203.12.160.35

IpConfig results . . . . . : Failed

[WARNING] Your default gateway is not on the same subnet as your IP address.

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Failed
No gateway reachable for this adapter.

NetBT name test. . . . . . : Skipped
NetBT is disabled on this interface. [Test skipped]

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{7F99789D-E646-4533-A2F1-A13189ADB109}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed
------------------------------------------------------------

For information, BSCWIN2KDC2 and BSCBSC were taken out of the network 2 years ago (before I started working for the organisation)... There seem to be heaps of problems here, I don't know where to start.

Can someone point me in the right direction...

Cheers
 
Two major problems that I see:

First, it doesn't look like BSCWIN2KDC2 was removed cleanly from the domain. This is why BSCPDC is trying to replicate with it. You will need to do a metadata cleanup (KB article 216498) to remove BSCWIN2KDC2 completely.

Second, BSCPDC has both an internal and an external network card. Bad idea. My guess is that the external IP is being registered in DNS, which will cause many problems. Check your forward lookup zone in DNS for any records that have the 203.7.188.21 address and remove them. Also disable DNS registration on the external NIC, or better yet, remove the external NIC completely.

Once you disable the registrations on the external NIC, stop and start the netlogon service, then do an ipconfig /flushdns.

Also run 'netdom query fsmo' on the DC (you must install the support tools from the 2000 server CD). Make sure that the DC holds all the FSMO roles. If not, you will need to seize them.

Once you get all of this cleaned up and the DC is healthy, install a second DC! It does not need to be anything special, not necessarily a 'server-class' machine. An old workstation will be fine, even if it's a PII 400 with 128MB of RAM. But get a second DC, or you WILL be on the unemployment line when your existing DC bites the dust (and trust me, it will).
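
An added example, not part of the original posts: a small Python parser for dcdiag text like the output above. It lists replication partners whose last success is far older than the reported failure (the sign of a DC that was never removed cleanly) and the tests that failed. The function names and the 60-day threshold are assumptions made for this example; 60 days matches the default Windows 2000 tombstone lifetime.

```python
import re
from datetime import datetime

# Excerpt of the dcdiag output posted in this thread, trimmed for the example.
SAMPLE = """\
Starting test: Replications
[Replications Check,BSCPDC] A recent replication attempt failed:
From BSCWIN2KDC2 to BSCPDC
Naming Context: CN=Configuration,DC=banana,DC=qld,DC=gov,DC=au
The replication generated an error (8524):
The failure occurred at 2004-02-15 14:50.49.
The last success occurred at 2002-02-27 12:56.29.
17249 failures have occurred since the last success.
......................... BSCPDC passed test Replications
Starting test: Advertising
Fatal Error:DsGetDcName (BSCPDC) call failed, error 1355
......................... BSCPDC failed test Advertising
Event String: The attempt to establish a replication link with ......................... BSCPDC failed test kccevent
"""

TS = "%Y-%m-%d %H:%M.%S"  # dcdiag prints seconds after a dot, e.g. 14:50.49

def stale_partners(text, max_days=60):
    """Map each source DC to its naming contexts and the worst gap (in days)
    between last success and reported failure, when the gap exceeds max_days.
    max_days=60 is an assumed threshold (default Windows 2000 tombstone lifetime)."""
    found, src, nc, failed = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"From (\S+) to \S+$", line):
            src, nc, failed = m.group(1), None, None
        elif line.startswith("Naming Context:"):
            nc = line.split(":", 1)[1].strip()
        elif m := re.match(r"The failure occurred at (.+)\.$", line):
            failed = datetime.strptime(m.group(1), TS)
        elif (m := re.match(r"The last success occurred at (.+)\.$", line)) and src and failed:
            gap = (failed - datetime.strptime(m.group(1), TS)).days
            if gap > max_days:
                entry = found.setdefault(src, {"contexts": [], "days": 0})
                entry["contexts"].append(nc)
                entry["days"] = max(entry["days"], gap)
    return found

def failed_tests(text):
    """Return (target, test) pairs; the summary is not always at line start."""
    return re.findall(r"\.{5,} (\S+) failed test (\S+)", text)

if __name__ == "__main__":
    for dc, info in stale_partners(SAMPLE).items():
        print(f"{dc}: no successful replication for {info['days']} days: {info['contexts']}")
    print("failed tests:", failed_tests(SAMPLE))
```

Feed it the text saved from a verbose dcdiag run redirected to a file; any DC it reports that no longer exists on the network is a candidate for the metadata cleanup described above.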
 
TooEZ, were you able to get this problem fixed? I seem to have run into the exact same thing. My dcdiag printout matches yours almost exactly except for the names of course... an update would be great. Thanks
 
Yes I did solve this, all I did was follow MS Knowledgebase article 216498. If I remember correctly, I pretty much followed it word for word...

Good luck, also if you run into problems post another message here...

Cheers
 