We have experienced 3 times lately where we have been unable to create user objects in Active Directory. The first two had the same errors. I'm not sure if the third one is related or not.
I have 4 DC's, two in each of two sites. One of the Domain Controllers, DC1, has all the FSMO roles They are all Windows 2012 R2, but the Domain and Forest Functional Level is at Windows 2008 R2 until later this week. We have a single domain forest. We have about 650-700 actual users, so even with shared and special user ID's, we probably have less that 2000 user objects. Not a large Active Directory structure.
While I first noticed the problem when working in Exchange, this is an AD problem. Almost 6 weeks ago, I suddenly was unable to create a user account when trying to create an Exchange mailbox. The error in Exchange was "Exchange couldn't find any usable connections to the Active Directory server DC1.domain."
In the System log on DC1, there were numerous Event ID 16642 error events from Directory-Services-SAM:
“The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.” After finding very little about troubleshooting this error, I restarted DC1. Once DC1 came back up, I was able to create user objects again.
Early last week, I experienced the same thing with the same errors. I restarted DC1 again, and again I was able to create objects normally.
I was off last Friday, but received an email from a colleague that we were again unable to create user objects. They restarted DC1 and were able to create users again.
I looked through the Event logs on DC1 and did NOT find the Event ID 16642 from Directory-Services-SAM. I did not find anything in the Application or System log that looked like an explanation for this inability to create users on Friday morning. This time, I looked at the Directory Service log and saw error Event ID 1519 repeated many times:
"Internal Error: Active Directory Domain Services could not perform an operation because the database has run out of version storage."
I saw a Microsoft blog about version storage at "https://blogs.technet.microsoft.com/askds/2016/06/14/the-version-store-called-and-theyre-all-out-of-buckets/". This blog discussed increasing the maximum size of the version store, but it related the need for this with information that would be found in error Event ID 623. DC1's log does not contain Event 623.
Unfortunately, the Directory Service log went back only a few days, so I could nor look for what might have been in there during the time frame of the first two instances of being unable to create users.
Can anyone offer me any help with what I need to do to prevent this situation from recurring?
Thank you very much for your help with this.
I have 4 DC's, two in each of two sites. One of the Domain Controllers, DC1, has all the FSMO roles They are all Windows 2012 R2, but the Domain and Forest Functional Level is at Windows 2008 R2 until later this week. We have a single domain forest. We have about 650-700 actual users, so even with shared and special user ID's, we probably have less that 2000 user objects. Not a large Active Directory structure.
While I first noticed the problem when working in Exchange, this is an AD problem. Almost 6 weeks ago, I suddenly was unable to create a user account when trying to create an Exchange mailbox. The error in Exchange was "Exchange couldn't find any usable connections to the Active Directory server DC1.domain."
In the System log on DC1, there were numerous Event ID 16642 error events from Directory-Services-SAM:
“The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.” After finding very little about troubleshooting this error, I restarted DC1. Once DC1 came back up, I was able to create user objects again.
Early last week, I experienced the same thing with the same errors. I restarted DC1 again, and again I was able to create objects normally.
I was off last Friday, but received an email from a colleague that we were again unable to create user objects. They restarted DC1 and were able to create users again.
I looked through the Event logs on DC1 and did NOT find the Event ID 16642 from Directory-Services-SAM. I did not find anything in the Application or System log that looked like an explanation for this inability to create users on Friday morning. This time, I looked at the Directory Service log and saw error Event ID 1519 repeated many times:
"Internal Error: Active Directory Domain Services could not perform an operation because the database has run out of version storage."
I saw a Microsoft blog about version storage at "https://blogs.technet.microsoft.com/askds/2016/06/14/the-version-store-called-and-theyre-all-out-of-buckets/". This blog discussed increasing the maximum size of the version store, but it related the need for this with information that would be found in error Event ID 623. DC1's log does not contain Event 623.
Unfortunately, the Directory Service log went back only a few days, so I could nor look for what might have been in there during the time frame of the first two instances of being unable to create users.
Can anyone offer me any help with what I need to do to prevent this situation from recurring?
Thank you very much for your help with this.