Active Directory attributes that refer to a prefix may not be stored in the local copy of Active Directory on a computer that is running Microsoft Windows Server 2003 (913539)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
SYMPTOMS

On a computer that is running Microsoft Windows Server 2003, Active Directory directory service attributes that refer to a prefix may not be stored in the local copy of Active Directory. When this occurs, relative ID (RID) pool allocation is blocked. Additionally, you may experience one or more of the following symptoms.

Symptom 1

When you install Microsoft Windows 2000 Server-based computers or Microsoft Windows Server 2003-based computers as additional domain controllers, these additional domain controllers may not be able to obtain a RID allocation pool in existing domains. Additionally, you may not be able to create new security principals. Examples of security principals include user accounts, computer accounts, and security groups. Additionally, the following event may be logged in the Directory Services event log:

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 16650
Date: M/M/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: <domain controller name>
Description: The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

Symptom 2

When diagnostic logging for the Directory Access registry entry is increased to a value of 4 or larger on the newly-promoted domain controller, the following event may be logged in the Directory Services event log:

Event Type: Information
Event Source: NTDS General
Event Category: Directory Access
Event ID: 1175
Date: M/M/DD/YYYY
Time: HH:MM:SS AM|PM
User: Everyone
Computer: <domain controller name>
Description: A privileged operation (rights required = 0x) on object <path to object> failed because a non-security related error occurred.

Note Diagnostic logging is configured in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server
CAUSE

This problem occurs because Windows Server 2003 Service Pack 1-based computers add hard-coded prefixes to Active Directory. Typically, these prefixes are not outgoing-replicated to partner domain controllers. Inconsistent prefixes between replication partners may not interfere with Active Directory replication. However, computers that are running operating systems that are earlier than Windows Server 2003 Service Pack 1 reject the RID pool when they detect Windows Server 2003 Service Pack 1 prefixes in the local thread state.

For more information about how to obtain a RID pool from a Windows Server 2003 Service Pack 1-based computer, see the "More Information" section.

WORKAROUND

To work around this problem, use one of the following methods.

Method 1

Install Microsoft Windows Server 2003 Service Pack 1 on a computer that is running Windows Server 2003. For more information about how to obtain Windows Server 2003 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Method 2

Upgrade domain controllers that are running Windows 2000 Server to Windows Server 2003 Service Pack 1.

Method 3

If the domain controller is running an operating system that is earlier than Windows Server 2003 Service Pack 1, perform a minor schema change. To do this, follow these steps:
- Copy the following code into Notepad, and then save the file. To do this, follow these steps:
  - Click Start, click Run, type notepad, and then click OK.
  - Copy the following code, and then paste it in Notepad. (The second record has an empty dn, which addresses the rootDSE; the blank line between the two records is required by the LDIF format.)

```ldif
dn: CN=Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: address
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

  - Save the document by using the file name Simplefix.ldf.
- Assign the schema operations master, also known as flexible single master operations or FSMO, to a domain controller that is running Windows Server 2003 Service Pack 1.
- Log on to the console of the schema operations master as a member of the Schema Admins security group.
- Type the following at the command line:
  ldifde -i -f Simplefix.ldf -c DC=X <domain DN>
  Note Replace <domain DN> with your actual domain DN.
Method 4

You can force an additional domain controller to source from a specific domain controller by using a dcpromo answer file. In small domains, you can also stop the Netlogon service on domain controllers that are running operating systems that are earlier than Windows Server 2003 Service Pack 1. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
223757 Unattended promotion and demotion of Windows 2000 and Windows Server 2003 domain controllers

Method 5

Transfer the RID master in the affected domain to a domain controller that is running an operating system that is earlier than Windows Server 2003 Service Pack 1. The RID operations master must remain on this domain controller until all the domain controllers in the forest have incoming Service Pack 1 prefixes. To assign the Service Pack 1 prefixes, use the method that is described in the "Method 4" section.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

A RID pool request by computers that do not have Service Pack 1 installed is rejected when these computers detect Service Pack 1 prefixes that meet the following criteria:
- They are in a local thread state.
- This local thread state has been obtained from Windows Server 2003 Service Pack 1 RID masters.
- The thread state is obtained by these RID masters by using one of the following scenarios.
Scenario 1
- The RID operations master resides on a Windows Server 2003 Service Pack 1-based domain controller. Alternatively, the RID operations master resides on a Windows 2000-based or Windows Server 2003-based domain controller whose schema partition contains Windows Server 2003 Service Pack 1 prefixes in its local copy of Active Directory.
- A Windows 2000 Server-based domain controller or a Windows Server 2003-based domain controller is installed as an additional domain controller in an existing domain.
- The additional domain controller selects a domain controller that is running an operating system that is earlier than Windows Server 2003 Service Pack 1 to source the schema, configuration, and domain partitions. If a Windows Server 2003 Service Pack 1 domain controller is used instead, Windows Server 2003 Service Pack 1 prefixes are incoming-replicated when the Active Directory Installation Wizard (Dcpromo.exe) installs Active Directory.
- The newly-promoted domain controller cannot obtain a local RID pool from the RID operations master. Therefore, this domain controller is prevented from creating new user accounts, computer accounts, and security groups.

Scenario 2
- The RID operations master resides on a Windows Server 2003 Service Pack 1-based domain controller whose schema partition contains Windows Server 2003 Service Pack 1 prefixes in its local copy of Active Directory. Alternatively, this operations master resides on a Windows 2000-based or Windows Server 2003-based domain controller whose schema partition contains Windows Server 2003 Service Pack 1 prefixes in its local copy of Active Directory.
- A Windows 2000 Server-based domain controller or a Windows Server 2003-based domain controller is installed by using an Install from Media (IFM) promotion. Additionally, the system state backup originated from a domain controller that is running an operating system that is earlier than Windows Server 2003 Service Pack 1.
- The additional domain controller selects a domain controller that is running an operating system that is earlier than Windows Server 2003 Service Pack 1 to source the schema, configuration, and domain partitions. If a Windows Server 2003 Service Pack 1 domain controller is used instead, Windows Server 2003 Service Pack 1 prefixes are incoming-replicated during Active Directory installation by the Active Directory Installation Wizard (Dcpromo.exe).
- The domain controller cannot obtain a local RID pool from the RID operations master, which prevents it from creating new user accounts, computer accounts, and security groups.

Scenario 3
- The RID operations master resides on a domain controller that has Windows Server 2003 Service Pack 1 prefixes in its local copy of Active Directory.
- A system state backup is made on a domain controller that is running an operating system that is earlier than Windows Server 2003 Service Pack 1. This domain controller does not contain Windows Server 2003 Service Pack 1 prefixes in its local copy of Active Directory.
- The system state backup that was created in step 2 is restored. This process invalidates the local RID pool and triggers a request for a new RID pool from the RID operations master.
Schema

Attributes and classes are uniquely identified by a string of numbers that is known as an object identifier (OID). Active Directory code uses a different paradigm: it refers to attributes by a DWORD value that is named "attId." A prefix table maps this value to and from the object identifier. About 30 prefixes are hard coded in the prefix table. When an object identifier with a new prefix appears, domain controller code adds the new prefix to the table. The part of the prefix table that is not hard coded is stored in the prefixMap attribute on the schema head. Each domain controller maintains its own prefix table. The prefix table is not replicated as part of typical Active Directory replication.

You can add Windows Server 2003 Service Pack 1 prefixes to existing Windows Server 2003-based domain controllers by installing Service Pack 1 before or after you install the computer in the domain. In this manner, prefixes are added by the Ntdsa.dll file that is contained in Windows Server 2003 Service Pack 1. However, Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers that cannot install Windows Server 2003 Service Pack 1 can still obtain Windows Server 2003 Service Pack 1 prefixes. They can do this by modifying the schema on a Windows Server 2003 Service Pack 1 domain controller that hosts the schema operations master role.

Windows 2000-based workgroup computers and Windows Server 2003-based workgroup computers can obtain Windows Server 2003 Service Pack 1 prefixes by sourcing their initial copy of Active Directory from a Windows Server 2003 Service Pack 1 helper domain controller or from any one of the following domain controllers:
- A Windows 2000 Server-based domain controller that directly or transitively sourced its initial copy of Active Directory from a Windows Server 2003 Service Pack 1 helper domain controller
- A Windows Server 2003-based domain controller that directly or transitively sourced its initial copy of Active Directory from a Windows Server 2003 Service Pack 1 helper domain controller

When the Active Directory Installation Wizard runs, the new domain controller fully replicates the schema partition. Therefore, the prefix table is also fully replicated from the helper to the new domain controller.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server

The mapping works as follows when it is given an object identifier. Keep the last part of the object identifier. Store the prefix in the prefix table. Use the index of the item together with the last part of the object identifier as the DWORD value "attId."
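To make the prefix-table mechanism concrete, here is an added Python model (written for this page, not Microsoft's code) of a per-DC prefix table that packs (prefix index, last arc) into an attId and fails to decode an attId whose prefix the local table never learned, which is the situation a pre-SP1 domain controller is in when it sees SP1 prefixes in thread state. The three-entry hard-coded subset, the constructed "1.2.840.113556.1.99" prefix and the 16-bit/16-bit packing are assumptions of the example.

```python
from dataclasses import dataclass, field

# Sample stand-ins for the roughly 30 hard-coded prefixes (constructed
# subset for this example; the real table is larger).
HARD_CODED_PREFIXES = (
    "2.5.4",               # X.500 attribute types, e.g. cn = 2.5.4.3
    "1.2.840.113556.1.2",  # Microsoft-defined attributes
    "1.2.840.113556.1.4",  # Microsoft-defined attributes
)

@dataclass
class PrefixTable:
    """One domain controller's prefix table: list index -> OID prefix."""
    prefixes: list = field(default_factory=lambda: list(HARD_CODED_PREFIXES))

    def oid_to_attid(self, oid: str) -> int:
        """Split off the last arc, learn the prefix if it is new, and pack
        (prefix index, last arc) into a DWORD. The high-16/low-16 layout is
        an assumption of this example; the KB only says both parts are used."""
        prefix, last = oid.rsplit(".", 1)
        last_arc = int(last)
        if not 0 <= last_arc <= 0xFFFF:
            raise ValueError(f"last arc of {oid} does not fit in 16 bits")
        if prefix not in self.prefixes:
            self.prefixes.append(prefix)  # learned locally, never replicated
        return (self.prefixes.index(prefix) << 16) | last_arc

    def attid_to_oid(self, attid: int) -> str:
        """Reverse the mapping; fails if this DC never learned the prefix."""
        index, last_arc = attid >> 16, attid & 0xFFFF
        if index >= len(self.prefixes):
            raise KeyError(f"prefix index {index} is unknown to this DC")
        return f"{self.prefixes[index]}.{last_arc}"

    def prefix_map(self) -> list:
        """The non-hard-coded part, i.e. what prefixMap on the schema head holds."""
        return self.prefixes[len(HARD_CODED_PREFIXES):]

def cross_dc_lookup(sender: PrefixTable, receiver: PrefixTable, oid: str) -> str:
    """Encode an OID with one DC's table and decode the attId with another's,
    as happens when thread state from a RID master reaches a partner. Returns
    the OID the receiver reconstructs, or "rejected" if it lacks the prefix."""
    attid = sender.oid_to_attid(oid)
    try:
        return receiver.attid_to_oid(attid)
    except KeyError:
        return "rejected"
```

Build an SP1-style table by appending a prefix the pre-SP1 table does not have, then call cross_dc_lookup in both directions: the attId round-trips on the table that produced it and is rejected by the other. Note that an index is only meaningful relative to the table that produced it, so two DCs that learned different prefixes in different orders would decode the same attId to different OIDs rather than fail.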
Modification Type: Minor | Last Reviewed: 6/23/2006
Keywords: kbtshoot kbprb KB913539 kbAudITPRO