User cannot create accounts in Active Directory Users and Computers

Cause: most likely a large number of accounts were created in bulk, or the DC was restored in a non-standard way. Each DC's RID pool sequence must be one issued to it by the RID Master.
To check whether a DC's RID pool is healthy, look for the following in the Dcdiag /v log:

The customer can still create accounts on AD2, because its pool IDs are correct:
Starting test: RidManager
         * Available RID Pool for the Domain is 5111 to 1073741823
         * ads.pglamer.com.tw is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4611 to 5110
         * rIDPreviousAllocationPool is 4611 to 5110
         * rIDNextRID: 4611
         ......................... AD2 passed test RidManager

On AD1, however, the next ID to be issued is 4610 and the current pool is already empty:
Starting test: RidManager
         * Available RID Pool for the Domain is 5111 to 1073741823
         * ads.pglamer.com.tw is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4111 to 4610
         * rIDPreviousAllocationPool is 4111 to 4610
         * rIDNextRID: 4610
         * Warning :Next rid pool not allocated
         * Warning :There is less than 0% available RIDs in the current pool

This problem is usually caused by a program creating accounts in bulk faster than the DC can request a new 500-RID pool from the RID Master, or by this DC having been restored from a system state backup.

Solution
Perform the following steps on AD1:

a-1. Please add the following registry value on the domain controller MERCURY. (If your OS is Windows 2000)

          HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow System Only Change
          Type: REG_DWORD
          Value: 0x1

a-2. If the OS is Windows 2003 Server, install the Support Tools from the Windows 2003 source CD.
They are located at <CD-ROM drive>:\SUPPORT\TOOLS\SUPTOOLS.MSI.
After installing the Support Tools, follow the steps below.
1. Start LDP.exe, go to Connection and choose Connect. Then go to Connection and choose Bind to the DS server that you want to modify. Make sure that you are a schema administrator.
2. After you have connected and authenticated to the selected LDAP server, open the Browse menu and select Modify.
3. Leave the DN blank. Type "schemaUpgradeInProgress" (without the quotation marks) in the Attribute field, and type "1" (without the quotation marks) in the Values field.
4. Select the "Add" operation, and then press ENTER. Note: pressing ENTER adds this command to the entry list.
5. Select Run. Note: you will receive a "Modified" message when the operation has finished.

b. Don't reboot the server. We can now modify the RID pool attributes.
The DCDIAG log shows:

Starting test: RidManager
         * Available RID Pool for the Domain is 5111 to 1073741823
         * ads.pglamer.com.tw is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4111 to 4610
         * rIDPreviousAllocationPool is 4111 to 4610
         * rIDNextRID: 4610
         * Warning :Next rid pool not allocated
         * Warning :There is less than 0% available RIDs in the current pool

c. Please set the values as below:
We will skip the 4611 to 5110 pool and start from 5111. The new pool contains 500 RIDs.

The NextRID should be: 5111.
The rIDAllocationPool should be: 15EA000013F7 (24094766535671) = 5111-5610, the new pool (5111+499=5610)
15EA = 5610 (upper bound, high 32 bits)
13F7 = 5111 (lower bound, low 32 bits)

15EA000013F7 = 24094766535671

The rIDPreviousAllocationPool should be: 12020000100F (19799799238671) = 4111-4610, the old pool
1202 = 4610 (upper bound, high 32 bits)
100F = 4111 (lower bound, low 32 bits)
12020000100F = 19799799238671
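To make the hex arithmetic above and the dcdiag check at the top of this note repeatable, here is an added Python example; it is not part of the original note and not a Microsoft tool. It packs a RID range into the 64-bit integer stored in rIDAllocationPool, rIDPreviousAllocationPool and rIDAvailablePool (upper bound in the high 32 bits, lower bound in the low 32 bits), unpacks such a value for review, parses the RidManager section of dcdiag /v output to report how many RIDs the DC has left, and derives the replacement values used in step c and in step 7 (it keeps 5111 as the lower bound of rIDAvailablePool exactly as the note does). The dcdiag text embedded in the block is the AD1 sample from this note; all function names are the example's own.

```python
import re

# dcdiag /v RidManager output for the exhausted DC (AD1), copied from the note
# above and embedded here as sample input for the functions below.
DCDIAG_AD1 = """\
Starting test: RidManager
         * Available RID Pool for the Domain is 5111 to 1073741823
         * ads.pglamer.com.tw is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4111 to 4610
         * rIDPreviousAllocationPool is 4111 to 4610
         * rIDNextRID: 4610
         * Warning :Next rid pool not allocated
         * Warning :There is less than 0% available RIDs in the current pool
"""

MASK32 = 0xFFFFFFFF


def encode_rid_pool(low, high):
    """Pack a RID range into the 64-bit integer AD stores in the pool attributes:
    upper bound in the high 32 bits, lower bound in the low 32 bits."""
    if not 0 <= low <= high <= MASK32:
        raise ValueError("RID bounds must fit in 32 bits and satisfy low <= high")
    return (high << 32) | low


def decode_rid_pool(value):
    """Inverse of encode_rid_pool: return (low, high) for a stored pool value."""
    return value & MASK32, (value >> 32) & MASK32


def pool_hex(value):
    """Hex form of a pool value, e.g. 15EA000013F7 as written in the note."""
    return f"{value:X}"


def parse_ridmanager(text):
    """Extract the RID figures from the RidManager section of dcdiag /v output."""
    range_patterns = {
        "domain_avail": r"Available RID Pool for the Domain is (\d+) to (\d+)",
        "alloc": r"rIDAllocationPool is (\d+) to (\d+)",
        "prev": r"rIDPreviousAllocationPool is (\d+) to (\d+)",
    }
    info = {}
    for key, pattern in range_patterns.items():
        m = re.search(pattern, text)
        if m:
            info[key] = (int(m.group(1)), int(m.group(2)))
    m = re.search(r"rIDNextRID:\s*(\d+)", text)
    if m:
        info["next_rid"] = int(m.group(1))
    info["next_pool_missing"] = "Next rid pool not allocated" in text
    return info


def rids_remaining(info):
    """RIDs still available above rIDNextRID in the DC's current allocation pool."""
    return info["alloc"][1] - info["next_rid"]


def pool_exhausted(info):
    """True when the DC cannot hand out another RID: nothing left in the current
    pool and the next pool has not been allocated by the RID Master."""
    return rids_remaining(info) <= 0 and info["next_pool_missing"]


def plan_new_pool(info, size=500):
    """Derive the attribute values the note sets by hand: skip to the start of the
    domain's available range and take `size` RIDs from it, record the old range as
    the previous pool, and encode the domain-wide range for rIDAvailablePool
    (lower bound left at the available-range start, as the note does)."""
    start = info["domain_avail"][0]
    end = start + size - 1
    return {
        "rIDNextRID": start,
        "rIDAllocationPool": encode_rid_pool(start, end),
        "rIDPreviousAllocationPool": encode_rid_pool(*info["alloc"]),
        "rIDAvailablePool": encode_rid_pool(*info["domain_avail"]),
    }


if __name__ == "__main__":
    info = parse_ridmanager(DCDIAG_AD1)
    print(f"RIDs remaining on AD1: {rids_remaining(info)}, exhausted: {pool_exhausted(info)}")
    plan = plan_new_pool(info)
    print("rIDNextRID =", plan["rIDNextRID"])
    for name in ("rIDAllocationPool", "rIDPreviousAllocationPool", "rIDAvailablePool"):
        low, high = decode_rid_pool(plan[name])
        print(f"{name} = {plan[name]} (hex {pool_hex(plan[name])}) -> {low} to {high}")
```

Running the block against the AD1 sample reports 0 RIDs remaining and reproduces the three decimal values entered in ADSI Edit below, so the same functions can be used to double-check a hand-computed value before committing it, or to decode an existing attribute value into its range when reviewing a DC.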

d. Use Adsiedit.msc to modify the values:

1. Open Adsiedit.msc on the domain controller ADS.
2. Expand to Domain NC -> OU=Domain Controllers -> CN=AD1.
3. Go to the right pane, right-click CN=RID Set, and choose Properties.
4. On the Attributes tab, select Mandatory as the type, and then in the Property field select the three attributes listed below:

rIDAllocationPool: 24094766535671 (5111-5610)
rIDNextRID: 5111
rIDPreviousAllocationPool: 19799799238671 (4111-4610)

5. Set each value as listed above, then click Apply to commit the reset.
6. After changing the three attribute values, expand another object:
Domain NC partition, DC=pglamer,DC=com,DC=tw, CN=System.
In the right pane you can see the object CN=RID Manager$. Right-click it and choose Properties.
7. Locate the attribute rIDAvailablePool. Make sure its value is Then change the value to 4611686014132425719 (5111 to 1073741823).
5111 to 1073741823
5111 = 13F7 (lower bound, low 32 bits)
1073741823 = 3FFFFFFF (upper bound, high 32 bits)
3FFFFFFF000013F7 = 4611686014132425719
rIDAvailablePool = 4611686014132425719

8. Reboot the machine.
e. Change the value back:

a-1. Please add the following registry value on the domain controller MERCURY. (If your OS is Windows 2000)

          HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow System Only Change
          Type: REG_DWORD
          Value: 0x0

a-2. If the OS is Windows 2003 Server, install the Support Tools from the Windows 2003 source CD.
They are located at <CD-ROM drive>:\SUPPORT\TOOLS\SUPTOOLS.MSI.
After installing the Support Tools, follow the steps below.
1. Start LDP.exe, go to Connection and choose Connect. Then go to Connection and choose Bind to the DS server that you want to modify. Make sure that you are a schema administrator.
2. After you have connected and authenticated to the selected LDAP server, open the Browse menu and select Modify.
3. Leave the DN blank. Type "schemaUpgradeInProgress" (without the quotation marks) in the Attribute field, and type "0" (without the quotation marks) in the Values field.
4. Select the "Add" operation, and then press ENTER. Note: pressing ENTER adds this command to the entry list.
5. Select Run. Note: you will receive a "Modified" message when the operation has finished.