The directory service has exhausted the pool of relative identifiers

active-directory

While testing a script to create ~800 AD accounts on a Windows 2008 server, the following error came up:

The directory service has exhausted the pool of relative identifiers

After this all dsadd attempts result in a pause of ~10 seconds and
dsadd failed:The specified domain either does not exist or could not be contacted.

After restarting the server, the first dsadd gives the "exhausted the pool" message, followed by the "does not exist or could not be contacted" message.

In the event logs I see

The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool.

And

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is
" The requested FSMO operation failed. The current FSMO holder could not be contacted.
"

Checking RID/PDC/infrastructure FSMO roles shows them all assigned to this server (it is a single server AD domain) so what else could be causing this problem? I've restarted the server, but the issue persists.

Best Answer

New RIDs appear not to be being generated.

This suggests either the RID service is broken, or the RID master role is not correctly assigned to this server, regardless of what your checks indicate.

I'd suggest running 'netdom query fsmo' to double-check the RID master role holder.

Are there any errors in the event logs for services failing to start?
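
The checks suggested in the answer above, gathered into one PowerShell triage script as an added example (not part of the original post). It assumes an elevated prompt on the domain controller with netdom and dcdiag installed; the `RID pool manager` label matched in the netdom output and the message patterns used for the event-log filter are assumptions based on the text quoted in the question.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.

# 1. Who does the directory say holds the RID master role?
#    Assumption: netdom labels that line "RID pool manager".
$ridMaster = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^\s*RID pool manager\s+(\S+)') { $ridMaster = $Matches[1] }
}

# Build this server's FQDN from WMI so the comparison does not depend on DNS.
$cs = Get-WmiObject Win32_ComputerSystem
$localFqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain

if (-not $ridMaster) {
    Write-Warning 'netdom returned no RID pool manager line; the role holder could not be read.'
} elseif ($ridMaster -eq $localFqdn) {   # -eq is case-insensitive for strings
    Write-Host "RID master is this server ($localFqdn)."
} else {
    Write-Warning "RID master is '$ridMaster', but this server is '$localFqdn'."
}

# 2. Let dcdiag test the RID manager; /v prints the role owner and pool ranges.
dcdiag /test:ridmanager /v

# 3. Recent System log entries about the identifier pool (wording from the question),
#    plus Service Control Manager errors for services that failed to start.
$recent = Get-EventLog -LogName System -Newest 2000
$recent |
    Where-Object { $_.Message -match 'identifier pool|FSMO' } |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-List
$recent |
    Where-Object { $_.EntryType -eq 'Error' -and $_.Source -match 'Service Control Manager' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```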