KnowledgeBase: You receive error ‘The directory service was unable to allocate a relative identifier’ when installing Azure AD Connect

Reading Time: 3 minutes

Azure AD Connect

Sometimes, the installation of Azure AD Connect can mess up your project deadlines in mere seconds. In this blogpost, I want to share an error that kept the admins of an organization occupied for several days, while it was relatively (har har) easy to fix.

The situation

An organization wants to configure Azure AD Connect. An admin downloads Azure AD Connect, and runs it.

On the Welcome to Azure AD Connect page, the admin selects the I agree to the license terms and privacy notice. option and hits the Continue button. On the Express Settings page, the admin clicks Customize.

The issue

On the Install required components page, the admin clicks Continue. Instead of being taken to the User Sign-in page, the admin is confronted with an error message:

Unable to install the Synchronization Service. The directory service was unable to allocate a relative identifier error in Azure AD Connect (click for original screenshot)

Unable to install the Synchronization Service. The directory service was unable to allocate a relative identifier.

In the Application Log in Event Viewer (eventvwr.exe) several events can be found with Event ID 906 and source AzureActiveDirectorySyncEngine.

The cause

This issue is caused by an absence of available relative identifiers (rIDs) in Active Directory. Azure AD Connect needs a relative identifier to create the connector account in Active Directory. All objects in Active Directory have a security identifier (sID), that is comprised of the relative identifier (rID) and the sID namespace for the domain:

This issue in Azure AD Connect may be caused by:

  1. RID Exhaustion; a total absence of available rIDs in Active Directory,
  2. A Domain Controller who has exhausted its rID pool and is unable to obtain a new rID Pool from the Domain Controller acting as the RID Pool Master, or,
  3. Mangled RID Pool Master information in Active Directory.

The solution

To solve this issue, we need to know if we’ve exhausted all the rIDs in Active Directory. This is the issue from the above list that would be most troublesome.

To get this information, we need to run the following line of commands on the Command Prompt (cmd.exe):

dcdiag /test:ridmanager /v | find /i "Available RID Pool"

The output will show you the used relative identifier compared to the maximum amount of available RIDs in the environment. If you still have available rIDs in Active Directory, then you can continue with the next step. If you’ve exhausted all rIDs, you can double the RID Pool if all your Domain Controllers run Windows Server 2008 R2 with KB2642658 installed, or newer versions of Windows Server.

If you still have available rIDs in Active Directory, you can seize the RID Pool master on a Domain Controller that is known healthy, using Windows PowerShell.

Open an elevated Windows PowerShell window on a known-good Domain Controller and run the following line of Windows PowerShell, replacing the Target-DC with the name of the Domain Controller:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster -Force

Type a Y to answer the question Do you want to move the role ‘RIDMaster’ to server ‘Target-DC.domain.tld’? Then, press the Enter button.

Close the Windows PowerShell window.

Now you can install Azure AD Connect without problems.

Posted on January 11, 2021 by Sander Berkouwer in Active Directory, Entra Connect

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.