| Event Id | 16650 |
| Source | sam. |
| Description | The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 may retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure. |
| Event Information | According to Microsoft: When you use Dcpromo.exe to create a new domain controller replica in a forest consisting of a single domain and one existing domain controller, you may receive an "Access Denied" error message when you use Dssite.msc to replicate from the new domain controller to the existing one. In addition, the new domain controllers Directory Service log may record Error 16650. CAUSE: This behavior can occur when the existing domain controller was previously a Microsoft Windows NT Server 4.0-based primary domain controller (PDC) that was upgraded to be a Windows 2000-based domain controller. In this situation, the "Access this computer from the network" user right is granted only to the following groups: 1) Administrators 2) Backup Operators 3) Domain Users RESOLUTION: To resolve this behavior, grant the Enterprise Admins group the user right "Access this computer from the network", and then refresh the security policy. |
| Reference Links | Replicating from New Domain Controller to Existing One Returns Access Denied; Log Shows Error 16650 |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.