As per Microsoft: "When you use Dcpromo.exe to create a new domain controller replica in a forest consisting of a single domain and one existing domain controller, you may receive an "Access Denied" error message when you use Dssite.msc to replicate from the new domain controller to the existing one. In addition, the new domain controller's Directory Service log may record Error 16650". See ME285836 and ME822053 to resolve this problem.
From a newsgroup post: "I just had this situation last week and I got out of it successfully. It sounds like you took the route I did when retiring my old server. This is to say that you most likely never demoted the old server gracefully and it still appears in your AD database. There is no need to worry. If you are no longer planning to have the retired server in your domain, transfer the FSMO roles to the new server and then use ntdsutil.exe to clean up the metadata of the outgoing server. Read these three articles closely: ME216498
If you did demote the old machine before reinstalling, run "netdom query fsmo" from the command prompt to determine who owns the RID master role. Netdom.exe is part of the support tools that come with your server media. Sometimes FSMO roles do not transfer gracefully to another replica when you demote a DC that holds a role. In that case, you will need to seize the role".
From a newsgroup post: "Check and make sure that the FSMO role RID Master is available and operational in the domain. By default, this is created on the first DC that was created in the domain. You can determine who the RID Master is supposed to be by bringing up AD Users and Computers and right-clicking on the domain and selecting Operations Masters. The RID role should be on a DC in your domain. If it is not, you may have removed the DC that it was originally on, but did not transfer it before the removal. In this case, you will have to use ntdsutil to seize the role to a current operational DC".
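A read-only check for the condition the two posts above describe, an FSMO role (the RID master in particular) still assigned to a retired server, given here as an added example that is not part of the original posts. The sample text is constructed in the layout that `netdom query fsmo` prints; the host names, the `$liveDCs` list and the function names are assumptions.

```powershell
# Constructed sample in the layout printed by "netdom query fsmo".
# Host names are placeholders, not values from the page.
$sample = @'
Schema master               NEWDC.example.local
Domain naming master        NEWDC.example.local
PDC                         NEWDC.example.local
RID pool manager            OLDDC.example.local
Infrastructure master       NEWDC.example.local
The command completed successfully.
'@

function Get-FsmoHolder {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Role name and holder are separated by a run of two or more spaces;
        # the trailing status line has no such run and is skipped.
        if ($line -match '^(?<Role>\S.*?)\s{2,}(?<Holder>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches.Role; Holder = $Matches.Holder }
        }
    }
}

function Find-OrphanedFsmoRole {
    param([string[]]$Lines, [string[]]$LiveDCs)
    $roles = @(Get-FsmoHolder -Lines $Lines)
    if ($roles.Count -ne 5) {
        throw "Expected 5 FSMO roles, parsed $($roles.Count); check the input."
    }
    # -notin compares case-insensitively, which suits DNS host names.
    $roles | Where-Object { $_.Holder -notin $LiveDCs }
}

# With the support tools installed, use live output instead of the sample:
#   $lines = netdom query fsmo
$lines   = $sample -split '\r?\n'
$liveDCs = @('NEWDC.example.local')   # assumption: DCs known to be in service

$orphans = @(Find-OrphanedFsmoRole -Lines $lines -LiveDCs $liveDCs)
if ($orphans.Count -gt 0) {
    $orphans | Format-Table -AutoSize
    if ($orphans.Role -contains 'RID pool manager') {
        Write-Warning 'RID master is held by a server that is not a live DC.'
    }
} else {
    'All five FSMO roles are held by live DCs.'
}
```

The script only reports; transferring or seizing a role remains a separate, deliberate step with ntdsutil as the posts describe.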
From a newsgroup post: "In case you encounter this error after you performed a backup restore, as you may know each DC has a pool of RIDs to create security principals (users, groups, and computers). When a DC is restored, an old RID pool might also be restored. To make sure it is not re-used, the DC dumps it and requests a new one. The FSMO role that hands out RID pools is the RID master. Your RID master MUST be available as the first DC in your recovery steps. Read “Active Directory Forest Recovery” for information on AD recovery".
shows information on how to find servers that hold Flexible Single Master Operations Roles.