Last night, I wrote a post about how a little logical thinking was required in order to resolve some issues with the dcdiag.exe utility from the Windows Server 2003 Support Tools.
Since then, I’ve been examining the dcdiag test results and was a little alarmed to find that two of the domain controllers (DCs) for the domain that I intend to migrate several hundred users into were reporting a lack of available RIDs:
Starting test: RidManager
* Available RID Pool for the Domain is 17352 to 1073741823
* domaincontrollername.domainname.tld is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14352 to 14851
* rIDPreviousAllocationPool is 12352 to 12851
* rIDNextRID: 12849
* Warning :There is less than 1% available RIDs in the current pool
……………………. domaincontrollername passed test RidManager
For anyone who doesn’t appreciate the potential significance of this, relative identifiers (RIDs) are necessary in order to create new Active Directory objects. Because Active Directory uses a multi-master model, any DC can create an object, which is then replicated between the various DCs in the organisation. Objects are actually identified by their SID, part of which includes the domain identifier, and part of which is the RID. In order to maintain uniqueness, the generation and allocation of RIDs is controlled by the DC holding the RID Master role for the domain, allocating pools of 500 (by default) RIDs to DCs for use when generating the SIDs for new objects. Still with me? Microsoft knowledge base article 305475 has more details.
Active Directory DCs (at Windows 2000 SP4 and later revisions) request a new RID pool from the RID master once the pool is 50% depleted, so 1% of available RIDs concerned me somewhat. Other tests had confirmed that replication was working, and switching the RID Master role to another DC didn’t appear to make any change. I also checked to see that there were no duplicate SIDs in the domain. As it happens, everything was working normally but the labels, and the warning, are very confusing. This is what I found:
- rIDPreviousAllocationPool is not, as the name suggests, the last pool that was used – it’s actually the RID pool that is currently being used. So, in the example above, 12352 to 12851 is the list of RIDs currently being allocated. When this becomes exhausted (rIDNextRID gives an indication of how soon this will occur), Windows copies rIDAllocationPool into rIDPreviousAllocationPool and starts using the new RIDs as needed. There is a global RID pool size limit that the RID Master can allocate from (the Available RID Pool).
- rIDAllocationPool is the next batch of RIDs to be used (supplied by the RID Master). In this case, 14352 to 14851 will be the next batch of RID numbers (500 in the pool) for this DC. This is generated automatically via a request to the RID Master once the pool is 50% depleted.
- rIDNextRID is the last RID allocated (not the next one to be allocated). So the next object to get created in the example above will get RID 12850.
I tested this by creating some new users and running further tests with dcdiag.exe, observing the DC reach the end of the pool and then start using the next pool (originally called rIDAllocationPool):
Starting test: RidManager
* Available RID Pool for the Domain is 17352 to 1073741823
* domaincontrollername.domainname.tld is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14352 to 14851
* rIDPreviousAllocationPool is 12352 to 12851
* rIDNextRID: 12851
* Warning :There is less than 0% available RIDs in the current pool
……………………. domaincontrollername passed test RidManager
Starting test: RidManager
* Available RID Pool for the Domain is 17352 to 1073741823
* domaincontrollername.domainname.tld is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14352 to 14851
* rIDPreviousAllocationPool is 14352 to 14851
* rIDNextRID: 14352
……………………. domaincontrollername passed test RidManager
Once I have created another 249 or so users, I should see a new rIDAllocationPool generated.
Just to be sure that I understood this fully, I installed acctinfo.dll, after which I could clearly see the RID at the end of the SID for the test user account (when viewing the Additional Account Info tab on the user properties in Active Directory Users and Computers).
In short, if you see a message about less than a certain percentage of RIDs in the current pool, don’t worry about it (as long as rIDAllocationPool is different to rIDPreviousAllocationPool)! The pool will gradually be used until it reaches 0% and tips over into the next allocation. The problem is the confusing language used (rIDAllocationPool should really be rIDNextAllocationPool, rIDPreviousAllocationPool should really be rIDCurrentAllocationPool and rIDNextRID should be rIDPreviousRID).
RIDs are not mandatory to create *ANY* new object in AD; only security objects have an SID.
The official MOC documentation says that a DC asks the RID master for a new block of SIDs when there are only 100 left in its pool.
Thanks for the clarification Martin – you’re correct that SIDs are only required for security objects but generally that’s what the majority of AD objects are, particularly in my case where I needed to migrate several hundred users into the domain.
As for the issuance of a block of RIDs (not SIDs), it’s not unknown for the MOC materials to be incorrect (a link would be useful); however the best advice I have is that the behaviour changed at Windows Server 2000 service pack 4, as detailed in Microsoft knowledge base article 316201:
Mark