Q: What do I need to watch out for in managing the RID pool used in an AD domain? Or is this all done auto-magically?

A: In a Windows Active Directory (AD) domain, the process of generating unique Relative IDs (RIDs) is a single-master operation that's assigned to one specific domain controller (DC). This DC is then referred to as the RID master of the domain. The RID master can be hosted on either a DC or a Global Catalog (GC).


The RID master gives a pool of RIDs to each of the other DCs in the domain and keeps track of the sets of allocated RIDs for each DC. The domain-level RID pool controlled by the RID master can hold approximately one billion RIDs.

RIDs are never reused because the RID can't be reclaimed after a security principal is deleted. Reusing a RID could lead to unauthorized access to resources if the resources' access control settings referred to previously issued security IDs (SIDs) and RIDs.

The RID master gives every DC a pool of 500 RIDs at a time. When a new domain account or group is created, the DC assigns the new account a SID and a RID that's taken from its local allocated RID pool. When a DC's RID pool begins to run low, it automatically asks the RID master for another block of RIDs.

Problems occur when a DC has used all RIDs in its local RID pool and can't obtain a new pool from the RID master because of, for example, network problems. The DC won't be able to create new security principals until a new local RID pool is obtained. In this case, event 16645 and optionally event 16651 will be logged in the Directory Services event log of the DCs that can't acquire new RID pools.

To reduce the chance of running out of RIDs, you can increase the number of RIDs that are allocated by the RID master to each DC's RID pool by adjusting the RID Block Size value (REG_DWORD) on the RID master DC. The RID Block Size value is located in the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values

If you change the RID Block Size value, you should configure the new value not only on the RID master DC but also on all other DCs in your domain so that if the RID master needs to be transferred to another DC, the RID Block Size will be consistent on all DCs without additional updates.

Windows presets the RID Block Size registry subkey value to 0, which means that the internal default of 500 is used. You can't use the RID Block Size to set RID pool values lower than 500: It always defaults to 500. You can only use it to set higher RID pool values. On pre-SP4 Windows 2000 machines, there was a flaw in the RID threshold compare logic that caused RID Block Size values higher than 500 to revert back to the default allocation of 500, but this problem was fixed starting with Windows 2000 SP4.


Windows 2000 DCs request a new RID pool when 20 percent of their current RID pool remains. Starting with Windows 2000 SP4, Microsoft raised the threshold at which DCs request a new RID pool to 50 percent. Therefore, a post-Windows 2000 SP4 DC with a default pool size of 500 requests a new pool when 250 RIDs have been consumed.

To close, I want to share some practical thoughts on the domain-level RID pool that's controlled by the RID master and that can hold approximately one billion RIDs. If your domain were ever to reach the one billion RID limit, it wouldn't be able to create new user, group, or computer accounts. Agreed, there's very little chance that any AD installation would ever reach this limit. Still, it won't hurt to make sure that you don't have provisioning systems or scripts that automatically and accidentally bulk-create user, group, or computer accounts and that all of a sudden could eat a large piece of your RID pie.

To give you some peace of mind, you can also check how many RIDs your RID master has already issued by using the Dcdiag command-line tool that's available on every Windows 2008 AD DC. In Windows 2003, the Dcdiag tool is included in the Support Tools that are available from the product CD. In Windows 2000, Dcdiag is part of the Resource Kit. You can also download it from the Microsoft online Download Center. To check the RID allocation with Dcdiag, type the following at a command prompt:

dcdiag.exe /test:ridmanager /v

Figure 1 shows the results of the command; the RID allocation appears in the RidManager section.

Figure 1: Using Dcdiag to see the RID pool allocation
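As an added example (not code from the original article or from Microsoft), the same numbers that Dcdiag reports can be read straight from the directory with PowerShell: the per-DC RID Set object and the domain-level RID Manager$ object. It assumes the RSAT ActiveDirectory module and read access to those objects; the function names are my own.

```powershell
# Added example, not from the original article: read the per-DC RID pool and the
# domain-level pool straight from AD. Assumes the RSAT ActiveDirectory module and
# read access to the RID Set and RID Manager$ objects.
Import-Module ActiveDirectory

function Split-RidPool {
    # Pool attributes pack two 32-bit values: low half = first RID, high half = last RID.
    param([Int64]$Value)
    [PSCustomObject]@{
        Start = $Value -band 0xFFFFFFFF
        End   = ($Value -shr 32) -band 0xFFFFFFFF
    }
}

function Get-DcRidPoolStatus {
    # Post-Windows 2000 SP4 DCs ask the RID master for a new block once half of the
    # current block is used; flag a DC that has crossed that line with no standby block.
    param([string]$DomainController, [double]$RequestThreshold = 0.5)
    $dcObj  = Get-ADDomainController -Identity $DomainController
    $dcComp = Get-ADComputer -Identity $dcObj.ComputerObjectDN -Properties rIDSetReferences
    $ridSet = Get-ADObject -Identity $dcComp.rIDSetReferences[0] -Server $DomainController `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $active  = Split-RidPool $ridSet.rIDPreviousAllocationPool   # block RIDs are issued from
    $standby = Split-RidPool $ridSet.rIDAllocationPool           # next block, if already fetched
    $blockSize = $active.End - $active.Start + 1                 # 500 unless RID Block Size was raised
    $remaining = $active.End - $ridSet.rIDNextRID                # assumes rIDNextRID = last RID handed out
    $hasStandby = ($standby.Start -ne $active.Start)             # equal pools = no standby block yet
    [PSCustomObject]@{
        DC = $DomainController; ActivePool = "$($active.Start)-$($active.End)"
        BlockSize = $blockSize; Remaining = $remaining; HasStandbyPool = $hasStandby
        NeedsAttention = (-not $hasStandby) -and ($remaining -le [int]($blockSize * (1 - $RequestThreshold)))
    }
}

function Get-DomainRidPoolStatus {
    # RID Manager$ holds rIDAvailablePool: low half = next RID the master will hand to a DC,
    # high half = the domain-wide ceiling (about one billion).
    $domain = Get-ADDomain
    $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
        -Server $domain.RIDMaster -Properties rIDAvailablePool
    $pool = Split-RidPool $mgr.rIDAvailablePool
    [PSCustomObject]@{
        RidMaster = $domain.RIDMaster; NextToIssue = $pool.Start; Ceiling = $pool.End
        PercentUsed = [math]::Round(100 * $pool.Start / $pool.End, 3)
    }
}

Get-DomainRidPoolStatus
Get-ADDomainController -Filter * | ForEach-Object { Get-DcRidPoolStatus -DomainController $_.HostName }
```

A DC reporting NeedsAttention = True while events 16645 or 16651 appear in its Directory Services log is the situation the article describes: the local block is running out and no replacement has arrived from the RID master.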