다음을 통해 공유


Overview of RID pools for the domain

A short one today. A customer had concerns about the RID Pool administration in his domain. Brief refresher: DCs create security principals such as users, computers and groups, and each one of these must have a unique security identifier a.k.a. as SID. A SID for a domain security principal is built from two parts: the domain SID, and a relative identifier (integer) called a RID. Each DC gets its own unique pool of 500 RIDs to distribute, and when there are 100 or less left over, the DC asks a new pool of 500 RIDs in reserve. Asks it where? At the RID master, of course. If you want to know more, the details are here.

I wrote a quick script to get an overview of the RID pools for all DCs of the current domain:

[powershell]
$properties = "ridAllocationPool","rIDNextRID","rIDPreviousAllocationPool","ridUsedPool"
Get-ADDomainController -Filter * | ForEach-Object {
$dc = $_.hostname
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -ErrorAction SilentlyContinue).TcpTestSucceeded)
{
Write-Warning "Cannot reach $dc on LDAP, skipped."
return
}

$ridsetDN = "CN=Rid Set,$($_.ComputerObjectDN)"
try {
$ridobject = Get-ADObject -Server $_.hostname -filter * -SearchBase $ridsetDN -SearchScope Base -Properties $properties
} catch {
Write-Warning "DC $dc has no RID Pool. It's an RODC or dcpromo has not completed yet."
return
}

$poolEnd = ($ridObject.rIDPreviousAllocationPool -band 0xffffffff00000000) / 0x100000000
$poolStart = $ridObject.rIDPreviousAllocationPool -band 0xffffff
$nextPoolEnd = ($ridObject.ridAllocationPool -band 0xffffffff00000000) / 0x100000000
$nextPoolStart = $ridObject.ridAllocationPool -band 0xfffffff

[PSCustomObject] @{
hostname = $dc
nextRid = $($ridObject.ridNextRid)
poolStart = $poolStart
poolEnd = $poolEnd
nextPoolStart = $nextPoolStart
nextPoolEnd = $nextPoolEnd
}
} | Out-GridView
[/powershell]

We start with getting a list of all DCs. We need to visit each one, because some attributes that we need are local to the DC and are not replicated. This is about a large domain, so I needed to filter out DCs that may be offline or even firewalled. The Test-Netconnection commandlet does this for me. Note that this only exists on 2012 R2 and higher. The next thing that tripped me up was the occasional RODC that has no RID administration (why not?). The final bit of trickery is extracting two RID pools: the current one held in attribute rIDPreviousAllocationPool (yes, I know... unfortunate naming) and the next one in ridAllocationPool. These attributes are both 64-bit integers where the low part has the start, and the high part the end of the pool. At the end, we put the data in the pipeline for further processing. In this case we view the data using Out-Gridview, but feel free to use Export-CSV instead to save the data into a convenient CSV file.

The result looks like this in one of my test domains:

Rid Pool Illustration

All RID pools are close to each other. DC6 and DC7 have the same values for the current pool and the next one, meaning that they have not asked for the next pool yet. DC4 is different. As you can see from nextRid which indicates the next RID to be used for SID creation, it is issuing from the final 100 of the current pool, and has already retrieved the next pool. On average, 1 of 5 DCs will have a next pool already allocated, so that my domain of three DCs has a DC with different pools is a lucky coincidence.

Comments

  • Anonymous
    April 17, 2018
    Hello.I have this issue;* rIDAllocationPool is 1100 to 1599 * rIDPreviousAllocationPool is 1100 to 1599 * rIDNextRID: 1599 * Warning :Next rid pool not allocated * Warning :There is less than 0% available RIDs in the current poolHow can I fix it?
    • Anonymous
      April 26, 2018
      Hi, this happens when the RID master is not available. Either your DC has no network connection to the DC holding the RID master, or the RID master itself is gone. To find out which DC has which roles, create an elevated command prompt and type: netdom query fsmo. If the RID master no longer exists, you need to seize the role.
  • Anonymous
    April 19, 2018
    With regards to the RODC and RID Pool, could be because a RODC cannot hold a RID pool as it cannot allocate a RID (for example when a desktop admin at a remote site (containing only RODC) want to join a computer to the domain. if the RODC held a RID pool and therefore gave this RID out (so the workstation could join the domain) then this information would have to be replicated 'out' to the read-write DCs. Assuming the WAN link was down to this remote site when the desktop admin was adding the computer to the domain if the RODC was capable of giving out a RID and allowing the computer to join the domain this RODC would then have a new record (Computer object and its associated new SID) which all other DCs and would therefore have to replicate this out to the RWDC when they are back online (WAN back up). As RODC are not supposed to replicate out changes to AD, I assume (correct me if you found otherwise) the RODC cannot hold a RID Pool)
    • Anonymous
      April 26, 2018
      True. An RODC cannot create users, computers or groups, and has no use for a RID pool. AFAIK it does not ask for one either, although I did not bother to check ;)