Event ID 16646 — RID Pool Request

Applies To: Windows Server 2008

Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (one of the flexible single master operations, or FSMO, roles) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.

Event Details

Product: Windows Operating System
ID: 16646
Source: SAM
Version: 6.0
Symbolic Name: SAMMSG_INVALID_RID
Message: The computed account identifier is not valid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool.

Resolve

Invalidate the account identifier pool that is owned by the domain controller

The account identifier is not valid because it is out of the range of the current relative ID (RID) pool. To resolve this issue, you must invalidate the account identifier pool that is owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool. Perform the following procedure using the computer that is logging the event to be resolved.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To invalidate the local domain controller's RID pool:

  1. Click Start, click Run, type C:, and then press ENTER.

  2. Click File, click New, and then click Folder.

  3. Type RIDMgmt as the name for the new folder.

  4. Open the RIDMgmt folder.

  5. Click File, click New, and then click Text Document.

  6. Type iRIDPool as the file name of the new file.

  7. Copy the following code, and then paste it as the contents of the iRIDPool file.

    ' iRIDPool.vbs for invalidating the local domain controller RID Pool

    sub Usage
        wscript.echo "Script to invalidate the domain controller's RID pool."
        wscript.echo "Usage: cscript iRIDPool.vbs"
        wscript.quit -1
    end sub

    ' Get the command line arguments
    Set Args = Wscript.Arguments

    ' Validation and Usage
    if Args.Count > 0 then
        if Args(0) = "/?" or Args(0) = "-?" then
            wscript.echo "Help Requested"
            wscript.echo ""
            Usage
        end if
    end if

    ' Bind to RootDSE of the local DC: it gives us the domain naming context and
    ' is also where the invalidateRidPool operational attribute is written later
    Set oRootDSE = GetObject("LDAP://RootDSE")
    strNamingContext = oRootDSE.Get("defaultNamingContext")

    ' --- Define the attributes to be returned from the query ---
    strAttributes = "objectSid"

    '--- Set up the connection ---
    Set oConnection = CreateObject("ADODB.Connection")
    Set oCmd = CreateObject("ADODB.Command")
    oConnection.Provider = "ADsDSOObject"
    oConnection.Open "ADs Provider"
    Set oCmd.ActiveConnection = oConnection

    '--- Build the query string: the domainDNS object carries the domain SID ---
    strADOQuery = "<LDAP://" & strNamingContext & ">;(objectClass=DomainDNS);" & strAttributes & ";subtree"
    oCmd.CommandText = strADOQuery
    oCmd.Properties("Page Size") = 1000

    '--- Execute the query for the domain object in the directory ---
    Set oRecordSet = oCmd.Execute

    ' Assume we find nothing
    SearchHit = 0

    While Not oRecordSet.EOF
        For Each oField In oRecordSet.Fields
            ' Remember not to print empty search warning
            SearchHit = 1
            if (oField.Name = "objectSid") then
                DomainSID = oField.Value
            end if
        Next
        ' Writing the domain SID to invalidateRidPool on RootDSE discards the
        ' local pool; the DC then requests a fresh pool from the RID master
        wscript.echo "Invalidating RID Pool..."
        oRootDSE.Put "invalidateRidPool", DomainSID
        oRootDSE.SetInfo
        wscript.echo "RID Pool Invalidated"
        oRecordSet.MoveNext
    Wend

    ' Warn of empty search if no hits
    if SearchHit <> 1 then
        wscript.echo "DomainSid not found on the DomainDNS object under " & strNamingContext & "!"
        wscript.quit 0
    end if

  8. Click File, and then click Save As.

  9. In Save as type, select All Files.

  10. In File name, type iRIDPool.vbs, and then click Save.

  11. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  12. At the command prompt, type cd /d c:\RIDMgmt, and then press ENTER.

  13. Type cscript iRIDPool.vbs, and then press ENTER. The script alerts when the RID Pool is invalidated.

  14. Log off the domain controller.

Note: Individual domain controllers maintain local RID pools that are obtained from a global pool on the RID operations master. By default, RID pools are obtained in increments of 500. When a RID pool is invalidated, all remaining unique RIDs in that pool are unusable, which consequently reduces the number of accounts that can be created in the domain. The maximum number of accounts that can exist in an Active Directory domain is approximately 2 billion.

Verify

When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. You can also use the dcdiag command to verify that the RID master has properly assigned a RID pool to a domain controller. To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To confirm a RID pool assignment to a domain controller:

  1. Open a Command Prompt as an administrator on a domain controller in the domain you want to check. To do so, click Start. In Start Search, type Command Prompt, then right-click Command Prompt in the Start Menu and select Run as administrator.
  2. Run the command dcdiag /test:ridmanager /v /f:%userprofile%\desktop\DCname_RIDpool.txt /s:DCname and press ENTER; substitute the name of the domain controller you want to test for each DCname in the command. This creates a diagnostic file on the Desktop of the current user named for each domain controller tested.
  3. Open the file with Notepad or another text editor. To open the file with Notepad, type Notepad %userprofile%\desktop\DCname_RIDpool.txt and press ENTER. If you do not have a text editor installed, you can run the command type %userprofile%\Desktop\DCname_RIDpool.txt | more to view one screen of information at a time and use the SPACEBAR to advance one screen at a time through the file.

Look at the section of the file that reads “Starting test: RidManager.” If the domain controller received a RID allocation pool, the line that starts with “*rIDAllocationPool” should display a range of numbers; for example, “*rIDAllocationPool is 1100 to 1599.”
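The following is an added example, not code from this page or from Microsoft. It applies the SID layout described at the top of the page (domain prefix plus a 30-bit RID) and the dcdiag RidManager check above: it splits a SID into prefix and RID, reads the "rIDAllocationPool is X to Y" line out of a dcdiag report, and tests whether a RID (such as the value reported in the 16646 message) lies inside that pool. The dcdiag excerpt and the SID are constructed, and the function names are the author's own.

```python
import re

# Layout of a domain account SID: S-1-5-21-<d1>-<d2>-<d3>-<RID>.
# Everything before the last sub-authority is the domain prefix; the last value is the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid):
    """Return (domain_prefix, rid) for a domain SID string; raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    rid = int(m.group(1))
    if rid >= 1 << 30:  # RIDs are 30 bits wide, so 2^30 - 1 is the largest possible value
        raise ValueError("RID exceeds the 30-bit RID space")
    return sid[: sid.rfind("-")], rid

# Matches the "rIDAllocationPool is 1100 to 1599" line in the RidManager section of a dcdiag report.
POOL_RE = re.compile(r"rIDAllocationPool is (\d+) to (\d+)")

def allocation_pool(dcdiag_text):
    """Return (low, high) from the RidManager section, or None if that section or line is absent."""
    _, sep, tail = dcdiag_text.partition("Starting test: RidManager")
    if not sep:
        return None
    m = POOL_RE.search(tail)
    return (int(m.group(1)), int(m.group(2))) if m else None

def rid_in_pool(rid, pool):
    """True when rid lies inside the DC's current allocation pool (the condition event 16646 reports as violated)."""
    low, high = pool
    return low <= rid <= high

# Constructed dcdiag excerpt (not output from any real DC) in the shape the page describes.
SAMPLE_DCDIAG = """\
   Starting test: RidManager
      * Available RID Pool for the Domain is 1600 to 1073741823
      * dc1.example.test is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 1100 to 1599
      * rIDPreviousAllocationPool is 1100 to 1599
      * rIDNextRID: 1105
      ......................... DC1 passed test RidManager
"""

if __name__ == "__main__":
    pool = allocation_pool(SAMPLE_DCDIAG)
    prefix, rid = split_sid("S-1-5-21-1000000000-2000000000-3000000000-1105")
    print("domain prefix:", prefix, "RID:", rid, "pool:", pool, "in pool:", rid_in_pool(rid, pool))
```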
