RID Pool Request

Applies To: Windows Server 2008

Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.

Events

| Event ID | Source | Message |
|---|---|---|
| 16642 | SAM | The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log. |
| 16643 | SAM | An initial account-identifier pool has not yet been allocated to this domain controller. A possible reason for this is that the domain controller has been unable to contact the RID master domain controller, possibly due to connectivity or network problems. Account creation will fail on this domain controller until the pool is obtained. |
| 16644 | SAM | The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain. |
| 16645 | SAM | The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the RID master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the RID master domain controller may be offline or missing from the domain. Verify that the RID master domain controller is running and connected to the domain. |
| 16646 | SAM | The computed account identifier is not valid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool. |
| 16647 | SAM | The domain controller is starting a request for a new account-identifier pool. |
| 16648 | SAM | The request for a new account-identifier pool has completed successfully. |
| 16651 | SAM | The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " |
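The following triage sketch is an added example, not Microsoft's code. It pairs each pool request (16647) with its success (16648) or failure (16651) per domain controller and grades the remaining events listed above. The record layout `(timestamp, dc, event_id)`, the severity labels, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Event meanings condensed from the table above; severity labels are this example's own.
CRITICAL = {16644: "domain RID space exhausted"}
BLOCKING = {
    16642: "allocator could not assign an identifier",
    16643: "no initial RID pool allocated",
    16645: "pool used up and no new pool obtained",
    16646: "computed RID outside the current pool",
}
REQUEST, SUCCESS, FAILURE = 16647, 16648, 16651

def triage(events):
    """Return (findings, pending) for (timestamp, dc, event_id) records.

    findings: list of (timestamp, dc, severity, text)
    pending:  dc -> timestamp of a 16647 request with no 16648 yet
    """
    findings, pending, failures = [], {}, defaultdict(int)
    for ts, dc, eid in sorted(events):      # ISO timestamps sort chronologically
        if eid == REQUEST:
            pending.setdefault(dc, ts)      # keep the oldest unanswered request
        elif eid == SUCCESS:
            pending.pop(dc, None)
            failures[dc] = 0
        elif eid == FAILURE:                # request is retried, so it stays pending
            failures[dc] += 1
            findings.append((ts, dc, "warning",
                             f"pool request failed ({failures[dc]} in a row)"))
        elif eid in BLOCKING:
            findings.append((ts, dc, "error", BLOCKING[eid]))
        elif eid in CRITICAL:
            findings.append((ts, dc, "critical", CRITICAL[eid]))
    return findings, pending

# Constructed sample: DC01 renews its pool normally, DC02 cannot reach the RID master.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "DC01", 16647),
    ("2024-01-10T08:00:02", "DC01", 16648),
    ("2024-01-10T09:15:00", "DC02", 16647),
    ("2024-01-10T09:15:30", "DC02", 16651),
    ("2024-01-10T09:20:30", "DC02", 16651),
    ("2024-01-10T09:45:00", "DC02", 16645),
]

if __name__ == "__main__":
    found, still_open = triage(SAMPLE_EVENTS)
    for row in found:
        print(*row)
    print("unanswered pool requests:", still_open)
```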
