Nov 17

Windows 2012 RID Management

While “1 Billon RIDs should be enough for anyone,” there are scenarios where a domain could run out of RIDs. This is a “very bad thing” since every security principal requires a RID for creation (Domain SID + RID = security principal SID).  One can check the number of RIDs remaining in a domain through many different tools (PowerShell).

DCDIAG:

Dcdiag.exe /TEST:RidManager /v | find /i “Available RID Pool for the Domain”

 

########################
# Get Domain RID Info #
#######################
## Based on code From https://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
Import-Module ActiveDirectory
Write-Verbose “Get RID Information from AD including the number of RIDs issued and remaining `r “
$RIDManagerProperty = Get-ADObject “cn=rid manager$,cn=system,$ADDomainDistinguishedName” -property RIDAvailablePool -server ((Get-ADDomain $DomainDNS).RidMaster)
$RIDInfo = $RIDManagerProperty.RIDAvailablePool
[int32]$TotalSIDS = $RIDInfo / ([math]::Pow(2,32))
[int64]$Temp64val = $TotalSIDS * ([math]::Pow(2,32))
[int32]$CurrentRIDPoolCount = $RIDInfo – $Temp64val
$RIDsRemaining = $TotalSIDS – $CurrentRIDPoolCount

$RIDsIssuedPcntOfTotal = ( $CurrentRIDPoolCount / $TotalSIDS )
$RIDsIssuedPercentofTotal = “{0:P2}” -f $RIDsIssuedPcntOfTotal
$RIDsRemainingPcntOfTotal = ( $RIDsRemaining / $TotalSIDS )
$RIDsRemainingPercentofTotal = “{0:P2}” -f $RIDsRemainingPcntOfTotal

Write-Output “RIDs Issued: $CurrentRIDPoolCount ($RIDsIssuedPercentofTotal of total) `r “
Write-Output “RIDs Remaining: $RIDsRemaining ($RIDsRemainingPercentofTotal of total) `r “

Windows Server 2012 provides the capability to expand the RID pool to 2 billion RIDs by reclaiming the 31st bit (through SidCompatibilityVersion). Of course, this is a last resort scenario since a domain of all 2012 DCs is highly recommended (though 2003 and newer have a hotfix for supporting this “feature”).

Windows 2012 provides several RID protection mechanisms:

  • Artificial RID ceiling of 10% of maximum (107,374,183 RIDs remaining) preventing new RIDs from being delivered from the RID Master.
  • Constant warnings at 1% of maximum – Events are logged whenever a DC request RIDs and on the RID Master when providing RID blocks.
  • Block size cap – sets a maximum valid value for DC RID pool request size (default: 500 RIDs). Note that 2012 introduces a max RID pool request of 15,000.

All of the details at the ASKDS Blog:
ASKDS covers Windows Server 2012 RID Expansion

 

(Visited 190 times, 1 visits today)