{"id":512,"date":"2012-11-17T15:17:15","date_gmt":"2012-11-17T20:17:15","guid":{"rendered":"http:\/\/adsecurity.org\/?p=512"},"modified":"2014-11-13T22:15:08","modified_gmt":"2014-11-14T03:15:08","slug":"windows-2012-rid-management","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=512","title":{"rendered":"Windows 2012 RID Management"},"content":{"rendered":"<p>While \u201c1 Billion RIDs should be enough for anyone,\u201d there are scenarios where a domain could run out of RIDs. This is a \u201cvery bad thing\u201d since every security principal requires a RID for creation (Domain SID + RID = security principal SID). One can check the number of RIDs remaining in a domain through many different tools (<a href=\"http:\/\/blogs.metcorpconsulting.com\/tech\/?p=321\">PowerShell<\/a>).<\/p>\n<p>DCDIAG:<\/p>\n<blockquote><p>Dcdiag.exe \/TEST:RidManager \/v | find \/i \"Available RID Pool for the Domain\"<\/p><\/blockquote>\n<p>PowerShell:<\/p>\n<blockquote><p>#######################<br \/>\n# Get Domain RID Info #<br \/>\n#######################<br \/>\n## Based on code from https:\/\/blogs.technet.com\/b\/askds\/archive\/2011\/09\/12\/managing-rid-pool-depletion.aspx<br \/>\nImport-Module ActiveDirectory<br \/>\n## Resolve the current domain; the original snippet used $DomainDNS and $ADDomainDistinguishedName without setting them<br \/>\n$ADDomain = Get-ADDomain<br \/>\n$DomainDNS = $ADDomain.DNSRoot<br \/>\n$ADDomainDistinguishedName = $ADDomain.DistinguishedName<br \/>\nWrite-Verbose \"Get RID Information from AD including the number of RIDs issued and remaining `r \"<br \/>\n$RIDManagerProperty = Get-ADObject \"cn=rid manager$,cn=system,$ADDomainDistinguishedName\" -Property RIDAvailablePool -Server ((Get-ADDomain $DomainDNS).RidMaster)<br \/>\n$RIDInfo = $RIDManagerProperty.RIDAvailablePool<br \/>\n## RIDAvailablePool packs the maximum RID (high 32 bits) and the next RID to be issued (low 32 bits); floor instead of a plain [int32] cast so the low half is never rounded into the high half<br \/>\n[int32]$TotalSIDS = [math]::Floor($RIDInfo \/ ([math]::Pow(2,32)))<br \/>\n[int64]$Temp64val = $TotalSIDS * ([math]::Pow(2,32))<br \/>\n[int32]$CurrentRIDPoolCount = $RIDInfo - $Temp64val<br \/>\n$RIDsRemaining = $TotalSIDS - $CurrentRIDPoolCount<\/p>\n<p>$RIDsIssuedPcntOfTotal = ( $CurrentRIDPoolCount \/ $TotalSIDS )<br \/>\n$RIDsIssuedPercentofTotal = \"{0:P2}\" -f $RIDsIssuedPcntOfTotal<br \/>\n$RIDsRemainingPcntOfTotal = ( $RIDsRemaining \/ $TotalSIDS )<br \/>\n$RIDsRemainingPercentofTotal = \"{0:P2}\" -f $RIDsRemainingPcntOfTotal<\/p>\n<p>Write-Output \"RIDs Issued: $CurrentRIDPoolCount ($RIDsIssuedPercentofTotal of total) `r \"<br \/>\nWrite-Output \"RIDs Remaining: $RIDsRemaining ($RIDsRemainingPercentofTotal of total) `r \"<\/p><\/blockquote>\n<p>Windows Server 2012 can expand the RID pool to 2 billion RIDs by reclaiming the 31st bit (enabled through SidCompatibilityVersion). This is a last resort: a domain of all 2012 DCs is highly recommended before enabling it, since older DCs (2003 and newer) need a hotfix to support this \u201cfeature\u201d.<\/p>\n<p>Windows 2012 provides several RID protection mechanisms:<\/p>\n<ul>\n<li>Artificial RID ceiling at 10% of the maximum (107,374,183 RIDs remaining), which stops the RID Master from delivering new RID blocks.<\/li>\n<li>Constant warnings at 1% of the maximum: events are logged whenever a DC requests RIDs and on the RID Master whenever it provides RID blocks.<\/li>\n<li>Block size cap: sets a maximum valid value for the DC RID pool request size (default: 500 RIDs). Note that 2012 introduces a maximum RID pool request of 15,000.<\/li>\n<\/ul>\n<p>All of the details are at the ASKDS Blog:<br \/>\n<a href=\"https:\/\/blogs.technet.com\/b\/askds\/archive\/2012\/08\/10\/managing-rid-issuance-in-windows-server-2012.aspx?Redirected=true\">ASKDS covers Windows Server 2012 RID Expansion<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While \u201c1 Billion RIDs should be enough for anyone,\u201d there are scenarios where a domain could run out of RIDs. 
This is a \u201cvery bad thing\u201d since every security principal requires a RID for creation (Domain SID + RID = security principal SID).\u00a0 One can check the number of RIDs remaining in a domain through &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=512\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,2],"tags":[216,279,277,276,280,278,47],"class_list":["post-512","post","type-post","status-publish","format-standard","hentry","category-powershell","category-technical-reference","tag-fsmo","tag-getridusage","tag-relativeidentifier","tag-rid","tag-ridceiling","tag-ridmaster","tag-windowsserver2012","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=512"}],"version-history":[{"count":2,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/512\/revisions"}],"predecessor-version":[{"id":514,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/512\/revisions\/514"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=512"}],"curies":[{"name":"
wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}