Windows 2012 RID Management

While “1 Billion RIDs should be enough for anyone,” there are scenarios where a domain could run out of RIDs. This is a “very bad thing” since every security principal requires a RID for creation (Domain SID + RID = security principal SID). One can check the number of RIDs remaining in a domain with several tools, including DCDIAG and PowerShell.

DCDIAG:

Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"

PowerShell:

########################
# Get Domain RID Info  #
########################
## Based on code from https://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
Import-Module ActiveDirectory
# Resolve the current domain's DNS name and distinguished name (not set in the original snippet)
$DomainDNS = (Get-ADDomain).DNSRoot
$ADDomainDistinguishedName = (Get-ADDomain $DomainDNS).DistinguishedName
Write-Verbose "Get RID Information from AD including the number of RIDs issued and remaining `r "
# Read RIDAvailablePool from the RID Manager object on the RID Master
# (the backtick keeps the literal $ in "RID Manager$" from being parsed as a variable)
$RIDManagerProperty = Get-ADObject "cn=rid manager`$,cn=system,$ADDomainDistinguishedName" -Properties RIDAvailablePool -Server ((Get-ADDomain $DomainDNS).RidMaster)
$RIDInfo = $RIDManagerProperty.RIDAvailablePool
# High 32 bits = total RIDs that can be created; low 32 bits = RIDs issued so far
[int32]$TotalSIDS = $RIDInfo / ([math]::Pow(2,32))
[int64]$Temp64val = $TotalSIDS * ([math]::Pow(2,32))
[int32]$CurrentRIDPoolCount = $RIDInfo - $Temp64val
$RIDsRemaining = $TotalSIDS - $CurrentRIDPoolCount

# Express issued and remaining RIDs as a percentage of the total
$RIDsIssuedPcntOfTotal = ( $CurrentRIDPoolCount / $TotalSIDS )
$RIDsIssuedPercentofTotal = "{0:P2}" -f $RIDsIssuedPcntOfTotal
$RIDsRemainingPcntOfTotal = ( $RIDsRemaining / $TotalSIDS )
$RIDsRemainingPercentofTotal = "{0:P2}" -f $RIDsRemainingPcntOfTotal

Write-Output "RIDs Issued: $CurrentRIDPoolCount ($RIDsIssuedPercentofTotal of total) `r "
Write-Output "RIDs Remaining: $RIDsRemaining ($RIDsRemainingPercentofTotal of total) `r "

Windows Server 2012 provides the capability to expand the RID pool to 2 billion RIDs by reclaiming the 31st bit (through SidCompatibilityVersion). Of course, this is a last resort scenario since a domain of all 2012 DCs is highly recommended (though 2003 and newer have a hotfix for supporting this “feature”).

Windows 2012 provides several RID protection mechanisms:

  • Artificial RID ceiling of 10% of maximum (107,374,183 RIDs remaining) preventing new RIDs from being delivered from the RID Master.
  • Constant warnings at 1% of maximum – Events are logged whenever a DC requests RIDs and on the RID Master when providing RID blocks.
  • Block size cap – sets a maximum valid value for DC RID pool request size (default: 500 RIDs). Note that 2012 introduces a max RID pool request of 15,000.
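
A monitoring check built on the thresholds listed above, as an added example that is not code from the original post or from AskDS. The function name `Get-RidPoolStatus` and its status labels are constructed, the sample values are constructed, and reading "1% of maximum" as "1% of the total still remaining" is an assumption.

```powershell
# Added example: classify a RIDAvailablePool value against the Windows 2012
# thresholds listed above. Function name and status labels are constructed.
function Get-RidPoolStatus {
    param([Parameter(Mandatory = $true)][int64]$RidAvailablePool)

    # High 32 bits: total RIDs the domain can issue. Low 32 bits: RIDs issued.
    $total  = $RidAvailablePool -shr 32
    $issued = $RidAvailablePool -band [int64][uint32]::MaxValue
    if ($total -le 0) { throw "Unexpected RIDAvailablePool value: $RidAvailablePool" }
    $remaining = $total - $issued

    # 10% of maximum: the artificial ceiling (107,374,183 for the sample total).
    $ceilingAt = [int64][math]::Ceiling($total * 0.10)
    # 1% of maximum: assumed here to mean 1% of the total still remaining.
    $warnAt = [int64][math]::Ceiling($total * 0.01)

    if ($remaining -le $warnAt) {
        $status = 'ConstantWarnings'
    } elseif ($remaining -le $ceilingAt) {
        $status = 'CeilingReached'
    } else {
        $status = 'Healthy'
    }

    [pscustomobject]@{
        Total            = $total
        Issued           = $issued
        Remaining        = $remaining
        PercentRemaining = [math]::Round(100.0 * $remaining / $total, 2)
        CeilingAt        = $ceilingAt
        Status           = $status
    }
}

# Constructed sample values: a total of 1,073,741,823 RIDs (the total that
# yields the 107,374,183 ceiling quoted above) with three issued counts,
# packed into the 64-bit attribute layout.
$sampleTotal = [int64]1073741823
foreach ($sampleIssued in 4600, 970000000, 1065000000) {
    $packed = ($sampleTotal -shl 32) -bor [int64]$sampleIssued
    Get-RidPoolStatus -RidAvailablePool $packed
}
```

In a live domain, pass the `RIDAvailablePool` value read from the RID Manager object by the script earlier in this post.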

All of the details at the ASKDS Blog:
ASKDS covers Windows Server 2012 RID Expansion

 

My Journey to Become a Microsoft Certified Master (MCM) Part 2: The MCM Program

NOTE: I do not work for Microsoft, nor have I ever worked for Microsoft. The information in this post is my thoughts and not those of Microsoft or any other company. Unless said company read my mind and placed some thoughts there… I should buy a Dell… 🙂

The content in this post belongs to Sean Metcalf and may not be used for any purpose without express written consent by him.

Also, NOTHING in these posts will get you to pass and become a Microsoft Certified Master (MCM).  Only your knowledge & experience and internal motivation to be the best will do that. Sure, you can glean some ideas that will help you prepare, but the MCM Program doesn’t teach to the test. You are tested on potentially anything and EVERYTHING that is Active Directory related (check the pre-reading list for topic coverage). The tests are extremely difficult. You are expected to be at the top of your game to pass.

I use both “Active Directory” and “Directory Services” interchangeably. The official certification is Microsoft Certified Master Directory Services (Windows Server 2008 R2).

This is Part 2, continued from Part 1, My Journey to Become a Microsoft Certified Master (MCM) Part 1: The Journey Begins

Arrived!

I arrived safely and checked into the motel of a hotel which is small, but serviceable. At least it is about 1 block away from the building I need to walk to every day (and 7-Eleven is 1 block the other way). I found that Safeway, an office supply store, a Thai restaurant, Red Robin restaurant, Arby’s, 5 Guys, Subway, and many other stores were about a 15 minute walk from the hotel.

The taxi from the airport was a Prius and cost about $60 to the Homewood Suites Hotel in Bellevue, WA. This sign in the taxi caught my attention.

NOTE: If you need a decent, cheap hotel to stay in during the MCM Program, the Homestead is OK.  If I had to do it again, I would seriously consider the Residence Inn which is only a few minutes more walk to the Microsoft building we were in. Homestead now has free WiFi & wired Internet, but still only provides servicing the room once a week. There’s a small, small kitchen area with a sink, microwave, stove top, and regular Refrigerator. It was suitable for my needs while there.

Sunday night I spent eating delivered pizza watching Super Bowl XLVI (46). I relaxed and didn’t read anymore figuring my brain needed a night off before the pain started. Enjoyed the game and found myself wondering if Madonna was 50 or 60 (she’s 54)…

The hotel room:


Day One: Monday (2/6/2012)
One month ago today, I started the first day at 7am to get badged, signed NDA documents, and at about 7:30am arrived in the classroom – my home for the next 2 weeks.

The Microsoft Building

There were 24 people attending this “14th Rotation” of the Directory Services Master program, 5 people from overseas (not Microsoft), 3 people from the US (not Microsoft), and 15 Microsoft PFEs from around the world (Asia, Australia, Canada, Russia, Romania, etc). Everyone seems to have about 7-10 years AD experience (one person joked they had 15 years of AD experience since they worked with Exchange).  The PFEs are, as expected, knowledgeable and… chatty. In a good way. They are relaxed and ready for the next 14 days.  60% of the people in the room are Microsoft employed & trained personnel from all over the world and are considered at the top of their game – this leads to some interesting customer stories (single DC for a single domain forest became corrupt… what to do…).

At around 8am MCM DS PM Ryan Conrad told us what to expect: this is the largest MCM DS class yet and based on statistics, only about 8 people will attain MCM status this rotation. Yup, 8 out of 23. Sobering words. 11 ended up passing this MCM rotation, but I’m jumping ahead. We learn that class this week is Monday – Saturday (though only 4 hours on Saturday) and we have Sunday off.  I don’t quite view Sunday as a day off considering our first test is on Monday which makes Sunday a study day for me.

Some other items Ryan pointed out (and my observations):


My Journey to Become a Microsoft Certified Master (MCM) Part 1: The Journey Begins

Just a quick note before I start. I do not work for Microsoft and have never worked for Microsoft. The information in this post is my thoughts and not those of Microsoft, or any other company. Unless said company read my mind and placed some thoughts there… I should buy a Dell… 🙂

The content in this post belongs to Sean Metcalf and may not be used for any purpose without express written consent by him.

Also, NOTHING in these posts will get you to pass and become a Microsoft Certified Master (MCM).  Only your knowledge & experience and internal motivation to be the best will do that. Sure, you can glean some ideas that will help you prepare, but the MCM Program doesn’t teach to the test. You are tested on potentially anything and EVERYTHING that is Active Directory related (check the pre-reading list for topic coverage). The tests are extremely difficult. You are expected to be at the top of your game to pass.

Also, I use both “Active Directory” and “Directory Services” interchangeably. The official certification is Microsoft Certified Master Directory Services (Windows Server 2008 R2).
This post is part 1 of 2. Looking for part 2?  My Journey to Become a Microsoft Certified Master (MCM) Part 2: The MCM Program

The Journey Begins:

Years ago I heard about the Microsoft Ranger program which started with an internal Microsoft group of Exchange experts (Yes, I think I will name drop here: I worked closely with Ross Smith for a while many years ago). This program grew into what is now the Microsoft Certified Master (MCM) & Microsoft Certified Architect (MCA) programs. I did consider the MCM a few years ago when it was 3 weeks long, but I couldn’t get over a few psychological barriers:  Have I worked on large enough environments? Did I know enough? Am I good enough? Three weeks is a really long time…

In early 2011, my close friend, De, challenged me with an email stating simply:

I see your future… And the future looks bright…  So what’s stopping you?
Yeah.. so anyway. What can I do to help you begin preparing for the MCM? Or what can I do to help ENCOURAGE you to prepare for your MCITP Enterprise Administrator? whichever…

In the email was a link to the MCM Program. I looked it over and remember saying to myself (because occasionally I say stuff to me & vice versa), “yes in good time”.  At that point, I still hadn’t become an MCITP, which meant I was a tad behind.
<SmallAmountOfBoasting> I mean when I picked up MCSE in 1997, I took and passed all of the required 6 tests in 6 weeks. I was a bit lazier on the Windows 2000 MCSE and spent a few months on that taking all the necessary tests to pick up the new MCSE title without the upgrade tests. The Windows 2003 MCSE seemed to take up the better part of a year due to my certification lack of focus and stubborn resistance to taking upgrade exams. Maybe that’s part of the challenge for me – doing the whole thing from scratch, forcing myself to understand the nuances from OS to OS… I digress. </SmallAmountOfBoasting>

So, in March of 2011, I committed to myself & my good friend De that I would pass all the necessary tests to become a MCITP:EA by the end of May. Oh, one other thing I forgot to mention, I had 1 year old triplets in the house at that time, so doing anything like going off in a corner to read & study was a challenge. Apparently, that’s what I needed. A good challenge. I passed the requisite 5 tests in 4 weeks (I took 2 on the first Saturday) and had achieved my goal of MCITP ahead of time as well as busting my previous personal Microsoft test-taking record.

About a month after the MCM email from my buddy D, I replied back with the link to the MCM program.

So, I think it is about time for me to step up to the big league.

At that point, I embarked on a journey towards an industry advanced certification (Microsoft Certified Master, aka MCM) that about 600 people in the world have attained. I took this journey seriously and approached it like it was a black belt in martial arts. Or becoming a Jedi Master. I’ll go with the latter.

With the MCITP:EA behind me, I looked forward to TechEd in May 2011 joined by my faithful sidekick— er, I mean best buddy, ol’ pal De. While perusing the schedule of wall to wall sessions I couldn’t possibly attend unless I somehow figured out how to clone myself (and that didn’t work out so well for Michael Keaton), although I do like pizza and the number 7…
Where was I…. Oh yeah. I discovered a small side-session off in the corner set up as a group discussion about the MCM program. They had me at MCM…

TECHED 2011
I ventured into the small session room along with about 20-30 other people interested in getting more information about the, at that time, effectively secret society known as the Microsoft Certified Masters.

This session was hosted by none other than David Burjam-Burr, Program Manager of the Exchange Masters program. I sat up front, notebook ready. I learned some fascinating tidbits which also sounded a little frightening.

Here they are (all Exchange MCM related):

  • MCM became official in 10/2008 (which is when it was placed under Microsoft Learning)
  • ~4 rotations per year with about 20-30 people per rotation.
  • 3 weeks, Monday – Friday
  • Daily Agenda: 8am – 6pm + studying + homework
  • 3rd week: Friday & Saturday is final testing.
  • Qualification Lab = 6-8 hours long + lunch
  • Know the RFCs (SMTP, IMAP, POP, etc)
  • Exchange practice lab environment: On Premise + Cloud, 6 sites (networks), Multiple Orgs, multiple TMG firewalls

Screening Process:

  • Experience
  • Years at Senior Level
  • 750,000 seat deployment (Sean’s note: WOW.)
  • Register about 6 months prior to desired rotation

At least that’s what I found when reading through my chicken-scratch. It may be different by now, or not.

Needless to say, not much regarding the AD (Directory Services) stuff which I was most interested in. I think there were 1, maybe 2, other people in the room interested in the AD MCM. Oh, here’s another note to make one feel more confident about the MCM path (yes, sarcasm): there was one MCM in the room and he didn’t pass until the 3rd test (2 retakes)! Talk about a confidence booster!

After the session I scoured the Microsoft Q&A areas attempting to seek out an MCM to ask all the MCM DS questions I had preventing me from thinking about anything else. I found one & De and I cornered him, though we were shortly humbled by his MCM-level knowledge.

Reminds me a little of a story about a couple of DJs that used to broadcast in the DC Area (Don & Mike) and a former Super Bowl winning Quarterback & Hall of Famer named Joe Theismann. They were out playing golf one day and Don & Mike were giving Joe a hard time about his golf game (as I understood it, Joe was/is the consummate competitor and was having an off day). Joe spun around at the 12th hole and got in their faces and said “Tell you what, when you have one of these you can talk sh$# until then shut the F#$$ up and play some golf”. This was said quite forcefully as he held up the oversized, diamond encrusted Super Bowl XVII ring in their faces. As I understand it, the rest of the game was rather quiet until D&M bought all the rounds at the 19th hole. Or nothing like that may have ever happened… but it makes a good story. In other words, when you have reached a level in your career, you have no need to say anything. The “Master” was gracious enough to entertain our questions and I learned the following tidbit:

Each test question takes about 2-3 hours to develop and is tested by special “test psychologists” (Psychometricians https://en.wikipedia.org/wiki/Psychometrics). These test specialists ensure that someone who is expert at taking tests can’t pass without knowing the answer. Tough tests indeed.

I walked out of the Atlanta Convention Center that day with a new challenge.  A new purpose. I told my lovely wife that I was going to go to the MCM Directory Services program less than a year later, April 2012 (it was later moved to February). The gracious person that she is, simply said “sure, we’ll talk about it later.” Later involved me reasoning why I could go in October, mere months away. My determination kept my excitement level up as well as my ambition to become a Master.

Application Time!

I spent May & June preparing an application package for the program (many apply, not all are accepted).

The pre-requisites for the application are:
