How many RIDs are left in your domain?


Are you in danger of running out of relative identifiers (RIDs) in your domain? If you have not heard of this before, you should see Active Directory Maximum Limits - Scalability and read the section Maximum Number of Security Identifiers. Then, come back here to see how to check out how many RIDs remain to be assigned in your domain.

Update: Ned Pyle recently wrote on the Ask the Directory Services Team blog about Managing RID Pool Depletion. This is another great reference for learning about RIDs and RID consumption before you try the procedures listed here.

From a command prompt running on a domain controller, run the following command:

dcdiag /test:ridmanager /v | find /i "available RID"

That will display something like the following:

* Available RID Pool for the Domain is 12100 to 1073741823

You can add the switch /s:hostname (where hostname is the actual name of the domain controller) to run the command remotely. Alternately, try /s:%userdnsdomain% to connect to an available domain controller in your domain. Thanks to Dean Wells for this information.

What do you do with that information? Subtract the first number from the second and you will have the number of unique RIDs left in the global pool that can be assigned in your domain. Do not wait until the two numbers match before you make a plan to migrate to a new domain or add another domain.

You can also determine the number of RIDs that remain by using LDP. The basic steps are below:

  1. Open LDP, connect to a domain controller in the domain you want to check, and bind as a domain user.
  2. Open Tree View (View Menu) and select CN=System,YourDomainDistinguishedName.
  3. Expand the System container and double-click the RID Manager$ account record.
  4. Locate the rIDAvailablePool attribute in the RID Manager$ record.
  5. Copy the integer you see there and paste it into the Large Integer Converter (Utilities menu).
  6. Click Run. The High Part represents the total number of RIDs that can be assigned in a domain. The Low Part represents the first RID in the next RID block that will be assigned.
  7. You can subtract the Low Part from the High Part to determine the number of RIDs you have remaining that can be assigned to security principals in your domain. This is not an exact number because RIDs are assigned in blocks of 500, by default. So the real number remaining is the number of RIDs left unassigned by each domain controller (up to 500 each) plus the number that you determine are left to be assigned by the RID Manager.
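The arithmetic behind both methods above (the dcdiag line and the LDP Large Integer Converter), as an added example that is not part of the original post: rIDAvailablePool is a 64-bit value whose upper 32 bits are the High Part and lower 32 bits are the Low Part. The dcdiag line and the rIDAvailablePool value below are constructed to match the figures quoted in the post; the 80% warning threshold is an assumption, not something the post specifies.

```python
import re

RID_BLOCK_SIZE = 500  # default block of RIDs the RID Manager hands to each DC (per the post)

# Constructed sample input: the dcdiag line quoted in the post.
DCDIAG_LINE = "* Available RID Pool for the Domain is 12100 to 1073741823"

# Constructed rIDAvailablePool value, built to match that line:
# upper 32 bits (High Part) = 1073741823, lower 32 bits (Low Part) = 12100.
RID_AVAILABLE_POOL = (1073741823 << 32) | 12100


def parse_dcdiag(output):
    """Return (next_rid, max_rid) from 'dcdiag /test:ridmanager /v' output."""
    m = re.search(r"Available RID Pool for the Domain is (\d+) to (\d+)", output)
    if not m:
        raise ValueError("no 'Available RID Pool' line in dcdiag output")
    return int(m.group(1)), int(m.group(2))


def split_large_integer(value):
    """Split rIDAvailablePool into (high_part, low_part), as LDP's Large Integer Converter does."""
    return value >> 32, value & 0xFFFFFFFF


def rids_remaining(low_part, high_part, dc_count=0, block_size=RID_BLOCK_SIZE):
    """RIDs the RID Manager can still allocate, plus an upper bound that adds the
    blocks (up to block_size each) the domain controllers may still hold locally."""
    global_pool = high_part - low_part
    return {
        "global_pool": global_pool,
        "upper_bound": global_pool + dc_count * block_size,
        "percent_consumed": round(100 * low_part / high_part, 4),
    }


def pool_status(low_part, high_part, warn_percent=80.0):
    """Monitoring verdict so depletion is planned for rather than discovered (threshold assumed)."""
    consumed = rids_remaining(low_part, high_part)["percent_consumed"]
    return "WARN" if consumed >= warn_percent else "OK"


if __name__ == "__main__":
    next_rid, max_rid = parse_dcdiag(DCDIAG_LINE)
    high, low = split_large_integer(RID_AVAILABLE_POOL)
    assert (low, high) == (next_rid, max_rid)  # both methods agree
    print(rids_remaining(low, high, dc_count=3))
    print(pool_status(low, high))
```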

Again, do not wait until you are out (or almost out) of RIDs in order to make a plan to migrate to a new domain or create another domain. Once the RID pool is exhausted and all the RIDs left in the domain controllers are assigned, you will not be able to create a trust relationship (since doing so creates a user account to maintain the trust). RIDs are not reused, so you cannot simply delete a bunch of user accounts to get out of the situation.

This posting is provided "AS IS" with no warranties, and confers no rights.