Follow me and learn Windows Server 2012 – Relative ID (RID) Improvements

Hi, it is Bruce again! With the release of Windows Server 2012 we all have to start learning the new features of the product. So tonight I am studying the RID improvements. Below are some resources to bring you up to speed at the same time.

These improvements have been needed for quite some time. We now finally have a way to handle RID Pool exhaustion. Some cool things we added:

  • Alert when you start to run out of RIDs
  • A soft ceiling to allow administrators to take action before they run out
  • Double the number of RIDs available

Relative ID (RID) Improvements

https://technet.microsoft.com/en-us/library/hh831477.aspx

The following RID improvements in Windows Server 2012 provide greater ability to react to any potential exhaustion of the global RID pool space:

  • Periodic RID consumption warning
    • At 10% of remaining global space, the system logs an informational event
      • First event at 100,000,000 RIDs used, second event logged at 10% of remainder
        • Remainder = 900,000,000
        • 10% of remainder = 90,000,000
      • Second event logged at 190,000,000
        • Existing RID consumption plus 10% of remainder
    • Events become more frequent as the global space is further depleted
  • RID Manager artificial ceiling protection mechanism
    • A soft ceiling that is 90% of the global RID space and is not configurable
    • The soft ceiling is deemed "reached" when a RID pool containing the 90% RID is issued
    • Blocks further allocations of RID pools
      • When the ceiling is reached, the system sets the msDS-RIDPoolAllocationEnabled attribute of the RID Manager$ object to FALSE. An administrator must set it back to TRUE to override.
    • Log an event indicating that the ceiling is reached
      • An initial warning is logged when the global RID space reaches 80%
    • The attribute can only be set to FALSE by the SYSTEM and is mastered by the RID master (for example, write it against the RID master)
      • Domain Admin can set it back to TRUE

Note: It is set to TRUE by default

  • Increased the global RID space per domain, doubling the number of security principals that can be created throughout the lifetime of a domain from 1 billion to 2 billion.
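
The thresholds listed above can be turned into a small health check for monitoring. This is an added example, not code from the TechNet article or this post. It assumes the rIDAvailablePool attribute of the RID Manager$ object packs the total space in its high 32 bits and the issued count in its low 32 bits, and that every later periodic event follows the same 10%-of-remainder rule as the second; the sample attribute value is constructed.

```python
# Added example: RID pool health check built from the thresholds listed above.
NOMINAL_SPACE = 1_000_000_000  # the page's round figure for the default global space
SOFT_CEILING_PCT = 90          # soft ceiling, not configurable
CEILING_WARN_PCT = 80          # initial warning before the ceiling

# Constructed sample value (not from a real domain): total 1,073,741,823, issued 870,000,000.
SAMPLE_RID_AVAILABLE_POOL = (1_073_741_823 << 32) | 870_000_000


def decode_rid_available_pool(value):
    """Return (issued, total). Assumed layout: high 32 bits total, low 32 bits issued."""
    value = int(value)  # LDAP clients usually hand large integers back as strings
    return value & 0xFFFFFFFF, value >> 32


def warning_checkpoints(total=NOMINAL_SPACE):
    """Consumption levels where the periodic event is logged, up to the soft ceiling.
    Assumption: every later event uses the same 10%-of-remainder rule as the second."""
    ceiling = total * SOFT_CEILING_PCT // 100
    level, points = total // 10, []
    while level < ceiling:
        points.append(level)
        level += (total - level) // 10
    return points


def assess(issued, total=NOMINAL_SPACE):
    """Classify consumption against the 80% warning and the 90% soft ceiling."""
    if issued * 100 >= total * SOFT_CEILING_PCT:
        state = "soft-ceiling"      # msDS-RIDPoolAllocationEnabled goes FALSE here
    elif issued * 100 >= total * CEILING_WARN_PCT:
        state = "ceiling-warning"
    else:
        state = "ok"
    points = warning_checkpoints(total)
    return {
        "state": state,
        "remaining": total - issued,
        "events_logged": sum(1 for p in points if p <= issued),
        "next_event_at": next((p for p in points if p > issued), None),
    }


if __name__ == "__main__":
    issued, total = decode_rid_available_pool(SAMPLE_RID_AVAILABLE_POOL)
    print(assess(issued, total))
    print(warning_checkpoints()[:4])
```

The shrinking gaps between checkpoints show why the events become more frequent as the space is depleted.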

Managing RID Issuance

https://technet.microsoft.com/en-US/library/jj574229

New features in Active Directory Domain Services in Windows Server 2012, Part 14: RID improvements

https://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-14-rid-improvements.aspx