Managing RID Issuance in Windows Server 2012

By default, a domain has capacity for roughly one billion security principals, such as users, security groups, managed service accounts, and computers. If you run out, you can’t create any more.

There aren’t any domains with that many active objects, of course, but we’ve seen:

  • Provisioning software or administrative scripts accidentally bulk created users, groups, and computers
  • Many unused security and distribution groups created by delegated users
  • Many domain controllers demoted, restored, or metadata cleaned
  • Forest recoveries with an inappropriately set lower RID pool
  • The InvalidateRidPool operation performed too frequently
  • The RID Block Size registry value increased incorrectly

All of these situations use up RIDs unnecessarily, often by mistake. Over many years, a few environments ran out of RIDs and this forced customers to migrate to a new domain or revert with domain and forest recoveries.

Windows Server 2012 addresses issues with RID allocation that have become more likely with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to – in an emergency – increase the overall RID pool allocation by one bit.

See http://blogs.technet.com/b/askds/archive/2012/08/10/managing-rid-issuance-in-windows-server-2012.aspx for the remainder of this blog post by Ned Pyle.