kmohaan, Dec 17, 2008, to Exchange User Group
Relative Identifier Master:
The relative identifier (RID) master is a domainwide operations master
role. The RID master is responsible for allocating sequences of unique
RIDs to each domain controller in its domain and for moving objects
from one domain to another.
You can create a new security principal object (user, group, or
computer) on any domain controller. When you create a security
principal object, the domain controller attaches a unique Security ID
(SID) to the object. There are four elements of a domain SID, one of
which is the RID for the domain.
The following table describes the elements of the domain SID
S-1-5-Y1-Y2-Y3-Y4.
Elements of a Security Identifier (SID)
SID element : Description
S-1 : Indicates a revision 1 SID. At this time 1 is the only SID
revision in use.
5 : Indicates the issuing agency or issuing authority. A 5 always
indicates Windows NT, Windows 2000 Server, or Windows Server 2003
domains. Note that a well-known SID may use a 1 or 0 as the issuing
identity to signify that it is a well-known SID.
Y1-Y2-Y3 : The domain identifier portion of the SID. This is the same
for every security principal object created in that domain.
Y4 : The relative ID (RID) for the domain, which represents a user name
or group. This is obtained from the RID pool on a domain controller at
the time the object is created.
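The split described in the table, as an added example that is not part of the original post: a PowerShell function that breaks a SID string into revision, issuing authority, domain identifier and RID, with .NET's SecurityIdentifier class used only to validate the syntax. The sample SIDs are constructed; because real domain SIDs have the S-1-5-21-... layout, everything between the issuing authority and the final RID is treated as the domain identifier (the table's Y1-Y2-Y3 portion).

```powershell
# Added example (not part of the original post): split a SID string into the
# elements described in the table above. Sample SIDs below are constructed.

function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    # Let .NET validate the syntax first; the constructor throws on a malformed SID.
    $sidObject = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid

    $parts = $Sid.Split('-')     # "S", revision, issuing authority, sub-authorities...
    $subAuthorities = @()
    if ($parts.Count -gt 3) { $subAuthorities = @($parts[3..($parts.Count - 1)]) }

    # The last sub-authority is the RID (Y4); everything between the issuing
    # authority and the RID identifies the domain (Y1-Y2-Y3 in the table; real
    # domain SIDs carry a leading 21 sub-authority, which is included here).
    $domainIdentifier = $null
    $rid = $null
    if ($subAuthorities.Count -ge 1) {
        $rid = [uint32]$subAuthorities[-1]
        if ($subAuthorities.Count -ge 2) {
            $domainIdentifier = $subAuthorities[0..($subAuthorities.Count - 2)] -join '-'
        }
    }

    [pscustomobject]@{
        Sid              = $Sid
        Revision         = [int]$parts[1]
        IssuingAuthority = [int]$parts[2]    # 5 = Windows NT authority, per the table
        DomainIdentifier = $domainIdentifier
        Rid              = $rid
        IsDomainAccount  = $sidObject.IsAccountSid()   # false for well-known SIDs such as S-1-1-0
    }
}

function Test-SameDomain {
    # True only when both SIDs carry a domain identifier and it matches.
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    $a = ConvertFrom-SidString $SidA
    $b = ConvertFrom-SidString $SidB
    return ($null -ne $a.DomainIdentifier) -and ($a.DomainIdentifier -eq $b.DomainIdentifier)
}

# Constructed sample values: two principals from one domain plus the well-known Everyone SID.
$userSid  = 'S-1-5-21-3623811015-3361044348-30300820-1104'
$groupSid = 'S-1-5-21-3623811015-3361044348-30300820-1105'
$everyone = 'S-1-1-0'

ConvertFrom-SidString $userSid  | Format-List
ConvertFrom-SidString $everyone | Format-List
"Same domain (user, group): $(Test-SameDomain $userSid $groupSid)"
"Same domain (user, Everyone): $(Test-SameDomain $userSid $everyone)"
```

The user and group SIDs differ only in the final RID, so Test-SameDomain reports them as one domain; the Everyone SID has no domain portion at all, which the function reports as a null DomainIdentifier rather than guessing.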
RID Allocation:
Domain controllers running Windows 2000 and Windows Server 2003 have a
shared RID pool. The RID operations master is responsible for
maintaining a pool of RIDs to be used by the domain controllers in its
domain and for providing groups of RIDs to each domain controller when
necessary. When a new domain controller running Windows 2000 or
Windows Server 2003 is added to the domain, the RID master allocates a
batch of approximately 500 RIDs from the domain RID pool to that
domain controller. Each time a new security principal is created on a
domain controller, the domain controller draws from its local pool of
RIDs and assigns one to the new object. When the number of RIDs in a
domain controller’s RID pool falls below approximately 100, that
domain controller submits background requests (by means of RPC) for
additional RIDs from the domain’s RID master. The RID master allocates
a block of approximately 500 RIDs from the domain’s RID pool to the
pool of the requesting domain controller.
The RID master does not actually maintain a pool of numbers. Rather,
it maintains the highest value of the last range it allocated. When a
new request is received, it increments that value by one to establish
the low value in the new RID pool and then adds four hundred and
ninety nine to establish the new maximum value. It sends these two
values to the requesting domain controller to use as its next
allocation of RIDs.
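The allocation rules in the two paragraphs above, as an added simulation that is not part of the original post. The block size (500) and the refresh threshold (100) are the post's approximate figures; the RID master's starting value, the DC names and the hashtable bookkeeping are constructed, and the mapping of the simulated pools onto the post's RidPreviousAllocationPool, RidAllocationPool and RidNextRid attributes follows the post's own descriptions of them.

```powershell
# Added example (not part of the original post): a small simulation of the
# allocation rules described above. The block size (500) and the refresh
# threshold (100) are the post's approximate figures; the RID master's starting
# value and the DC names are constructed.

function Request-RidBlock {
    # What the post says the RID master does: it keeps only the highest value it
    # last handed out, so low = last max + 1 and high = low + 499.
    param([Parameter(Mandatory)][hashtable]$Master, [int]$BlockSize = 500)
    $low  = $Master.HighestAllocated + 1
    $high = $low + ($BlockSize - 1)
    $Master.HighestAllocated = $high
    return @{ Low = $low; High = $high }
}

function New-SimulatedDc {
    # A DC joins the domain and immediately receives its first block.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][hashtable]$Master)
    $first = Request-RidBlock -Master $Master
    return @{
        Name    = $Name
        Current = $first       # pool being drawn from (the post's RidPreviousAllocationPool)
        Standby = $null        # pool obtained for later use (the post's RidAllocationPool)
        NextRid = $first.Low   # next free RID in the current pool (the post's RidNextRid)
    }
}

function New-SimulatedPrincipal {
    # Creating a security principal consumes one RID from the DC's local pool and,
    # once fewer than $RefreshThreshold remain, triggers a background request.
    param([Parameter(Mandatory)][hashtable]$Dc, [Parameter(Mandatory)][hashtable]$Master,
          [int]$RefreshThreshold = 100)

    if ($Dc.NextRid -gt $Dc.Current.High) {
        # Current pool exhausted: switch to the standby pool if one was obtained,
        # otherwise object creation fails (the situation behind events 16645/16650).
        if ($null -eq $Dc.Standby) { throw "$($Dc.Name): local RID pool is empty and no new pool was obtained" }
        $Dc.Current = $Dc.Standby
        $Dc.Standby = $null
        $Dc.NextRid = $Dc.Current.Low
    }

    $rid = $Dc.NextRid
    $Dc.NextRid = $rid + 1

    $remaining = $Dc.Current.High - $Dc.NextRid + 1
    if ($remaining -lt $RefreshThreshold -and $null -eq $Dc.Standby) {
        $Dc.Standby = Request-RidBlock -Master $Master
    }
    return $rid
}

# Constructed scenario: the master has already handed out everything up to 999.
$master = @{ HighestAllocated = 999 }
$dc1 = New-SimulatedDc -Name 'DC1' -Master $master
$dc2 = New-SimulatedDc -Name 'DC2' -Master $master

# DC1 creates 550 principals: enough to trigger a refresh and then roll into the new block.
$rids = 1..550 | ForEach-Object { New-SimulatedPrincipal -Dc $dc1 -Master $master }

"{0}: first RID {1}, last RID {2}" -f $dc1.Name, $rids[0], $rids[-1]
"{0}: current pool {1}-{2}, next free RID {3}" -f $dc1.Name, $dc1.Current.Low, $dc1.Current.High, $dc1.NextRid
"{0}: current pool {1}-{2}" -f $dc2.Name, $dc2.Current.Low, $dc2.Current.High
"RID master: highest value handed out so far {0}" -f $master.HighestAllocated
```

With this starting point the master hands DC1 the block starting at 1000 and DC2 the next block of 500; DC1's background refresh fires as soon as its remaining count drops below 100, so by the time its first block is used up the standby block is already in hand and the 501st principal is created without contacting the master again. Remove the refresh (set a threshold of 0) and the 501st creation throws, which is the failure the post describes next.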
If a domain controller’s local RID pool is empty, and it cannot
contact the domain’s RID master to request additional RIDs, the domain
controller will log event ID 16645, indicating that the maximum
account identifier allocated to the domain controller has been
assigned and the domain controller has failed to obtain a new
identifier pool from the RID master. Likewise, when attempting to add
new objects in Active Directory, such as users, computers, or domain
controllers, you might notice event ID 16650 in the System log
indicating that the object cannot be created because the directory
service was unable to allocate a relative identifier. Network
connectivity to the RID master might have been lost or the RID master
might have been removed from the network. In any case, you cannot
create new security principal objects on the domain controller until
RID pool acquisition is successful.
Cross-Domain Moves:
Migrating Active Directory objects from one domain to another requires
the availability of the RID master. You can only move an object out of
its domain if the domain’s RID master can be contacted. Requiring that
objects be moved from one domain to another by using the RID master
prevents Active Directory from creating two objects in different
domains with the same unique identifier. This might happen if one
object is moved from two domain controllers simultaneously to two
different domains.
You can use the Active Directory Migration Tool (ADMT) to perform
intraforest migrations of domain objects from one domain (the source
domain) to another (the target domain). The RID master must be online
and available in the source domain for ADMT to migrate successfully.
If the RID master is unavailable, cross-domain migration of Active
Directory objects will fail.
RID Attributes in Active Directory:
The following are RID-related attributes in Windows Server 2003 Active
Directory:
FsmoRoleOwner:
DN path: CN=RID Manager$,CN=System,DC=<domain>,DC=com
This attribute points to the Domain Name path for the current RID
master’s NTDS Settings object according to the domain controller that
is being queried.
RidAvailablePool:
DN path: CN=RID Manager$,CN=System,DC=<domain>,DC=com
This attribute defines the global RID space from which RID pools are
allocated to the RID master.
RidAllocationPool:
DN path: CN=Rid Set,CN=<computername>,OU=domain
controllers,DC=<domain>,DC=com
Each domain controller has two RID pools: the one that it is
currently allocating from, and the pool that it will use next. This
attribute defines the RID pool that will be used in the domain when
the current RID pool is exhausted.
RidNextRid:
DN path: CN=Rid Set,CN=<computername>,OU=domain
controllers,DC=<domain>,DC=com
This attribute defines the next free RID in the current allocation
pool, which is assigned to the next security principal created on the
local domain controller. RidNextRid is a non-replicated value in
Active Directory.
RidPreviousAllocationPool:
DN path: CN=Rid Set,CN=<computername>,OU=domain
controllers,DC=<domain>,DC=com
This attribute defines the RID pool from which the RID master actually
allocates. The value for RidNextRid is implicitly a member of
this pool.
RidUsedPool:
DN path: CN=Rid Set,CN=<computername>,OU=domain
controllers,DC=<domain>,DC=com
This attribute defines the RID pools that have been used by a domain
controller.
NextRid:
DN path: DC=<domain>,DC=com
This attribute defines the next RID field used by the RID master.
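A pool health check built on the attributes listed above and on the event IDs from the "RID Allocation" section, as an added example that is not part of the original post. The 64-bit encoding it decodes (low 32 bits hold the start or next RID of a range, high 32 bits hold the end) is the layout Microsoft documents for rIDAvailablePool and rIDAllocationPool; the functions, the "standby in hand" heuristic, the 0x3FFFFFFF upper bound used in the sample and the sample values themselves are assumptions of this example. The live query function needs the ActiveDirectory module and is not invoked by default, so the block runs offline.

```powershell
# Added example (not part of the original post): decode the 64-bit values stored
# in the attributes listed above and report how many RIDs remain, the check to run
# before a DC reaches the situation behind events 16645 and 16650. The bit layout
# (low 32 bits = start or next RID, high 32 bits = end of the range) is how
# Microsoft documents these attributes; the functions themselves are this
# example's own and the sample values are constructed.

function ConvertFrom-RidPoolValue {
    param([Parameter(Mandatory)][int64]$Value)
    [pscustomobject]@{
        Raw   = $Value
        Start = [int64]($Value -band 0xFFFFFFFF)   # low 32 bits
        End   = [int64]($Value -shr 32)            # high 32 bits
    }
}

function ConvertTo-RidPoolValue {
    # Inverse of the above; used here only to build constructed sample values.
    param([Parameter(Mandatory)][int64]$Start, [Parameter(Mandatory)][int64]$End)
    return ($End -shl 32) -bor $Start
}

function Get-RidPoolStatus {
    param(
        [Parameter(Mandatory)][int64]$AvailablePool,           # rIDAvailablePool on CN=RID Manager$
        [Parameter(Mandatory)][int64]$AllocationPool,          # rIDAllocationPool on the DC's RID Set
        [Parameter(Mandatory)][int64]$PreviousAllocationPool,  # rIDPreviousAllocationPool (pool in use)
        [Parameter(Mandatory)][int64]$NextRid,                 # rIDNextRID (next free RID)
        [int]$LowWaterMark = 100                               # the post's refresh threshold
    )
    $global  = ConvertFrom-RidPoolValue $AvailablePool
    $standby = ConvertFrom-RidPoolValue $AllocationPool
    $current = ConvertFrom-RidPoolValue $PreviousAllocationPool
    $localRemaining = $current.End - $NextRid + 1
    # Heuristic (assumption): a standby pool counts as "in hand" only when it lies
    # beyond the pool in use; otherwise both attributes describe the same range.
    $standbyInHand = $standby.Start -gt $current.End

    [pscustomobject]@{
        DomainRidsRemaining = $global.End - $global.Start + 1
        CurrentPool         = '{0}-{1}' -f $current.Start, $current.End
        NextFreeRid         = $NextRid
        LocalRidsRemaining  = $localRemaining
        StandbyPool         = '{0}-{1}' -f $standby.Start, $standby.End
        StandbyInHand       = $standbyInHand
        Warning             = ($localRemaining -lt $LowWaterMark) -and (-not $standbyInHand)
    }
}

function Get-RidPoolStatusFromAd {
    # Live version: reads the same attributes with the ActiveDirectory module
    # (needs rights to read CN=RID Manager$ and the DC's RID Set object).
    param([string]$DcName = $env:COMPUTERNAME)
    $domainDn = (Get-ADDomain).DistinguishedName
    $manager  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDn" -Properties rIDAvailablePool
    $ridSet   = Get-ADObject -Identity "CN=RID Set,CN=$DcName,OU=Domain Controllers,$domainDn" `
                             -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    Get-RidPoolStatus -AvailablePool $manager.rIDAvailablePool -AllocationPool $ridSet.rIDAllocationPool `
                      -PreviousAllocationPool $ridSet.rIDPreviousAllocationPool -NextRid $ridSet.rIDNextRID
}

function Get-RidExhaustionEvents {
    # The two event IDs the post names, read from this machine's System log.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16645, 16650; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
}

# Constructed sample: the domain has handed out RIDs up to 2499 (0x3FFFFFFF is assumed
# as the upper bound of the global pool), the DC is drawing from 1500-1999 with 1950 as
# its next free RID, and 2000-2499 is already standing by.
Get-RidPoolStatus `
    -AvailablePool          (ConvertTo-RidPoolValue -Start 2500 -End 0x3FFFFFFF) `
    -AllocationPool         (ConvertTo-RidPoolValue -Start 2000 -End 2499) `
    -PreviousAllocationPool (ConvertTo-RidPoolValue -Start 1500 -End 1999) `
    -NextRid 1950 | Format-List
```

On a domain controller, Get-RidPoolStatusFromAd reports the same fields from the live attributes, and Get-RidExhaustionEvents lists any recent 16645/16650 events; a Warning of True (fewer than 100 local RIDs left and no standby block) is the condition to investigate before the DC stops creating security principals, usually by checking connectivity to the server named in (Get-ADDomain).RIDMaster.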