Follow me and learn Windows Server 2012 – Relative ID (RID) Improvements

Hi, it is Bruce again! With the release of Windows Server 2012 we all have to start learning the new features of the product. So tonight I am studying the RID improvements. Below are some resources to bring you up to speed at the same time.

These improvements have been needed for quite some time. We now finally have a way to handle RID Pool exhaustion. Some cool things we added:

  • Alert when you start to run out of RIDs
  • A soft ceiling to allow administrators to take action before they run out
  • Double the number of RIDs available

Relative ID (RID) Improvements

The following RID improvements in Windows Server 2012 provide greater ability to react to any potential exhaustion of the global RID pool space:

  • Periodic RID consumption warning
    • At 10% of remaining global space, the system logs an informational event
      • First event at 100,000,000 RIDs used, second event logged at 10% of remainder
        • Remainder = 900,000,000
        • 10% of remainder = 90,000,000
      • Second event logged at 190,000,000
        • Existing RID consumption plus 10% of remainder
    • Events become more frequent as the global space is further depleted
  • RID Manager artificial ceiling protection mechanism
    • A soft ceiling that is 90% of the global RID space and is not configurable
    • The soft ceiling is deemed "reached" when a RID pool containing the 90% RID is issued
    • Blocks further allocations of RID pools
      • When the ceiling is reached, the system sets the msDS-RIDPoolAllocationEnabled attribute of the RID Manager$ object to FALSE. An administrator must set it back to TRUE to override.
    • Log an event indicating that the ceiling is reached
      • An initial warning is logged when the global RID space reaches 80%
    • The attribute can only be set to FALSE by the SYSTEM and is mastered by the RID master (for example, write it against the RID master)
      • A Domain Admin can set it back to TRUE

Note: It is set to TRUE by default

  • Increased the global RID space per domain, doubling the number of security principals that can be created throughout the lifetime of a domain from 1 billion to 2 billion.
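
The warning schedule and the 80%/90% ceiling checks described above, as an added Python model that is not from the original post or from Microsoft. It defaults to the page's rounded 1,000,000,000 space; the rIDAvailablePool decoding (high 32 bits = size of the global space, low 32 bits = RIDs issued) is not on the page, and the sample value is constructed.

```python
# Added example (not from the original post): RID warning schedule and ceiling.
GLOBAL_SPACE = 1_000_000_000  # the page's rounded figure for the global space


def warning_thresholds(total=GLOBAL_SPACE):
    """RID counts at which a consumption event is logged.

    Each event fires at current consumption plus 10% of the remainder.
    The list stops at the 90% soft ceiling (a cutoff chosen for this example).
    """
    ceiling = total * 90 // 100
    used, marks = 0, []
    while True:
        used += (total - used) // 10
        if used >= ceiling:
            return marks
        marks.append(used)


def decode_rid_available_pool(value):
    """Split a 64-bit rIDAvailablePool value into (issued, total).

    Assumption beyond the page: high 32 bits hold the size of the global
    space, low 32 bits the number of RIDs already issued.
    """
    return value & 0xFFFFFFFF, value >> 32


def rid_status(issued, total=GLOBAL_SPACE):
    """Classify consumption against the 80% warning and 90% soft ceiling."""
    if issued >= total * 90 // 100:
        return "ceiling reached: msDS-RIDPoolAllocationEnabled set to FALSE"
    if issued >= total * 80 // 100:
        return "warning: 80% of global RID space consumed"
    return "ok"


if __name__ == "__main__":
    print(warning_thresholds()[:5])
    # Constructed sample value: 870,000,000 issued out of 1,073,741,823.
    sample = (1_073_741_823 << 32) | 870_000_000
    issued, total = decode_rid_available_pool(sample)
    print(issued, total, rid_status(issued, total))
```

The shrinking gaps between successive thresholds are what makes the events more frequent as the space is depleted.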

Managing RID Issuance

New features in Active Directory Domain Services in Windows Server 2012, Part 14: RID improvements