Applies To: Windows Server 2008

Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a security identifier (SID). The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (one of the flexible single master operations, or FSMO, roles) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
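As an added example (not part of the original article), the following PowerShell function splits a SID into the domain prefix and RID the paragraph describes, and reports how far into the 30-bit RID space that RID sits. The sample SID is constructed; the function works on any domain account SID of the form S-1-5-21-....

```powershell
# Added example, not from the TechNet article.
# Decompose a SID into its domain prefix and RID using the .NET SecurityIdentifier
# class, and report the RID's position within the 30-bit RID space.

function Split-Sid {
    param([Parameter(Mandatory=$true)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # AccountDomainSid is the S-1-5-21-<a>-<b>-<c> domain prefix.
    # It is $null for well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators).
    $domainSid = $sid.AccountDomainSid
    if ($domainSid -eq $null) {
        throw "$SidString is not a domain account SID (no domain prefix)."
    }

    # The RID is the final sub-authority of the string form.
    $rid    = [uint32]($SidString.Split('-')[-1])
    $maxRid = [uint32]1073741824   # 2^30, the per-domain RID ceiling the article states

    New-Object PSObject -Property @{
        Sid             = $SidString
        DomainSid       = $domainSid.Value
        Rid             = $rid
        RidSpaceUsedPct = [math]::Round(100 * $rid / $maxRid, 6)
    }
}

# Constructed sample SID: a user with RID 1105 in a fictional domain.
# Expected: DomainSid S-1-5-21-1004336348-1177238915-682003330, Rid 1105.
Split-Sid -SidString 'S-1-5-21-1004336348-1177238915-682003330-1105' | Format-List
```

The percentage is what a RID-exhaustion review cares about: the highest RID already issued in a domain, compared with the 2^30 ceiling, tells you how close the domain is to logging Event ID 16644.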

Event Details

Product: Windows Operating System
ID: 16644
Source: SAM
Version: 6.0
Message: The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.


Create a new domain

The Security Accounts Manager (SAM) cannot create additional accounts in this domain because all available relative IDs (RIDs) are used.

You can create a new domain in the existing forest to create new accounts. The new domain can be either a new domain tree or a child domain. If you have a large number of deleted accounts, you may choose to migrate all accounts to the new domain.

For instructions for creating a new domain, see Steps for Installing AD DS (http://go.microsoft.com/fwlink/?LinkId=109265).

For more information on this issue, see Microsoft Knowledge Base article 316201 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;316201).


When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. You can also use the dcdiag command to verify that the RID master has properly assigned a RID pool to a domain controller. To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To confirm a RID pool assignment to a domain controller

  1. Open a Command Prompt as an administrator on a domain controller in the domain you want to check. To do so, click Start. In Start Search, type Command Prompt, then right-click Command Prompt in the Start menu and select Run as administrator.
  2. Run the command dcdiag /test:ridmanager /v /f:%userprofile%\desktop\DCname_RIDpool.txt /s:DCname and press ENTER; substitute the name of the domain controller you want to test for each DCname in the command. This creates a diagnostic file on the Desktop of the current user, named for each domain controller tested.
  3. Open the file with Notepad or another text editor. To open the file with Notepad, type notepad %userprofile%\desktop\DCname_RIDpool.txt and press ENTER. If you do not have a text editor installed, you can run the command type %userprofile%\Desktop\DCname_RIDpool.txt | more to view one screen of information at a time, and use the SPACEBAR to advance one screen at a time through the file.

Look at the section of the file that reads “Starting test: RidManager.” If the domain controller received a RID allocation pool, the line that starts with “*rIDAllocationPool” should display a range of numbers; for example, “*rIDAllocationPool is 1100 to 1599.”
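The procedure above can be scripted. The following PowerShell is an added example, not part of the original article: it runs the same dcdiag RidManager test against one domain controller, parses the rIDAllocationPool line the article tells you to look for, and pulls the related SAM events (16648, pool allocated; 16644, the event this article covers) from the System log. It assumes dcdiag.exe is on the path, that the verbose output contains lines of the form "* rIDAllocationPool is X to Y", "* Available RID Pool for the Domain is X to Y" and "* rIDNextRID: N", and that SAM events are recorded in the System log under the provider name SAM.

```powershell
# Added example, not from the TechNet article.
# Assumptions: dcdiag.exe is available; the verbose RidManager output uses the
# "rIDAllocationPool is X to Y" line format quoted in the article; SAM events
# 16644/16648 are written to the System log with provider name "SAM".

function Get-RidPoolStatus {
    param([Parameter(Mandatory=$true)][string]$DcName)

    # Same test the article runs, captured in memory instead of written to a file.
    $lines = & dcdiag.exe /test:ridmanager /v /s:$DcName 2>&1 | ForEach-Object { "$_" }

    $result = New-Object PSObject -Property @{
        DomainController     = $DcName
        RidManagerTestPassed = [bool]($lines -match 'passed test RidManager')
        AllocationPoolStart  = $null
        AllocationPoolEnd    = $null
        NextRid              = $null
        DomainPoolStart      = $null
        DomainPoolEnd        = $null
    }

    foreach ($line in $lines) {
        if ($line -match 'rIDAllocationPool is (\d+) to (\d+)') {
            # The pool this DC is currently issuing RIDs from (e.g. 1100 to 1599).
            $result.AllocationPoolStart = [uint32]$Matches[1]
            $result.AllocationPoolEnd   = [uint32]$Matches[2]
        }
        elseif ($line -match 'Available RID Pool for the Domain is (\d+) to (\d+)') {
            # What the RID master still has left to hand out domain-wide.
            $result.DomainPoolStart = [uint32]$Matches[1]
            $result.DomainPoolEnd   = [uint32]$Matches[2]
        }
        elseif ($line -match 'rIDNextRID:\s*(\d+)') {
            $result.NextRid = [uint32]$Matches[1]
        }
    }

    # No parsed pool line means the DC never received an allocation or the test failed.
    if ($result.AllocationPoolStart -eq $null) {
        Write-Warning "$DcName reported no rIDAllocationPool line; check the RID master."
    }
    $result
}

function Get-RidEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)

    # 16648 = RID pool allocated to this DC; 16644 = global RID space exhausted.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'SAM'
        Id           = 16644, 16648
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (substitute your own domain controller name):
# Get-RidPoolStatus -DcName 'DC1' | Format-List
# Get-RidEvents -ComputerName 'DC1'
```

Reading the two ranges together is the useful check: a DC whose AllocationPoolStart to AllocationPoolEnd range is populated has its pool, while a shrinking "Available RID Pool for the Domain" upper bound approaching 2^30 is the early warning that Event ID 16644 is coming.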

RID Pool Request

