AD Forest Recovery - Invalidating the current RID pool

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

Use the following procedure to use Windows PowerShell to invalidate the current RID pool on a domain controller. Windows PowerShell is enabled by default on Windows Server 2012 and Windows Server 2008 R2, but not on Windows Server 2008, where it must be installed by using Add Features. It can be downloaded to run on Windows Server 2003.

To verify that the command completed successfully, check for event ID 16654 (source is Directory-Services-SAM) in the System log in Event Viewer in Windows Server 2012. Earlier versions of Windows do not log this event.


After you invalidate the RID pool, you will receive an error when you first attempt to create a security principal (user, computer, or group). The attempt to create an object triggers a request for a new RID pool. A retry of the operation succeeds because the new RID pool will be allocated.

To invalidate the current RID pool

  • Open an elevated Windows PowerShell session, run the following command and press ENTER:

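    # Bind to the current domain and read its SID
    $Domain = New-Object System.DirectoryServices.DirectoryEntry
    $DomainSid = $Domain.objectSid
    # Bind to RootDSE with the property cache disabled so the write is sent immediately
    $RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $RootDSE.UsePropertyCache = $false
    # Write the domain SID to the invalidateRidPool operational attribute
    $RootDSE.Put("invalidateRidPool", $DomainSid.Value)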
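
One way to script the verification described above. This is an added example, not part of the original procedure. It assumes the ActiveDirectory module is installed and that it runs on the domain controller whose pool was invalidated. `$Since`, `Get-RidPoolState`, and the use of the RID Set attributes `rIDAllocationPool` and `rIDNextRID` are choices made for this example and do not appear on the page.

```powershell
# Added example; run in an elevated session on the DC where the pool was invalidated.
# Requires the ActiveDirectory module; $Since is an assumed look-back window.
Import-Module ActiveDirectory
$Since = (Get-Date).AddHours(-1)

function Get-RidPoolState {
    # Read this DC's RID Set object and split the 64-bit pool value:
    # high 32 bits = last RID in the pool, low 32 bits = first RID.
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                  -Server $dc.HostName `
                  -Properties rIDAllocationPool, rIDNextRID
    [int64]$low = 0
    $high = [Math]::DivRem([int64]$ridSet.rIDAllocationPool, [int64]4294967296, [ref]$low)
    New-Object PSObject -Property @{
        DomainController = $dc.HostName
        PoolStart        = $low
        PoolEnd          = $high
        NextRid          = $ridSet.rIDNextRID
    }
}

# Event ID 16654 in the System log, matched on the source named in the text above.
# Get-WinEvent reports an error when nothing matches, so that case is handled explicitly.
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'System'; Id = 16654; StartTime = $Since
          } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Directory-Services-SAM' }

if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
} else {
    Write-Warning "No event 16654 since $Since. Windows versions earlier than Server 2012 do not log it."
}

# Pool boundaries on this DC. Capture once before and once after the retried
# create operation to confirm that a new pool was allocated.
Get-RidPoolState | Format-List
```

On versions that do not log event 16654, comparing the `Get-RidPoolState` output from before the invalidation with the output after the retried create operation is the remaining check in this example.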

Next Steps