Managing RID Issuance

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the change to the RID master FSMO role, including the new issuance and monitoring functionality in the RID master and how to analyze and troubleshoot RID issuance.

More information is available at the AskDS Blog.

Managing RID Issuance

By default, a domain has capacity for roughly one billion security principals, such as users, groups, and computers. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:

  • Provisioning software or administrative scripts accidentally bulk created users, groups, and computers.

  • Many unused security and distribution groups were created by delegated users.

  • Many domain controllers were demoted, restored, or metadata cleaned.

  • Forest recoveries were performed.

  • The InvalidateRidPool operation was performed frequently.

  • The RID Block Size registry value was increased incorrectly.

All of these situations use up RIDs unnecessarily, often by mistake. Over many years, a few environments ran out of RIDs and this forced them to migrate to a new domain or perform forest recoveries.

Windows Server 2012 addresses issues with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability, in an emergency, to double the overall size of the global RID space for a domain.

Periodic Consumption Warnings

Windows Server 2012 adds global RID space event tracking that provides early warning when major milestones are crossed. The model computes the ten (10) percent used mark in the global pool and logs an event when it is reached. Then it computes the next ten percent used of the remaining pool, and the event cycle continues. As the global RID space is exhausted, events will accelerate as ten percent hits faster in a decreasing pool (but event log dampening will prevent more than one entry per hour). The System event log on every domain controller writes Directory-Services-SAM warning event 16658.

Assuming a default 30-bit global RID space, the first event logs when allocating the pool containing the 107,374,182nd RID. The event rate accelerates naturally until the last checkpoint of 100,000, with 110 events generated in total. The behavior is similar for an unlocked 31-bit global RID space: starting at 214,748,365 and completing in 117 events.

This event is not expected; investigate the user, computer, and group creation processes in the domain immediately. Creating more than 100 million AD DS objects is quite out of the ordinary.

RID Pool Invalidation Events

There are new event alerts that a local DC RID pool was discarded. These are Informational and could be expected, especially due to the new VDC functionality. See the event list below for details on the event.

RID Block Size Limit

Ordinarily, a domain controller requests RID allocations in blocks of 500 RIDs at one time. You can override this default using the following registry REG_DWORD value on a domain controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values  
RID Block Size  

Prior to Windows Server 2012, there was no maximum value enforced in that registry key, except the implicit DWORD maximum (which has a value of 0xffffffff or 4294967295). This value is considerably larger than the total global RID space. Administrators sometimes inappropriately or accidentally configured RID Block Size with values that exhausted the global RID space at a massive rate.

In Windows Server 2012, you cannot set this registry value higher than 15,000 decimal (0x3A98 hexadecimal). This prevents massive unintended RID allocation.

If you set the value higher than 15,000, the value is treated as 15,000 and the domain controller logs event 16653 in the Directory Services event log at every reboot until the value is corrected.

Global RID Space Size Unlock

Prior to Windows Server 2012, the global RID space was limited to 2^30 (or 1,073,741,823) total RIDs. Once that limit was reached, only a domain migration or forest recovery to an older timeframe allowed new SIDs to be created, which is disaster recovery by any measure. Starting in Windows Server 2012, the 2^31 bit can be unlocked in order to increase the global pool to 2,147,483,648 RIDs.

AD DS stores this setting in a special hidden attribute named SidCompatibilityVersion on the RootDSE context of all domain controllers. This attribute is not readable using ADSIEdit, LDP, or other tools. To see an increase in the global RID space, examine the System event log for warning event 16655 from Directory-Services-SAM or use the following Dcdiag command:

Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"  

If you increase the global RID pool, the available pool will change to 2,147,483,647 instead of the default 1,073,741,823. For example:

[Figure: RID Issuance]


This unlock is intended only to prevent running out of RIDs and is to be used only in conjunction with RID Ceiling Enforcement (see next section). Do not "preemptively" set this in environments that have millions of remaining RIDs and low growth, as application compatibility issues potentially exist with SIDs generated from the unlocked RID pool.

This unlock operation cannot be reverted or removed, except by a complete forest recovery to earlier backups.

Important Caveats

Windows Server 2003 and Windows Server 2008 domain controllers cannot issue RIDs when the global RID pool 31st bit is unlocked. Windows Server 2008 R2 domain controllers can use 31st bit RIDs but only if they have hotfix KB 2642658 installed. Unsupported and unpatched domain controllers treat the global RID pool as exhausted when unlocked.

This feature is not enforced by any domain functional level; take great care that only Windows Server 2012 or updated Windows Server 2008 R2 domain controllers exist in the domain.

Implementing Unlocked Global RID space

To unlock the RID pool to the 31st bit after receiving the RID ceiling alert (see below), perform the following steps:

  1. Ensure that the RID Master role is running on a Windows Server 2012 domain controller. If not, transfer it to a Windows Server 2012 domain controller.

  2. Run LDP.exe.

  3. Click the Connection menu and click Connect for the Windows Server 2012 RID Master on port 389, and then click Bind as a domain administrator.

  4. Click the Browse menu and click Modify.

  5. Ensure that DN is blank.

  6. In Edit Entry Attribute, type:

  7. In Values, type:

  8. Ensure that Add is selected in Operation and click Enter. This updates the Entry List.

  9. Select the Synchronous and Extended options, then click Run.

  10. If successful, the LDP output window shows:

    ***Call Modify...  
     ldap_modify_ext_s(Id, '(null)',[1] attrs, SvrCtrls, ClntCtrls);  
    modified "".  

  11. Confirm the global RID pool increased by examining the System Event Log on that domain controller for Directory-Services-SAM Informational event 16655.

RID Ceiling Enforcement

To afford a measure of protection and elevate administrative awareness, Windows Server 2012 introduces an artificial ceiling on the global RID range at ten (10) percent remaining RIDs in the global space. When within one (1) percent of the artificial ceiling, domain controllers requesting RID pools write Directory-Services-SAM warning event 16656 to their System event log. When the ten percent ceiling is reached on the RID Master FSMO, it writes Directory-Services-SAM event 16657 to its System event log and will not allocate any further RID pools until the ceiling is overridden. This forces you to assess the state of the RID master in the domain and address potential runaway RID allocation; this also protects domains from exhausting the entire RID space.

This ceiling is hard-coded at ten percent remaining of the available RID space. That is, the ceiling activates when the RID master allocates a pool that includes the RID corresponding to ninety (90) percent of the global RID space.

  • For default domains, the first trigger point is (2^30 - 1) * 0.90 = 966,367,640 (or 107,374,183 RIDs remaining).

  • For domains with an unlocked 31-bit RID space, the trigger point is (2^31 - 1) * 0.90 = 1,932,735,282 RIDs (or 214,748,365 RIDs remaining).

When triggered, the RID master sets Active Directory attribute msDS-RIDPoolAllocationEnabled (common name ms-DS-RID-Pool-Allocation-Enabled) to FALSE on the object:

CN=RID Manager$,CN=System,DC=

This writes the 16657 event and prevents further RID block issuance to all domain controllers. Domain controllers continue to consume any outstanding RID pools already issued to them.

To remove the block and allow RID pool allocation to continue, set that value to TRUE. On the next RID allocation performed by the RID master, the attribute will return to its default NOT SET value. After that, there are no further ceilings and eventually the global RID space runs out, requiring forest recovery or domain migration.
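
The ceiling arithmetic above, combined with the RID Block Size limit, as an added Python example (not part of the original documentation and not a Microsoft tool). It assumes the Dcdiag line reads "Available RID Pool for the Domain is <next> to <max>"; the sample lines and all function names are constructed for illustration.

```python
import re

DEFAULT_MAX = 2**30 - 1     # 1,073,741,823: default global RID space
UNLOCKED_MAX = 2**31 - 1    # 2,147,483,647: after the 31st-bit unlock
DEFAULT_BLOCK = 500         # RIDs a domain controller requests per pool
MAX_BLOCK = 15000           # Windows Server 2012 cap on "RID Block Size"

# Assumption: layout of the line that the page's find /i filter selects.
POOL_LINE = re.compile(
    r"Available RID Pool for the Domain is (\d+) to (\d+)", re.IGNORECASE)

# Constructed sample lines, not captured from a real domain.
SAMPLE_DEFAULT = "* Available RID Pool for the Domain is 1600 to 1073741823"
SAMPLE_UNLOCKED = "* Available RID Pool for the Domain is 1932735283 to 2147483647"


def parse_available_pool(dcdiag_text):
    """Return (next_rid, max_rid) from Dcdiag /TEST:RidManager /v output."""
    match = POOL_LINE.search(dcdiag_text)
    if match is None:
        raise ValueError("no 'Available RID Pool for the Domain' line found")
    next_rid, max_rid = int(match.group(1)), int(match.group(2))
    if max_rid not in (DEFAULT_MAX, UNLOCKED_MAX):
        raise ValueError(f"unexpected global RID maximum: {max_rid}")
    if not 0 <= next_rid <= max_rid:
        raise ValueError(f"next RID {next_rid} is outside 0..{max_rid}")
    return next_rid, max_rid


def effective_block_size(configured):
    """Apply the Windows Server 2012 clamp (the case event 16653 reports)."""
    if configured < 1:
        raise ValueError("RID Block Size must be a positive integer")
    return min(configured, MAX_BLOCK)


def rid_headroom(dcdiag_text, configured_block=DEFAULT_BLOCK):
    """Summarise how far the domain is from the ten percent ceiling."""
    next_rid, max_rid = parse_available_pool(dcdiag_text)
    ceiling_rid = max_rid * 9 // 10      # integer maths, no float rounding
    block = effective_block_size(configured_block)
    # RIDs still to be issued before a pool contains the ceiling RID.
    to_ceiling = max(ceiling_rid - next_rid + 1, 0)
    return {
        "unlocked": max_rid == UNLOCKED_MAX,
        "remaining": max_rid - next_rid,
        "ceiling_rid": ceiling_rid,
        "ceiling_reached": to_ceiling == 0,
        "pool_requests_until_ceiling": -(-to_ceiling // block),  # ceiling division
    }


if __name__ == "__main__":
    for line in (SAMPLE_DEFAULT, SAMPLE_UNLOCKED):
        print(rid_headroom(line))
    # A mis-set 0xffffffff block size is clamped to 15,000 per request.
    print(rid_headroom(SAMPLE_DEFAULT, configured_block=0xFFFFFFFF))
```

Comparing the pool-request count at 500 and at 15,000 shows how much faster a raised RID Block Size reaches the ceiling for the same number of pool requests.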

Removing the Ceiling Block

To remove the block once reaching the artificial ceiling, perform the following steps:

  1. Ensure that the RID Master role is running on a Windows Server 2012 domain controller. If not, transfer it to a Windows Server 2012 domain controller.

  2. Run LDP.exe.

  3. Click the Connection menu and click Connect for the Windows Server 2012 RID Master on port 389, and then click Bind as a domain administrator.

  4. Click the View menu and click Tree, then for the Base DN select the RID Master's own domain naming context. Click OK.

  5. In the navigation pane, drill down into the CN=System container and click the CN=RID Manager$ object. Right-click it and click Modify.

  6. In Edit Entry Attribute, type:

  7. In Values, type (in upper case):

  8. Select Replace in Operation and click Enter. This updates the Entry List.

  9. Enable the Synchronous and Extended options, then click Run:

  10. If successful, the LDP output window shows:

    ***Call Modify...  
    ldap_modify_ext_s(ld, 'CN=RID Manager$,CN=System,DC=<domain>',[1] attrs, SvrCtrls, ClntCtrls);  
    Modified "CN=RID Manager$,CN=System,DC=<domain>".  

Other RID Fixes

Previous Windows Server operating systems had a RID pool leak when the rIDSetReferences attribute was missing. To resolve this problem on domain controllers that run Windows Server 2008 R2, install the hotfix from KB 2618669.

Unfixed RID Issues

There has historically been a RID leak on account creation failure; when creating an account, failure still uses up a RID. The common example is to create a user with a password that does not meet complexity.

RID Fixes for earlier versions of Windows Server

All of the fixes and changes above have Windows Server 2008 R2 hotfixes released. There are currently no Windows Server 2008 hotfixes planned or in progress.

Troubleshooting RID Issuance

Introduction to Troubleshooting

RID issuance troubleshooting requires a logical and linear method. Unless you are monitoring your event logs carefully for RID-triggered warnings and errors, your first indications of a problem are likely to be failed account creations. The key to troubleshooting RID issuance is to understand when the symptom is expected or not; many RID issuance issues may affect only one domain controller and have nothing to do with component improvements. The diagram below helps make those decisions clearer:

[Figure: RID Issuance]

Troubleshooting Options

Logging Options

All logging in RID issuance occurs in the System Event log, under source Directory-Services-SAM. By default, logging is enabled and configured for maximum verbosity. If no entries are logged for the new component changes in Windows Server 2012, treat the issue as a classic (aka legacy, pre-Windows Server 2012) RID issuance problem seen in Windows 2008 R2 or older operating systems.

Utilities and Commands for Troubleshooting

To troubleshoot issues not explained by the aforementioned logs, especially older RID issuance issues, use the following list of tools as a starting point:

  • Dcdiag.exe

  • Repadmin.exe

  • Network Monitor 3.4

General Methodology for Troubleshooting Domain Controller Configuration

  1. Is the error caused by a simple permissions or domain controller availability issue?

    1. Are you trying to create a security principal without the necessary permissions? Examine the output for access denied errors.

    2. Is a domain controller available? Examine the returned error or LDAP or domain controller availability messages.

  2. Does the error returned specifically mention RIDs, and is it specific enough to use as guidance? If so, follow the guidance.

  3. Does the error returned specifically mention RIDs but is otherwise non-specific? For example, "Windows cannot create the object because the Directory Service was unable to allocate a relative identifier."

    1. Examine the System Event log on the domain controller for "legacy" (pre-Windows Server 2012) RID events detailed in RID Pool Request (16642, 16643, 16644, 16645, 16656).

    2. Examine the System Event log on the domain controller and the RID Master for new block-indicating events detailed below in this topic (16655, 16656, 16657).

    3. Validate Active Directory replication health with Repadmin.exe and RID Master availability with Dcdiag.exe /test:ridmanager /v. Enable double-sided network captures between the domain controller and the RID Master if these tests are inconclusive.

Troubleshooting Specific Problems

The following new messages are logged in the System event log on Windows Server 2012 domain controllers. Automated AD health tracking systems, such as System Center Operations Manager, should monitor for these events; all are notable, and some are indicators of critical domain issues.

Event ID: 16653
Source: Directory-Services-SAM
Severity: Warning
Message: A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum. The maximum value of %1 will be used when the domain controller is the RID master.

For more information, see RID Block Size Limit.
Notes and resolution: The maximum value for the RID Block Size is now 15000 decimal (3A98 hexadecimal). A domain controller cannot request more than 15,000 RIDs. This event logs at every boot until the value is set to a value at or below this maximum.

Event ID: 16654
Source: Directory-Services-SAM
Severity: Informational
Message: A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:

1. A domain controller is restored from backup.

2. A domain controller running on a virtual machine is restored from snapshot.

3. An administrator has manually invalidated the pool.

See https://go.microsoft.com/fwlink/?LinkId=226247 for more information.
Notes and resolution: If this event is unexpected, contact all domain administrators and determine which of them performed the action. The Directory Services event log also contains further information on when one of these steps was performed.

Event ID: 16655
Source: Directory-Services-SAM
Severity: Informational
Message: The global maximum for account-identifiers (RIDs) has been increased to %1.
Notes and resolution: If this event is unexpected, contact all domain administrators and determine which of them performed the action. This event notes the increase of the overall RID pool size beyond the default of 2^30 and will not happen automatically; only by administrative action.

Event ID: 16656
Source: Directory-Services-SAM
Severity: Warning
Message: The global maximum for account-identifiers (RIDs) has been increased to %1.
Notes and resolution: Action required! An account-identifier (RID) pool was allocated to this domain controller. The pool value indicates this domain has consumed a considerable portion of the total available account-identifiers.

A protection mechanism will be activated when the domain reaches the following threshold of total available account-identifiers remaining: %1. The protection mechanism will prevent account creation until you manually re-enable account-identifier allocation on the RID master domain controller.

See https://go.microsoft.com/fwlink/?LinkId=228610 for more information.

Event ID: 16657
Source: Directory-Services-SAM
Severity: Error
Message: Action required! This domain has consumed a considerable portion of the total available account-identifiers (RIDs). A protection mechanism has been activated because the total available account-identifiers remaining is less than: X% [artificial ceiling argument].

The protection mechanism prevents account creation until you manually re-enable account-identifier allocation on the RID master domain controller.

It is extremely important that certain diagnostics are performed prior to re-enabling account creation to ensure this domain is not consuming account-identifiers at an abnormally high rate. Any issues identified should be resolved prior to re-enabling account creation.

Failure to diagnose and fix any underlying issue causing an abnormally high rate of account-identifier consumption can lead to account-identifier exhaustion in the domain after which account creation will be permanently disabled in this domain.

See https://go.microsoft.com/fwlink/?LinkId=228610 for more information.
Notes and resolution: Contact all domain administrators and inform them that no further security principals can be created in this domain until this protection is overridden. For more information about how to override the protection and possibly increase the overall RID pool, see Global RID Space Size Unlock.

Event ID: 16658
Source: Directory-Services-SAM
Severity: Warning
Message: This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: %1.

Account-identifiers are used as accounts are created; when they are exhausted, no new accounts may be created in the domain.

See https://go.microsoft.com/fwlink/?LinkId=228745 for more information.
Notes and resolution: Contact all domain administrators and inform them that RID consumption has crossed a major milestone; determine if this is expected behavior or not by reviewing security trustee creation patterns. To ever see this event would be highly unusual, as it means that at least ~100 million RIDs have been allocated.
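
One way a monitoring job could triage the events in the table above, as an added Python example (not part of the original documentation and not a System Center component). The event records are constructed, the tuple layout is hypothetical, and the threshold of three 16654 events for "frequent" invalidation is an assumption.

```python
from collections import Counter, defaultdict

# Severity and meaning taken from the event table on this page.
RID_EVENTS = {
    16653: ("Warning", "RID Block Size above the 15,000 maximum"),
    16654: ("Informational", "RID pool invalidated"),
    16655: ("Informational", "global RID maximum increased"),
    16656: ("Warning", "pool allocated near the artificial ceiling"),
    16657: ("Error", "ceiling reached, RID pool allocation blocked"),
    16658: ("Warning", "periodic consumption milestone"),
}
RANK = {"Informational": 0, "Warning": 1, "Error": 2}
INVALIDATION_LIMIT = 3   # assumed threshold for "frequent" invalidation

# Constructed records: (ISO timestamp, domain controller, event ID).
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "DC1", 16658),
    ("2024-03-01T09:10:00", "DC1", 16656),
    ("2024-03-01T09:45:00", "DC1", 16657),
    ("2024-03-01T07:00:00", "DC2", 16654),
    ("2024-03-01T07:30:00", "DC2", 16654),
    ("2024-03-01T08:15:00", "DC2", 16654),
    ("2024-03-01T06:00:00", "DC3", 16654),
    ("2024-03-01T06:05:00", "DC3", 7036),   # unrelated event, ignored
]


def triage(events, invalidation_limit=INVALIDATION_LIMIT):
    """Group RID events per domain controller, most severe first."""
    counts = defaultdict(Counter)
    last_seen = {}
    for stamp, dc, event_id in events:
        if event_id not in RID_EVENTS:
            continue
        counts[dc][event_id] += 1
        last_seen[dc] = max(stamp, last_seen.get(dc, stamp))
    findings = []
    for dc, seen in counts.items():
        severity = max((RID_EVENTS[e][0] for e in seen), key=RANK.get)
        notes = [f"{e} x{n}: {RID_EVENTS[e][1]}" for e, n in sorted(seen.items())]
        # The page lists frequent InvalidateRidPool use as a RID drain, so
        # repeated informational 16654 events are raised to a warning.
        if seen[16654] >= invalidation_limit and RANK[severity] < RANK["Warning"]:
            severity = "Warning"
            notes.append("repeated pool invalidation, confirm it was intended")
        findings.append({
            "dc": dc, "severity": severity, "last_seen": last_seen[dc],
            "allocation_blocked": seen[16657] > 0, "notes": notes,
        })
    findings.sort(key=lambda f: (-RANK[f["severity"]], f["dc"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```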

See Also

Managing RID Issuance in Windows Server 2012