Hi,
The max. available RIDs in each AD domain is 1,073,741,823. This is the upper value of the attribute "rIDAvailablePool" of the object "CN=RID Manager$,CN=System,DC=PARENT,DC=LAN". This attribute "manages" the blocks of RIDs that have NOT been assigned to DCs to create security principals. The "owner" (or in other words: the DC that manages this object) is the DC mentioned in the attribute "fSMORoleOwner". The object "CN=RID Manager$,...etc" IS REPLICATED to all DCs in the domain. This is important for other DCs if you need to transfer/seize the RID FSMO role to another DC. Imagine if it was not replicated and the original RID FSMO owner was down and dead. The new RID FSMO owner would never know what blocks of RIDs had been assigned to other DCs if a seizure was done. There is another way though, and that is if each block that had been assigned is known to each DC in the domain. The problem with this is that that is much more data than just the attribute "rIDAvailablePool" of the object mentioned earlier.
Below each DC object (CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN) there exists another object "CN=RID Set,CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN". This object stores the info about the RID blocks that have been assigned to each DC. The attribute "rIDPreviousAllocationPool" (e.g. 15483357105186 -> upper value is 3605 and lower value is 3106) is the block of RIDs a DC is currently using for the creation of sec. princ. and IS NOT REPLICATED to other DCs. The attribute "rIDAllocationPool" (e.g. 17630840753686 -> upper value is 4105 and lower value is 3606) is the block of RIDs the DC will use next when the first block has been consumed and IS REPLICATED to other DCs. You might see that both attributes have the same value. When the block of RIDs (rIDPreviousAllocationPool) is 50% consumed, the DC will ask for another block and store it in "rIDAllocationPool". When it is 100% consumed, "rIDPreviousAllocationPool" gets the value of "rIDAllocationPool". The values are the same again and will differ when the currently used block is 50% consumed.
You might think that the attribute "rIDNextRID" is the attribute that says which RID will be consumed next. You thought wrong, as this is the LAST RID consumed by the DC.
OK, I agree MS chose some strange names for the attributes. In my opinion they should have been called "rIDCurrentAllocationPool", "rIDNextAllocationPool" and "rIDLastRID", but that is just an opinion!
Have you ever wondered why you first need to target (connect to) the new-to-be FSMO master when transferring, instead of pointing it out? When transferring a FSMO role you are not saying to the old FSMO "hey, give your FSMO role away"; no, you are saying (after connecting to the new one) "hey new one, take ownership of the FSMO role". Under the hood you are triggering an OPERATIONAL ATTRIBUTE on the new-to-be FSMO role holder. The OPERATIONAL ATTRIBUTES that do this are:
* becomeInfrastructureMaster
* becomePdc
* becomeSchemaMaster
* becomeRidMaster
* becomeDomainMaster
With the command "dcdiag /v /test:ridmanager" on a DC you can see the
following:
#########################
Testing server: Default-First-Site-Name\W2K3R2SRVTRL01
Starting test: RidManager
* Available RID Pool for the Domain is 4106 to 1073741823
* w2k3r2srvtrl01.PARENT.LAN is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3606 to 4105
* rIDPreviousAllocationPool is 3106 to 3605
* rIDNextRID: 3358
......................... W2K3R2SRVTRL01 passed test RidManager
#########################
The info is the same as stored in the attributes I mentioned earlier.
The only time a DC (as far as I know) throws away its RID blocks is when you mandate it by writing to the operational attribute called "invalidateRidPool" or when a DC has been restored. After the DC is restored it does some special stuff, and one of those is writing to the operational attribute called "invalidateRidPool" and asking for a new RID block from the RID FSMO master.
IF the RID FSMO master for some reason is NOT AVAILABLE then the DC asking for a new RID block will generate event id 16650. For more info on this see "Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003" (http://support.microsoft.com/?kbid=839879).
For more info on the RID attributes see "Description of RID Attributes in Active Directory" (http://support.microsoft.com/?kbid=305475).
I posted some findings earlier, see those also as an example.
I hope I have described clearly how this works.
Cheers,
#JORGE#
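As an added example (not part of the original post), the following Python decodes the 64-bit rID*Pool values quoted above the way the post describes them (upper 32 bits = highest RID of the block, lower 32 bits = lowest RID) and reports how far the current block is consumed. The rIDPreviousAllocationPool, rIDAllocationPool and rIDNextRID samples are the post's own; the rIDAvailablePool sample is encoded from the dcdiag line "4106 to 1073741823"; the function names are my own.

```python
"""Decode and sanity-check the RID pool attributes of a RID Set object.

rIDAvailablePool, rIDAllocationPool and rIDPreviousAllocationPool are each
stored as one large integer: upper 32 bits = highest RID of the block,
lower 32 bits = lowest RID of the block.
"""
from typing import NamedTuple

MASK32 = 0xFFFFFFFF


class RidBlock(NamedTuple):
    low: int   # first RID in the block (lower 32 bits of the attribute)
    high: int  # last RID in the block (upper 32 bits of the attribute)

    @property
    def size(self) -> int:
        return self.high - self.low + 1


def decode_rid_pool(value: int) -> RidBlock:
    """Split a raw rID*Pool attribute value into (low, high)."""
    if not 0 <= value < 1 << 64:
        raise ValueError("RID pool attributes are 64-bit integers")
    return RidBlock(low=value & MASK32, high=value >> 32)


def encode_rid_pool(low: int, high: int) -> int:
    """Inverse of decode_rid_pool; handy for checking a manual pool edit."""
    if not 0 < low <= high <= MASK32:
        raise ValueError("need 0 < low <= high <= 2^32-1")
    return (high << 32) | low


def pool_usage(previous_pool: int, next_rid: int) -> float:
    """Fraction of the current block already handed out.

    rIDNextRID is the LAST RID consumed, so next_rid == low means exactly
    one RID is used; a value below the block (fresh block, nothing consumed
    yet) counts as 0.0, and a value above the block is an inconsistency.
    """
    block = decode_rid_pool(previous_pool)
    if next_rid < block.low:
        return 0.0
    if next_rid > block.high:
        raise ValueError("rIDNextRID lies above rIDPreviousAllocationPool")
    return (next_rid - block.low + 1) / block.size


# Constructed sample: attribute values quoted in the post for
# W2K3R2SRVTRL01, plus rIDAvailablePool built from the dcdiag output.
SAMPLE = {
    "rIDPreviousAllocationPool": 15483357105186,              # 3106..3605
    "rIDAllocationPool": 17630840753686,                      # 3606..4105
    "rIDAvailablePool": encode_rid_pool(4106, 1073741823),    # 4106..max
    "rIDNextRID": 3358,
}


def summarize(attrs: dict) -> dict:
    """Decode the blocks and flag whether the DC has already fetched its
    next block (it does so once the current one is over 50% consumed)."""
    prev = decode_rid_pool(attrs["rIDPreviousAllocationPool"])
    nxt = decode_rid_pool(attrs["rIDAllocationPool"])
    avail = decode_rid_pool(attrs["rIDAvailablePool"])
    return {
        "current_block": prev,
        "next_block": nxt,
        "next_block_fetched": prev != nxt,
        "current_usage": pool_usage(attrs["rIDPreviousAllocationPool"],
                                    attrs["rIDNextRID"]),
        "domain_rids_left": avail.size,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```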
-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 6/2/2005 6:57 PM
Subject: RE: [ActiveDir] Error in PDC Operations Master
Something that confuses me in this (and in RID allocation generally) is:
Isn't the RIDavailablePool held by the RID master? Is the value replicated among DCs? If it's not, does a DC have to check with the RID master BEFORE it increments this value? (I assume that it would, but I am not sure, especially if the RID master is not available).
Now, if you do an auth restore on a DC and you ask the DC to increment RIDAvailablePool, and that DC is NOT the RID master, AND the RID master is not available (for any reason), what happens then?
IF the RID master is not available and you seize the role, how does the new role holder determine the current RIDAvailablePool?
I am guessing that all of the above is moot and RIDAvailablePool is replicated in real-time among DCs. But ..... if it's not ......
Say DCa is the RID Master and it says that RIDAvailablePool is currently at 91000. Say DCb is currently given 89001-89500, DCc is given 89501-90000 and DCd is given 90001-90500. Say a disaster happened and we need to do an auth restore, but DCa is not recoverable. We take DCb, seize the role and do the restore. Would the RIDAvailablePool (according to DCb) now be equal to 90001?
Also, how does an out-of-band increase in RIDAvailablePool affect RIDPreviousAllocationPool on other DCs in the domain? Do they all now discard this pool and ask for a new batch from the new RID guy? Do they also immediately junk their current RIDAllocationPool and get new ones?
Wish I understood the inner-workings of RID better.
Sincerely,
Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Thu 6/2/2005 7:55 AM
To: [email protected]; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master
Apologies accepted! No hard feelings! I also used the same environment to test the ADMOD -undel option to undelete objects and it did not work (already mailed Joe about it). However I must mention both the RID thing and the ADMOD thing were tested on W2K3-R2!
Keeping my earlier statement in mind regarding the need to manually increase the availableridpool on the new RID master after the seizure, I'm still thinking about the value for the manual increase (like some kind of formula)... Factors/variables that I believe have influence on the size of the value:
* Pool of possible requested RIDs -> 500
* Number of DCs in domain or better yet the number of DCs that are used for security principal creation (the DCs that use RIDs)
* ....?
If I come up with some formula I will post that on the list.
Cheers
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: donderdag 2 juni 2005 16:24
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master
Tested this myself and reached the same conclusion you did. I've since done some digging and found a number of references to the 1 million increase, all of which were in documents relating to Windows NT5. I assume my memory has yet again failed me :) since I can't even find any private up-to-date material to validate it.
PS - Ironically, I did find a document that I wrote for a seminar just after Windows 2000's release where I make a recommendation regarding increasing the RID pool following role seizure ... maybe I knew it at one point or another ... if I did, it probably got replaced by some other piece of useless information since I believe my brain reached capacity some years back.
Anyways, my apologies for causing you to waste so much time testing this, it seems this was removed quite some time ago :(
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 02, 2005 9:09 AM
To: [email protected]; Send - AD mailing list; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,
As I mentioned earlier I did not know (never seen it before) about the automatic increase of the ridavailablepool value with 1 million after the rid seizure. I got curious and I built a small environment. I did not see the ridpool get increased with 1 million after the seizure. I also got different results depending on where the NEW rid master is located (SITE WISE). See below. After the seizure the new RID master increased its known pool with 500. Personally I think that's not enough... Especially in a large environment.
During the seizure the new-to-be RID master reports:
>>Searching for highest rid pool in domain
Can you elaborate more on the automatic increase of the availableridpool attribute and when that happens?
Cheers
#JORGE#
#####################################
DCs: 01, 02, 03
01: site1 -> original rid master
02: site1
03: site2 -> new rid master after seizing
01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214
    -> upper value 1073741823, lower value 2606
01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214
    -> upper value 1073741823, lower value 5606
03: rIDAvailablePool: 4611686014132423214
    -> upper value 1073741823, lower value 2606
01: down
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased with 500)
    -> upper value 1073741823, lower value 3106
02: 1000 users created
02: replication forced
03: replication forced
02: rIDAvailablePool: 4611686014132426214 <---???? (this value would not change, even after forcing replication!)
    -> upper value 1073741823, lower value 5606
03: rIDAvailablePool: 4611686014132424714
    -> upper value 1073741823, lower value 4106
02: 3001 users created
02: rIDAvailablePool: 4611686014132427714 (this value only changed when the value of 03 was higher than the previous value of 02!)
03: rIDAvailablePool: 4611686014132427714
#####################################
DCs: 01, 02, 03
01: site1 -> original rid master
02: site1
03: site1 -> new rid master after seizing
01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214
03: disabled inbound REPL
01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214
    -> upper value 1073741823, lower value 5606
03: rIDAvailablePool: 4611686014132423214
    -> upper value 1073741823, lower value 2606
01: down
03: enable inbound REPL
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased with 500)
    -> upper value 1073741823, lower value 3106
02: 1000 users created
02: rIDAvailablePool: 4611686014132427214
03: rIDAvailablePool: 4611686014132427214
#######################################
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: dinsdag 31 mei 2005 10:31
To: [email protected]; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,
You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.
Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?
Cheers
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: [email protected]; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
Because you are seizing and not transferring, and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason), you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure).
Cheers,
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
Yes, but a fleeting one in most cases. You'll need to seize the roles
assigned to the errant DC. In terms of who owns the roles, you are only
interested in the perspective of the other DCs.
The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master
Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?
Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm
Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
That's what I expected.
Choice 1 -
Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 -
Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo
Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master
1. Number of DCs/Domain/Sites
3 Sites
-> Site A has DC1 & DC2
-> Site B DC3
-> Site C DC4
2. OS version of DCs
-> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
-> According to DC diag they all passed replications
-> They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.
Before proceeding, can you give me some more info. -
1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master
Well, I have quite a few weird things going on.
Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner
When I look at the Operations Masters...
-> from DC1 it shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure
So neither DC1 nor DC2 knows who the PDC is. (It should be DC2)
When I use "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself
1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.
2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.
All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.
Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master
What does the machine in question report within its event log?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master
My Dcdiag output shows the following error:
#############################
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
......................... STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
......................... domain failed test FsmoCheck
#############################
Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--------------------------------------+
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: [email protected]
Subject: [ActiveDir] Error in PDC Operations Master
Hi,
My PDC just started acting up and is showing an error in the PDC box under Operations Master.
The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.
Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.