AD Internals: Display RID Allocation Pools

In my previous post I wrote about a problem I had with duplicate RID Allocation pools.

But how do we get more insight into these RID Allocation pools?

The DCDIAG tool can display this information per domain controller using the following syntax:

Example output:

DCDiag Ridmanager Test

But where in Active Directory is this information stored and can we display it for all Domain Controllers at once for larger environments?

Let’s start with the Active Directory part. The System container has an object named RID Manager$:

ADSI Edit System Container

The fSMORoleOwner attribute holds the RID Master FSMO role owner.

rIDAvailablePool is a Large Integer (an 8-byte value) where the lower 4 bytes are the From (beginning of the next RID pool to be allocated) and the higher 4 bytes are the To (total number of RIDs that can be created in a domain), as displayed by dcdiag.

The Allocation Pools and the Next RID are kept by each server in a child object called RID Set. We can find the RID Set by querying the rIDSetReferences attribute which contains the LDAP path to the RID Set:

rIDSetReferences Attribute

The RID Set contains the other values we are looking for. Here rIDAllocationPool (the pool currently in use) and rIDPreviousAllocationPool (the pool that will be used next when the current pool is exhausted) are again Large Integers with a Low and a High part:

RID Set Properties

Now that we know where the values are stored, we can write a script; I have chosen PowerShell.

First we connect to the (Default) domain and obtain the distinguishedName of the domain (DC=MyDomain, DC=local).

Now we can open the RID Manager object:

And query for the FSMO Role Owner:

From the RID Master we read the rIDAvailablePool attribute:

GetInteger8 is a helper function to read Integer8 (Large Integer) values from Active Directory:

We are going to store all RID Data in an array so we can use the Format options from PowerShell:

I wrote a function to gather and return the RID Data for a Domain Controller object:

Now we can bind to the Domain Controllers OU, enumerate all children and gather the RID Data for them:

The last step is outputting the data:

This is the data for my environment:

RID Data for the Domain

The complete script can be downloaded below.

rIDump
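The steps described above, as an added example that is not the author's rIDump script: it reads the same attributes through DirectorySearcher, which returns Large Integers as Int64, instead of a GetInteger8 helper. The function names Get-LdapObject and Split-RidPool are hypothetical, and the script assumes a domain-joined host and an account that can read the RID Set objects.

```powershell
# Added example, not the author's rIDump script. Needs PowerShell 3.0+ on a domain-joined host.
function Get-LdapObject {   # hypothetical helper
    # Base-scope read of one object; DirectorySearcher returns Large Integers as Int64.
    param([string]$Path, [string[]]$Attributes)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]$Path
    $s.SearchScope = 'Base'
    $s.Filter      = '(objectClass=*)'
    $s.PropertiesToLoad.AddRange($Attributes)
    $s.FindOne()
}
function Split-RidPool {    # hypothetical helper
    # Lower 4 bytes = From, higher 4 bytes = To, printed the way dcdiag shows a pool.
    param([long]$Value)
    '{0} to {1}' -f ($Value -band 4294967295), ($Value -shr 32)
}

$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# RID Manager$ in the System container: role owner and the domain-wide pool.
$ridMgr = Get-LdapObject "LDAP://CN=RID Manager`$,CN=System,$domainDN" 'fSMORoleOwner','rIDAvailablePool'
'RID Master (fSMORoleOwner): ' + $ridMgr.Properties['fSMORoleOwner'][0]
'rIDAvailablePool          : ' + (Split-RidPool ($ridMgr.Properties['rIDAvailablePool'][0]))

# Enumerate the direct children of the Domain Controllers OU.
$dcs = New-Object System.DirectoryServices.DirectorySearcher
$dcs.SearchRoot  = [ADSI]"LDAP://OU=Domain Controllers,$domainDN"
$dcs.SearchScope = 'OneLevel'
$dcs.Filter      = '(objectCategory=computer)'
$dcs.PropertiesToLoad.AddRange([string[]]('dNSHostName','rIDSetReferences'))

$ridData = foreach ($dc in $dcs.FindAll()) {
    $server = [string]$dc.Properties['dNSHostName'][0]
    $setDN  = [string]($dc.Properties['rIDSetReferences'] | Select-Object -First 1)
    if (-not $setDN) { Write-Warning "$server has no rIDSetReferences value"; continue }
    try {
        # Read the RID Set from the DC it belongs to, so the values are that server's own.
        $set = Get-LdapObject "LDAP://$server/$setDN" 'rIDAllocationPool','rIDPreviousAllocationPool','rIDNextRID'
        [pscustomobject]@{
            Server                    = $server
            rIDAllocationPool         = Split-RidPool ($set.Properties['rIDAllocationPool'][0])
            rIDPreviousAllocationPool = Split-RidPool ($set.Properties['rIDPreviousAllocationPool'][0])
            rIDNextRID                = $set.Properties['rIDNextRID'][0]
        }
    } catch {
        Write-Warning "Could not read RID Set on ${server}: $_"
    }
}
$ridData | Sort-Object Server | Format-Table -AutoSize
```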

Leave a Reply

  1. Can you help me with a problem?
    My system is having an error “The directory service has exhausted the pool of relative identifiers”. I verified it with the “dcdiag /v /test:ridmanager” command. The result is below:

    Starting test: RidManager
    * Available RID Pool for the Domain is 2130 to 1073741823
    * server1.sorimachi.com is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 1130 to 1629
    * rIDPreviousAllocationPool is 1130 to 1629
    * rIDNextRID: 1629
    * Warning :Next rid pool not allocated
    * Warning :There is less than 0% available RIDs in the current pool
    ……………………. SERVER1 passed test RidManager

    So, I want to change the rIDAllocationPool to a larger one.
    How can I change it? Please help me!

    Thank you so much.