Windows 2000 domain controllers may not be able to create
user accounts, computer accounts, or security groups if the local RID pool is
used up and cannot obtain a new RID pool from the RID operations master. The
domain controller cannot be discovered by network clients that are trying to
perform LDAP queries or authentication requests.
network connectivity to the RID operations master, a domain controller does not
experience this condition unless the rate of RID consumption is quite high. For
example, if the rate of security principal creation exceeds the domain
controller's ability to acquire a new RID pool from the RID operations master,
the domain controller temporarily cannot service security principal creations.
Upon successful RID pool acquisition, this condition stops, and security
principal creation can resume.
Events 16645 and optionally event
16651 are logged in the Directory services event log for domain controllers
that cannot acquire new RID pools. The message text for each event is:
The maximum account identifier allocated to
this domain controller has been assigned. The domain controller has failed to
obtain a new identifier pool. A possible reason for this is that the domain
controller has been unable to contact the master domain controller. Account
creation on this controller will fail until a new pool has been allocated.
There may be network or connectivity problems in the domain, or the master
domain controller may be offline or missing from the domain. Verify that the
master domain controller is running and connected to the domain.
The request for a new account-identifier
pool failed. The operation will be retried until the request succeeds. The
error is %n " %1 "
Users, computers, and groups in Active Directory are
collectively known as "security principals." Security principals are assigned
unique alpha-numeric numeric strings that are called security identifiers, or
SIDs. The SID for a security principal is made up of a domain-wide SID
concatenated with a unique, relative identifier (RID). The RID is allocated by
a Windows 2000 domain controller in the domain at the time the security
principal is created.
Individual domain controllers maintain local
RID pools that are obtained from a global pool on the RID operations master. By
default, RID pools are obtained in increments of 500. Windows 2000 domain
controllers request a new RID when 20 percent of the RID pool remains. Domain
controllers in the E-commerce folder or large scale ADMT migration environments
can create large numbers of security principals in a short period of time. This
may use up their local RID pools more quickly than conventional enterprise
Problems occur when a domain controller's local RID pool
is used up and cannot obtain a new pool from the RID operations master because
of problems with itself. The RID operations master, the network, and the domain
controller then cannot create additional security principals and stop
advertising domain controller services until a new local pool is
To reduce the chance of this loss of service,
administrators can increase the number of RIDs that are allocated by the RID
operations master in each pool by adjusting the REG_DWORD RID Block Size
value on domain controllers under the following registry key:
However, because of a flaw in the RID threshold
compare logic, "RID Block Size" values beyond 500 were effectively ignored and
reverted back to the default allocation of 500.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
With Windows 2000 Service Pack 4 (SP4), the
threshold at which domain controllers start to request a new RID pool has been
increased to 50%. For example, a domain controller with the default RID block
size of 500 would start to request a new pool when 250 (50 percent of 500) RIDs
have been consumed. A pre-SP4 domain controller with the same RID block size of
500 would request a new pool when 100 (20 percent) of the default block of 500
The change means that domain controllers are a little
more resilient to temporary outages of the RID Master at default settings, and
the RID pool size is administrator configurable. Note that the global RID
space, and the number of users, computers and groups you can create, is finite
for each domain (approximately 2^30 RIDs exists). After the domain wide RID
pool is used up, no new security principals can be created in the domain.
Because of this, there are risks associated with increasing the "RID Block
Size." For example, every time a domain controller is decommissioned through
graceful or forceful demotion, or because of a hardware failure, its RIDs are
all lost. Similarly, every time a domain controller is restored from backup,
its RIDs are all invalidated to help prevent more than one user account from
being assigned the same RID.
Outward facing directory configurations
are a notable exception to leaving the default RID values. In these
configurations, the rate of security principal creation is high, the RID space
is very centralized because few domain controllers are needed, and uptime is
frequently equivalent to the ability to service account creations. Because of
this, availability is generally measured by how long or how many security
principals can be created when the RID operations master is unavailable. This
time can be greatly increased if the average number of RIDs allocated locally
For outward facing deployment configurations, or other
deployments with special needs, the block size was exposed as a configuration
parameter. Windows 2000 SP4 and the Windows Server 2003 family expose a
registry configuration that can be used to increase the RID pool size. This
makes it possible for each domain controller to create a larger number of
security principals without contacting the RID operations master.
There is no benefit to changing the RID block size from the default when Active
Directory is deployed as a general purpose NOS directory. In such cases
Microsoft recommends the default configuration.
If you do elect to
use a different RID block size, the change is only configured on the RID
operations master. However, to simplify the management of this setting,
configure the value identically on all domain controllers in the target domain.
This way if the RID operations master is transferred to another domain
controller, the RID block size will be consistent without additional updates
and System State Restores will not unintentionally overwrite the intended
This registry setting is used by the RID operations master
to determine what size RID pool to return to a requesting domain controller
including RIDS for the local RID pool on the RID FSMO:
RID Block Size (REG_DWORD)
The system creates this registry key
automatically and its initial value is 0
. In this state, the internal default of 500 is used. Setting this
value to less than 500 has no effect, and the default setting is still used. No
maximum block size is enforced. However, a value that is too large has an
adverse affect on the longevity of the domain.
has confirmed that this is a problem in the Microsoft products that are listed
at the beginning of this article.