From: Jorge de Almeida Pinto [MVP] on 26 Jan 2006 10:05

What is out of RIDs? The DC ROLE itself does not have any RIDs to create security principals, or the RID MASTER ROLE has exhausted its pool of available RIDs within the domain? (which would mean you have already created billions of objects!)

RIDs are requested and distributed in blocks of 500 RIDs. Each DC has at least one block (RidpreviousAllocationpool). When that block has been exhausted for 50% of its RIDs, the DC will ask for a new block and store that in the attribute called Ridallocationpool. When that block (RidpreviousAllocationpool) is empty (exhausted for 100%), the block stored in the Ridallocationpool attribute will be moved to the RidpreviousAllocationpool attribute, and at that moment the RidAllocationpool attribute will be empty. It will be used again when the RidpreviousAllocationpool has been exhausted for 50%.

When you run:

DCDIAG /TEST:RIDMANAGER /V

This will show, amongst other info:

* The available RID pool for the domain
* Who is the RID master
* If a bind with the RID master is successful
* Ridallocationpool (= the second pool of RIDs a DC has. A DC gets a second pool when the first pool has passed 50%)
* RidpreviousAllocationpool (= the first pool used by the DC)
* RidNextRid (= the last used RID from the first pool) (and not the next RID to be used, as it looks like)

What is the output of the command in your case? Any event ID errors in the event log? (like 16650 or something like 166xx)

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

"Janaka Sampath" <janakaj(a)lankaequities.com> wrote in message news:OHWAWDjIGHA.1088(a)tk2msftngp13.phx.gbl...
> Hi
>
> my RID master says that rid pool is empty. actually this RID master stop
> responding some time back. but I was able to create new accounts using
> existing pool. at the moment it's giving the message that pool is empty.
> how can I create a new RID master in my existing domain controller without
> demoting the domain.
>
> thank you
> Janaka
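Added example, not part of the original thread: a small Python check that applies the 500-RID block and 50% refresh rule described in the post above to a DC's three RID set attributes. The packing of a pool as a 64-bit integer (first RID in the low 32 bits, last RID in the high 32 bits) comes from the Active Directory schema rather than from the post; the state names and all sample values are constructed for illustration.

```python
# Added example: every attribute value below is constructed, none is from the thread.
REFRESH_AT = 0.5  # per the post, a DC asks for a new block at 50% used


def split_pool(value):
    """Split a 64-bit pool attribute into (first_rid, last_rid)."""
    return value & 0xFFFFFFFF, value >> 32


def pack_pool(first, last):
    """Inverse of split_pool; used here to build the sample values."""
    return (last << 32) | first


def rid_set_status(allocation_pool, previous_pool, next_rid):
    """Classify one DC's RID set from its three attributes."""
    first, last = split_pool(previous_pool)
    size = last - first + 1
    # rIDNextRID is the last RID used; clamp it into the active block.
    used = min(max(next_rid - first + 1, 0), size)
    # Assumption: an empty or identical rIDAllocationPool means no standby block.
    standby = allocation_pool not in (None, 0, previous_pool)
    if used / size < REFRESH_AT:
        state = "ok"
    elif standby:
        state = "standby-ready"
    elif used < size:
        state = "refresh-overdue"  # past 50% and the RID master has not answered
    else:
        state = "exhausted"  # account creation fails from here on
    return {"active": (first, last), "used": used, "remaining": size - used,
            "standby": split_pool(allocation_pool) if standby else None,
            "state": state}


ACTIVE = pack_pool(1103, 1602)  # constructed 500-RID block
SAMPLES = {
    "fresh":   (ACTIVE, ACTIVE, 1200),
    "rolled":  (pack_pool(2103, 2602), ACTIVE, 1400),
    "stalled": (ACTIVE, ACTIVE, 1500),
    "empty":   (0, ACTIVE, 1602),
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, rid_set_status(*attrs))
```

A DC that reports "refresh-overdue" is still creating accounts from its existing block while the RID master is unreachable, which is the window the original question describes before the pool ran empty.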
From: Paul Bergson on 26 Jan 2006 12:38

Sent

Let me know if you received it or not.

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots(a)gmail.com> wrote in message news:evDsixpIGHA.2472(a)TK2MSFTNGP10.phx.gbl...
> Paul,
>
> Could you mail that util to me please?
>
> Thanks!
>
> --
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> # Jorge de Almeida Pinto #
> MVP Windows Server - Directory Services
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
> "Paul Bergson" <pbergson(a)allete.com> wrote in message
> news:%23mYZsdjIGHA.532(a)TK2MSFTNGP15.phx.gbl...
>> Here is what we did but of course it is not published or supported. It is
>> what I would do given the same circumstances again though. There is a
>> file that is needed, lookupdomaininfo.exe, that could help in this
>> situation. I could possibly mail to you if you want it. Microsoft gave
>> us this solution, it just isn't published.
>>
>> 1. Open a command prompt, type
>>    "C:\> lookupdomaininfo.exe <NETBIOS NAME OF DOMAIN>"
>>    (without the quotation marks), and then press "Enter" (without the
>>    quotation marks).
>>
>>    C:\>lookupdomaininfo.exe 2000domain.local
>>    Domain 2000domain.local sid S-1-5-21-3876887770-3197127548-3224736908
>>    binary domain sid has been put in domainsid.bin
>>
>> 2. Use LDP.EXE from the \Support\Tools directory of the Windows 2000
>>    Server CDROM to invalidate the RID Pool.
>>
>>    a. From the CONNECTION pull down menu, select the CONNECT command.
>>       Enter the name of the domain controller whose RID pool is to be
>>       invalidated. Use port 389 for the connection.
>>
>>    b. From the CONNECTION pull down menu, select the BIND command.
>>       Enter the account and password for a domain administrator in the
>>       target domain.
>>
>>    c. From the BROWSE command, select Modify.
>>
>>    d. Fill out the remainder of the MODIFY dialog as follows:
>>
>>       1. DN: <Null>
>>       2. Attribute: InvalidateRidPool
>>       3. Values: Use the "Insert File" command to point to the
>>          domainsid.bin file created in Step 2.
>>
>> 3. Press the "Enter" button to populate the "Entry List" command.
>>
>> 4. Press the "RUN" button.
>>
>> 5. Monitor event viewer.
>>
>>    a. After invalidating the RID pool, create a new user, computer or
>>       group in the "Active Directory Users and Computers" snap-in. The
>>       create may fail but will initiate a request for a new RID pool.
>>
>> --
>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Janaka Sampath" <janakaj(a)lankaequities.com> wrote in message
>> news:OHWAWDjIGHA.1088(a)tk2msftngp13.phx.gbl...
>>> Hi
>>>
>>> my RID master says that rid pool is empty. actually this RID master stop
>>> responding some time back. but I was able to create new accounts using
>>> existing pool. at the moment it's giving the message that pool is empty.
>>> how can I create a new RID master in my existing domain controller
>>> without demoting the domain.
>>>
>>> thank you
>>> Janaka
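Added example, not part of the original thread and not the lookupdomaininfo.exe tool itself: a Python check that a binary SID file decodes to the domain SID you expect before it is fed to an unsupported modify operation like the one quoted above. It assumes domainsid.bin holds the SID in the standard binary SID layout (revision byte, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities); the function names are hypothetical.

```python
# Added example; assumes the file holds a SID in the standard binary layout.
import struct

PAGE_SID = "S-1-5-21-3876887770-3197127548-3224736908"  # SID shown in the thread


def sid_to_bytes(sid):
    """Encode an 'S-1-...' string into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(blob):
    """Decode a binary SID, rejecting truncated or padded input."""
    if len(blob) < 8:
        raise ValueError("too short for a SID header")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def check_sid_file(blob, expected_sid):
    """True only if blob is a domain SID (S-1-5-21-a-b-c) equal to expected_sid."""
    sid = bytes_to_sid(blob)
    return sid == expected_sid and sid.startswith("S-1-5-21-") and blob[1] == 4


if __name__ == "__main__":
    blob = sid_to_bytes(PAGE_SID)  # stands in for the contents of domainsid.bin
    print(len(blob), blob.hex(), check_sid_file(blob, PAGE_SID))
```

To check a real file, read it in binary mode and pass the bytes to check_sid_file together with the domain SID reported by the tool.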
From: Jorge de Almeida Pinto [MVP] on 26 Jan 2006 13:59

got it thanks

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------