MOVING RID MASTER

Janaka Sampath

Hi

My RID master says that the RID pool is empty. Actually, this RID master stopped
responding some time back, but I was able to create new accounts using the
existing pool. At the moment it's giving the message that the pool is empty. How
can I create a new RID master in my existing domain controller without
demoting the domain?

thank you
Janaka
 
Paul Bergson

Here is what we did, but of course it is not published or supported. It is
what I would do given the same circumstances again, though. There is a file
that is needed, lookupdomaininfo.exe, that could help in this situation. I
could possibly mail it to you if you want it. Microsoft gave us this solution;
it just isn't published.





1. Open a command prompt, type

"C:\> lookupdomaininfo.exe <NETBIOS NAME OF DOMAIN>"

(without the quotation marks), and then press "Enter" (without the quotation marks).

C:\>lookupdomaininfo.exe 2000domain.local
Domain 2000domain.local sid S-1-5-21-3876887770-3197127548-3224736908
binary domain sid has been put in domainsid.bin

2. Use LDP.EXE from the \Support\Tools directory of the Windows 2000 Server CDROM to invalidate the RID Pool.

a. From the CONNECTION pull down menu, select the CONNECT command. Enter the name of the domain controller whose RID pool is to be invalidated. Use port 389 for the connection.

b. From the CONNECTION pull down menu, select the BIND command. Enter the account and password for a domain administrator in the target domain.

c. From the BROWSE command, select Modify.

d. Fill out the remainder of the MODIFY dialog as follows:

   1. DN: <Null>

   2. Attribute: InvalidateRidPool

   3. Values: Use the "Insert File" command to point to the domainsid.bin file created in Step 2.

3. Press the "Enter" button to populate the "Entry List" command.

4. Press the "RUN" button.

5. Monitor event viewer.

a. After invalidating the RID pool, create a new user, computer or group in the "Active Directory Users and Computers" snap-in. The create may fail but will initiate a request for a new RID pool.






--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Janaka Sampath

Thanks

If you could send me this lookupdomaininfo.exe tool ASAP

Thanks
janaka
 
Jorge de Almeida Pinto [MVP]

What is out of RIDs?

The DC ROLE itself does not have any RIDs to create security principals, or
the RID MASTER ROLE has exhausted its pool of available RIDs within the
domain? (which would mean you have already created billions of objects!)

RIDs are requested and distributed in blocks of 500 RIDs. Each DC has at
least one block (RidpreviousAllocationpool). When that block has been
exhausted for 50% of its RIDs, the DC will ask for a new block and store that in
the attribute called Ridallocationpool. When that block
(RidpreviousAllocationpool) is empty (exhausted for 100%), the block stored
in the Ridallocationpool attribute will be moved to the
RidpreviousAllocationpool attribute, and at that moment the RidAllocationpool
attribute will be empty. It will be used again when the
RidpreviousAllocationpool has been exhausted for 50%.

When you run:
DCDIAG /TEST:RIDMANAGER /V

This will show amongst other info:
* The available RID pool for the domain
* Who is the Rid master
* If a bind with the Rid master is successful
* Ridallocationpool (= the second pool of RIDs a DC has. A DC gets a second
pool when the first pool has passed 50%)
* RidpreviousAllocationpool (=the first pool used by the DC)
* RidNextRid (= the last used RID from the first pool)(and not the next rid
to be used as it looks like)

What is the output of the command in your case?
Any event ID errors in the event log? (like 16650 or something like 166xx)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
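
An added illustration, not part of any post in this thread and not Microsoft's code: the three pool values that DCDIAG /TEST:RIDMANAGER /V prints can be decoded and checked against the 50% rule described in the post above. It assumes the 64-bit encoding of rIDAllocationPool and rIDPreviousAllocationPool (high 32 bits = last RID of the block, low 32 bits = first RID) and treats an empty or unchanged rIDAllocationPool as "no second block yet"; the function names, state labels and sample values are constructed for this example.

```python
MASK32 = 0xFFFFFFFF

def encode_pool(first_rid, last_rid):
    """Build the 64-bit value (used only to construct the samples below)."""
    return (last_rid << 32) | first_rid

def decode_pool(value):
    """Split a 64-bit pool value into (first_rid, last_rid)."""
    value &= 0xFFFFFFFFFFFFFFFF      # tolerate a signed 64-bit representation
    return value & MASK32, value >> 32

def rid_pool_status(previous_pool, allocation_pool, next_rid, threshold=0.5):
    """Classify a DC's RID state from its three pool values.

    previous_pool   -> rIDPreviousAllocationPool (block in use)
    allocation_pool -> rIDAllocationPool (second block, if any)
    next_rid        -> rIDNextRID (last RID handed out, per the post above)
    """
    first, last = decode_pool(previous_pool)
    size = last - first + 1
    used = min(max(next_rid - first + 1, 0), size)
    # Assumption: "no second block" shows up as an empty value or as a copy
    # of the block already in use.
    second = decode_pool(allocation_pool or 0)
    has_second = second != (0, 0) and second != (first, last)
    if used < size * threshold:
        state = "ok"
    elif has_second:
        state = "second-block-ready"
    elif used < size:
        state = "awaiting-rid-master"   # request for a new block is outstanding
    else:
        state = "exhausted"             # no new security principals possible
    return {"block": (first, last), "used": used,
            "remaining": size - used, "state": state}

# Constructed sample values: one 500-RID block, 1103..1602.
BLOCK = encode_pool(1103, 1602)
SAMPLES = [
    ("DC-A", BLOCK, BLOCK, 1200),
    ("DC-B", BLOCK, encode_pool(2103, 2602), 1400),
    ("DC-C", BLOCK, BLOCK, 1400),
    ("DC-D", BLOCK, 0, 1602),
]

if __name__ == "__main__":
    for name, prev, alloc, nxt in SAMPLES:
        print(name, rid_pool_status(prev, alloc, nxt))
```

A DC that stays in "awaiting-rid-master" is the early sign of an unreachable RID master; "exhausted" is the state in which account creation starts to fail.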
 
Paul Bergson

Sent

Let me know if you received it or not.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
