AD Internals: Reset RID Allocation Pool
A few days ago I wrote about how RID Allocation Pools work in Active Directory (see AD Internals: Display RID Allocation Pools).
That article includes a script that dumps all RID information for the whole domain. I will be using that script, rIDump.ps1, in this article as well.
In my test environment I had a problem with the RID Allocation Pool on one of the Domain Controllers. I noticed it because there were duplicate SIDs in the domain.
So I needed to force this Domain Controller to re-allocate a block of RIDs, and I wrote a PowerShell script, rIDAlloc.ps1, to do that.
Before I go on with the script I will explain how we can force a Domain Controller to re-allocate a RID Pool.
First we need the domain SID, which we obtain from the objectSid attribute of the domain object:
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default naming context of the current domain
$objDomainSid = $objDomain.objectSid                             # the domain SID in binary form (byte array)
Then we write the domain SID to a special attribute called invalidateRidPool on the directory root (RootDSE) of the Domain Controller in question and commit the change.
After this special value has been written, the rIDPreviousAllocationPool value of that Domain Controller is reset to 0.
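The two steps above, and the read-back of the RID Set that the rIDump output below shows, as an added example written for this article; it is not the author's rIDAlloc.ps1 or rIDump.ps1. The DC name is a placeholder parameter, the caller is assumed to be a Domain Admin, and the only dependency is System.DirectoryServices (ADSI), the same class the snippet above uses. The RID Set is located by following RootDSE serverName to the NTDS server object, its serverReference to the computer object, and that object's rIDSetReferences.

```powershell
# Added example, not the author's rIDAlloc.ps1: invalidate one DC's RID pool through the
# RootDSE invalidateRidPool operation and read that DC's RID Set back afterwards.
# Assumptions: $Server is a placeholder DC name, the caller is a Domain Admin, and
# System.DirectoryServices (ADSI) is available (any Windows PowerShell on a domain member).
param(
    [Parameter(Mandatory = $true)]
    [string]$Server        # placeholder, e.g. 'dc001.zorg.local'
)

function Get-DomainSid {
    param([string]$Server)
    # RootDSE gives the domain's distinguished name; the domain object carries objectSid.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value
    $domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$domainDn")
    [byte[]]$domain.Properties['objectSid'].Value     # binary SID, the form invalidateRidPool expects
}

function Invoke-InvalidateRidPool {
    param([string]$Server, [byte[]]$DomainSid)
    # invalidateRidPool is a RootDSE modify operation rather than a stored attribute: writing
    # the domain SID to it on a specific DC makes that DC discard its current pool. The DC
    # requests a fresh pool from the RID Master the next time it has to issue a RID.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $rootDse.UsePropertyCache = $false          # write through instead of caching locally
    $rootDse.Put('invalidateRidPool', $DomainSid)
    $rootDse.SetInfo()                          # commit the change
}

function ConvertFrom-RidPool {
    param([int64]$Pool)
    # A pool is stored as one 64-bit value: low DWORD = first RID, high DWORD = last RID.
    # 4294967295 is 0xFFFFFFFF written in decimal so PowerShell keeps it as a positive Int64.
    [pscustomobject]@{
        From = [uint32]($Pool -band 4294967295)
        To   = [uint32]($Pool -shr 32)          # -shr needs PowerShell 3.0 or later
    }
}

function Get-RidSet {
    param([string]$Server)
    # Walk RootDSE -> NTDS server object -> computer object -> RID Set, all on the same DC,
    # so we see that DC's own (possibly not yet replicated) view of the values.
    $rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $serverDn   = $rootDse.Properties['serverName'].Value
    $serverObj  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$serverDn")
    $computerDn = $serverObj.Properties['serverReference'].Value
    $computer   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$computerDn")
    $ridSetDn   = $computer.Properties['rIDSetReferences'].Value
    $ridSet     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ridSetDn")

    # DirectorySearcher returns LargeInteger attributes as Int64, which avoids the COM
    # IADsLargeInteger object that DirectoryEntry.Properties would hand back.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ridSet, '(objectClass=rIDSet)')
    $searcher.SearchScope = 'Base'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('rIDAllocationPool', 'rIDPreviousAllocationPool', 'rIDNextRID'))
    $r = $searcher.FindOne()

    $alloc = ConvertFrom-RidPool ([int64]$r.Properties['ridallocationpool'][0])
    $prev  = ConvertFrom-RidPool ([int64]$r.Properties['ridpreviousallocationpool'][0])
    [pscustomobject]@{
        DC               = $Server
        rIDAllocFrom     = $alloc.From
        rIDAllocTo       = $alloc.To
        rIDPrevAllocFrom = $prev.From
        rIDPrevAllocTo   = $prev.To
        rIDNextRID       = [int]$r.Properties['ridnextrid'][0]
    }
}

$sidBytes = Get-DomainSid -Server $Server
$sidText  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
Write-Host "Domain SID: $sidText"
Write-Host 'Before:'
Get-RidSet -Server $Server | Format-Table -AutoSize

Invoke-InvalidateRidPool -Server $Server -DomainSid $sidBytes

Write-Host 'After invalidateRidPool (rIDPrevAllocFrom/To and rIDNextRID should now read 0):'
Get-RidSet -Server $Server | Format-Table -AutoSize
```

Run it as `.\Invalidate-RidPool.ps1 -Server dc001.zorg.local` (file name and DC name are placeholders). Binding every object to the same DC matters: the RID Set values are per-DC state, and reading them from another DC may show a stale replica. The write is a RootDSE operation, so there is nothing to undo; the DC simply asks the RID Master for a new block the next time it needs to issue a RID.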
Let’s check this with the rIDump script!
Before writing the invalidateRidPool attribute (on DC001):
RidAvailablePool: from 50605 to 1073741823

DC     rIDAllocFrom  rIDAllocTo  rIDPrevAllocFrom  rIDPrevAllocTo  rIDNextRID
-------------------------------------------------------------------------------
DC001         50105       50604             50105           50604       50105
DC002         48105       48604             48105           48604       48110
Let’s run the script and select DC001:
The script outputs:
Domain: DC=zorg,DC=local
Netbios name: zorg
Selected: dc001.zorg.local
Invalidating RID Pool
Commiting Changes
Now we rerun the rIDump script:
RidAvailablePool: from 50605 to 1073741823

DC     rIDAllocFrom  rIDAllocTo  rIDPrevAllocFrom  rIDPrevAllocTo  rIDNextRID
-------------------------------------------------------------------------------
DC001         50105       50604                 0               0           0
DC002         48105       48604             48105           48604       48110
In the System EventLog on the Domain Controller the following event will be generated:
Now we have to create a new object. I did that with Active Directory Users & Computers (don’t forget to connect to the Domain Controller you have just reset) and started creating a dummy user.
You will get the following error message:
At this point you can cancel the creation of the dummy user (nothing has been created yet), because by the time this error appears the Domain Controller has already allocated a new RID Pool.
We can verify this with rIDump:
RidAvailablePool: from 51105 to 1073741823

DC     rIDAllocFrom  rIDAllocTo  rIDPrevAllocFrom  rIDPrevAllocTo  rIDNextRID
-------------------------------------------------------------------------------
DC001         50605       51104             50605           51104       50605
DC002         48105       48604             48105           48604       48110
Both the rIDump and the rIDAlloc scripts can be downloaded freely from the Denamik website.
Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.