An update is available to detect and prevent too much consumption of the global RID pool on a domain controller that is running Windows Server 2008 R2

Article ID: 2618669

Introduction

Active Directory Domain Services (AD DS) assigns unique security identifiers (SIDs) to users, computers, groups, and trusts that are created in Active Directory. SIDs consist of a domain prefix concatenated with a monotonically increasing relative identifier (RID). Each Active Directory domain is assigned a global RID pool that consists of 1 billion RIDs. To enable each Active Directory domain controller to create new security principals, each domain controller is allocated current and standby RID pools from the RID master.

When the global RID pool for the domain and the local pools on individual domain controllers in the domain are exhausted, additional users, computers, and groups can no longer be created in the domain. To work around this issue, you can create and migrate objects and applications to a new domain.

This article describes a condition in which a logic failure may result in too many RID pool requests. This leads to global RID pool exhaustion.

Symptoms

Under certain rare circumstances, Windows Server 2008 R2 domain controllers unexpectedly consume a large amount of RID resources. This behavior exhausts the global RID pool. When this issue occurs, you experience one or more of the following issues:

  • RIDs in the global RID pool are continually being consumed over time.
  • The number of RIDs that are consumed in the global RID pool is greater than expected, considering the number of security principals that are intentionally created during the lifetime of the domain.
  • The DCDIAG RID Manager test indicates that a search for the RidSetReferences attribute fails. Additionally, you receive the following error message:
    Starting test: RidManager
    Warning: attribute rIdSetReferences missing from
    CN=name,OU=Domain Controllers,DC=name,DC=name,DC=name,DC=name
    Could not get Rid set Reference :failed with 8481:
    The search failed to retrieve attributes from the database.
    ......................... name failed test RidManager

This hotfix enables the ability to detect and prevent this behavior on Windows Server 2008 R2-based domain controllers.
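
As an added example (not part of the Microsoft article), the following Python code parses saved DCDIAG output collected from several domain controllers and lists the ones that show the RidManager symptom described above. The host names, the DN and the passing block in the sample are constructed; only the failure lines follow the article's output.

```python
import re

# Constructed sample: the failing block mirrors the article's output; the passing
# block and both host names (DC01, DC02) are made up for illustration.
SAMPLE = """\
   Starting test: RidManager
      Warning: attribute rIdSetReferences missing from
      CN=DC01,OU=Domain Controllers,DC=corp,DC=example
      Could not get Rid set Reference :failed with 8481:
      The search failed to retrieve attributes from the database.
      ......................... DC01 failed test RidManager
   Starting test: RidManager
      ......................... DC02 passed test RidManager
"""

START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
ERROR = re.compile(r"failed with (\d+)")

def parse_dcdiag(text):
    """Return one record per completed test: server, test, result, error codes, flag."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := START.search(line):
            # A new test block begins; collect its details until the result line.
            current = {"test": m.group(1), "errors": [], "rid_set_missing": False}
        elif current is None:
            continue  # text outside any test block
        elif m := RESULT.search(line):
            current.update(server=m.group(1), result=m.group(2))
            records.append(current)
            current = None
        else:
            current["errors"] += [int(code) for code in ERROR.findall(line)]
            if "ridsetreferences missing" in line.lower():
                current["rid_set_missing"] = True
    return records

def rid_symptom_hosts(text):
    """Domain controllers whose RidManager test shows the symptom from this article."""
    return [r["server"] for r in parse_dcdiag(text)
            if r["test"] == "RidManager" and r["result"] == "failed"
            and (r["rid_set_missing"] or 8481 in r["errors"])]
```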

Cause

Under certain rare circumstances, a domain controller may issue recurring requests for RIDs from the global RID pool every 30 seconds.

If repetitive requests for RID pool updates are allowed to continue for a significant period of time, the global RID pool may experience too much RID consumption. In extreme cases, the global RID pool may be exhausted completely.
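
As an added example (not part of the Microsoft article), the following Python code decodes two readings of the rIDAvailablePool attribute (stored on the CN=RID Manager$,CN=System object of the domain) and compares the consumption rate with what one domain controller requesting a pool every 30 seconds would drain. The RID block size of 500 is assumed to be the default, and the readings, timestamps and baseline are constructed.

```python
from datetime import datetime

RID_BLOCK_SIZE = 500      # assumption: default RID block size per pool request
REQUEST_INTERVAL_S = 30   # from the article: recurring requests every 30 seconds
# RIDs per hour that one looping domain controller would drain at those values
RUNAWAY_PER_HOUR = RID_BLOCK_SIZE * 3600 // REQUEST_INTERVAL_S

def decode_rid_available_pool(raw):
    """Split the 64-bit rIDAvailablePool value: high 32 bits = pool ceiling,
    low 32 bits = start of the unallocated range (RIDs already handed out)."""
    return raw >> 32, raw & 0xFFFFFFFF

def assess(samples, expected_per_hour):
    """samples: [(datetime, raw rIDAvailablePool)], oldest first.
    expected_per_hour: the administrator's own baseline (an assumption here)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, raw0), (t1, raw1) = samples[0], samples[-1]
    hours = (t1 - t0).total_seconds() / 3600
    if hours <= 0:
        raise ValueError("samples must be in chronological order")
    _, issued0 = decode_rid_available_pool(raw0)
    ceiling, issued1 = decode_rid_available_pool(raw1)
    rate = (issued1 - issued0) / hours
    remaining = ceiling - issued1
    return {
        "issued": issued1,
        "remaining": remaining,
        "rids_per_hour": rate,
        # 1.0 means the drain matches one DC requesting a pool every 30 seconds
        "looping_dcs_equivalent": rate / RUNAWAY_PER_HOUR,
        "days_to_exhaustion": remaining / rate / 24 if rate > 0 else None,
        "alert": rate > expected_per_hour,
    }

# Constructed readings (not real data), taken one hour apart.
CEILING = 2**30 - 1   # 1,073,741,823
SAMPLES = [
    (datetime(2024, 1, 1, 9, 0), (CEILING << 32) | 20_000),
    (datetime(2024, 1, 1, 10, 0), (CEILING << 32) | 80_000),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLES, expected_per_hour=100).items():
        print(f"{key}: {value}")
```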

Resolution


To prevent too much RID consumption in the global RID pool, we recommend that you take the following actions:
  • Install this hotfix on all existing Windows Server 2008 R2 domain controllers.
  • Integrate the update into the Windows Server 2008 R2 installation media. By doing this, you guarantee that future domain controllers will also have this update.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support

Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
Important: Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Version           Product                   SR_Level   Service branch
    6.1.7600.16xxx    Windows Server 2008 R2    RTM        GDR
    6.1.7600.21xxx    Windows Server 2008 R2    RTM        LDR
    6.1.7601.21xxx    Windows Server 2008 R2    SP1        LDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
File name     File version      File size    Date          Time    Platform
Ntdsa.mof     Not applicable    227,765      10-Jun-2009   20:34   Not applicable
Ntdsai.dll    6.1.7600.21062    2,726,400    01-Oct-2011   05:34   x64
Ntdsa.mof     Not applicable    227,765      05-Nov-2010   01:54   Not applicable
Ntdsai.dll    6.1.7601.21830    2,726,400    01-Oct-2011   05:27   x64
Samlib.dll    6.1.7600.16385    107,008      14-Jul-2009   01:41   x64
Samsrv.dll    6.1.7600.21062    761,344      01-Oct-2011   05:34   x64
Samsrv.mof    Not applicable    62,541       10-Jun-2009   20:35   Not applicable
Samlib.dll    6.1.7600.16385    107,008      14-Jul-2009   01:41   x64
Samsrv.dll    6.1.7601.21830    761,344      01-Oct-2011   05:27   x64
Samsrv.mof    Not applicable    62,541       10-Jun-2009   20:35   Not applicable
Samlib.dll    6.1.7600.21062    60,928       01-Oct-2011   04:39   x86
Samsrv.mof    Not applicable    62,541       22-Jul-2009   23:04   Not applicable
Samlib.dll    6.1.7601.21830    60,928       01-Oct-2011   06:08   x86
Samsrv.mof    Not applicable    62,541       12-Nov-2010   23:39   Not applicable

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2

File name: Amd64_1b4b0f08a8d616d8a0a75fe87ce3f871_31bf3856ad364e35_6.1.7601.21830_none_e9f6d269a40abf6a.manifest
File version: Not applicable
File size: 1,070
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_681eae25416d6ead3a157d966addd004_31bf3856ad364e35_6.1.7600.21062_none_35fc4a79ed798327.manifest
File version: Not applicable
File size: 714
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_82accd49bcb301dc1e175a6aab832e1b_31bf3856ad364e35_6.1.7600.21062_none_1e9cacce64f6bb6f.manifest
File version: Not applicable
File size: 1,070
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_8ae184f08b5e5be7bddc81c67869a446_31bf3856ad364e35_6.1.7601.21830_none_8396ac6d0ac66b44.manifest
File version: Not applicable
File size: 714
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_a5893f0632752b36668912f5ac6bbd28_31bf3856ad364e35_6.1.7600.21062_none_4db38a7fb943a425.manifest
File version: Not applicable
File size: 716
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_ad089740775a6ad30dd176d6f0624a24_31bf3856ad364e35_6.1.7601.21830_none_35f43631ee878038.manifest
File version: Not applicable
File size: 716
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.1.7600.21062_none_4d5750f8ebe40c2e.manifest
File version: Not applicable
File size: 3,531
Date (UTC): 01-Oct-2011
Time (UTC): 06:19
Platform: Not applicable

File name: Amd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.1.7601.21830_none_4f5c46f2e8f3bb7e.manifest
File version: Not applicable
File size: 3,531
Date (UTC): 01-Oct-2011
Time (UTC): 07:18
Platform: Not applicable

File name: Amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7600.21062_none_0e7f6869d3b5d5f3.manifest
File version: Not applicable
File size: 99,404
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7601.21830_none_10845e63d0c58543.manifest
File version: Not applicable
File size: 99,404
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Update.mum
File version: Not applicable
File size: 5,425
Date (UTC): 03-Oct-2011
Time (UTC): 11:16
Platform: Not applicable

File name: Wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7600.21062_none_18d412bc081697ee.manifest
File version: Not applicable
File size: 81,227
Date (UTC): 01-Oct-2011
Time (UTC): 04:59
Platform: Not applicable

File name: Wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7601.21830_none_1ad908b60526473e.manifest
File version: Not applicable
File size: 81,227
Date (UTC): 01-Oct-2011
Time (UTC): 06:29
Platform: Not applicable

Properties

Article ID: 2618669 - Last Review: December 28, 2012 - Revision: 3.0
Applies to
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter