An update is available to detect and prevent too much consumption of the global RID pool on a domain controller

Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Introduction


Active Directory Domain Services (AD DS) assigns unique security identifiers (SIDs) to users, computers, groups, and trusts that are created in Active Directory. SIDs consist of a domain prefix concatenated with a monotonically increasing relative identifier (RID). Each Active Directory domain is assigned a global RID pool that consists of 1 billion RIDs. To enable each Active Directory domain controller to create new security principals, each domain controller is allocated current and standby RID pools from the RID master.

When the global RID pool for the domain is exhausted, and the local pools on the individual domain controllers have been used up, no additional users, computers, or groups can be created in the domain. The only workaround at that point is to create a new domain and migrate objects and applications to it.

This article describes a condition in which a logic failure may result in too many RID pool requests. This leads to global RID pool exhaustion.

Symptoms


Under certain rare circumstances, Active Directory domain controllers may unexpectedly consume a large amount of RID resources and, eventually, exhaust the global RID pool. When this issue occurs, you may see one or more of the following symptoms:
 
  • RIDs in the global RID pool are continually being consumed over time.
  • The number of RIDs that are consumed in the global RID pool is greater than expected, considering the number of security principals that were intentionally created during the lifetime of the domain.
  • The DCDIAG RidManager test reports that a search for the rIDSetReferences attribute fails. Additionally, you receive the following error message:
    Starting test: RidManager
    Warning: attribute rIdSetReferences missing from
    CN=name,OU=Domain Controllers,DC=name,DC=name,DC=name,DC=name
    Could not get Rid set Reference :failed with 8481:
    The search failed to retrieve attributes from the database.
    ......................... name failed test RidManager

The hotfix in KB 2618669 adds detection and prevention of this behavior to Windows Server 2008 R2-based domain controllers.

This detection and prevention functionality is included in the RTM releases of the following operating systems:

  • OS versions released after Windows Server 2019 
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Cause


Under certain rare circumstances, a domain controller may issue recurring requests for RIDs from the global RID pool every 30 seconds.

If these repeated RID pool requests are allowed to continue for a significant period of time, the global RID pool experiences excessive RID consumption. In extreme cases, the global RID pool may be exhausted completely.
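The following PowerShell script is an added example; it is not part of this article and not a Microsoft tool. It reads the domain's rIDAvailablePool to show how many RIDs the RID master has issued, compares that number with the SID-bearing objects that exist in the domain (the "more RIDs consumed than expected" symptom), checks every domain controller for the rIDSetReferences attribute that the DCDIAG RidManager test warns about, and rates the observed burn against the one-request-every-30-seconds failure mode described under Cause. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, read access to the domain, and the default RID block size of 500 RIDs per allocation request; the function names are this example's own.

```powershell
# Added example, not from the KB article. Audits global RID pool consumption and the
# per-DC RID Set objects. Needs the ActiveDirectory module, PowerShell 3.0+ (-shr) and
# read access to the domain. Function names below are this example's own.
Import-Module ActiveDirectory

# Assumption: the default block of 500 RIDs per allocation request
# (configurable through the "RID Block Size" registry value on the RID master).
$RidBlockSize = 500

function Split-LargeInteger {
    # rIDAvailablePool and rIDAllocationPool are 64-bit values packed as two 32-bit halves.
    param([int64]$Value)
    [pscustomobject]@{
        High = [int64]($Value -shr 32)
        Low  = [int64]($Value -band [uint32]::MaxValue)
    }
}

function Get-RidPoolStatus {
    $domain   = Get-ADDomain
    $ridMgrDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool -Server $domain.RIDMaster
    # High half = size of the global pool (0x3FFFFFFF = 1,073,741,823 RIDs);
    # low half = next RID the RID master will issue, i.e. the RIDs consumed so far.
    $pool = Split-LargeInteger ([int64]$ridMgr.rIDAvailablePool)

    # Each user, computer (a subclass of user) and group carries one RID from this pool.
    # Deleted objects keep their SID until garbage-collected, so count them too.
    $filter     = '(&(objectSid=*)(|(objectClass=user)(objectClass=group)))'
    $principals = Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects
    $count      = @($principals).Count

    [pscustomobject]@{
        RidMaster       = $domain.RIDMaster
        PoolSize        = $pool.High
        RidsIssued      = $pool.Low
        RidsRemaining   = $pool.High - $pool.Low
        PrincipalsFound = $count
        # A large positive gap is the "more RIDs consumed than expected" symptom.
        UnaccountedRids = $pool.Low - $count
    }
}

function Test-RidSetReferences {
    # Mirrors the DCDIAG RidManager check: each DC's computer object must reference its RID Set.
    # OperatingSystem is included so Windows Server 2008 R2 DCs that still need the update stand out.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
        $row = [ordered]@{
            DC = $dc.HostName; OS = $dc.OperatingSystem; RidSet = $null
            CurrentBlock = $null; StandbyBlock = $null; NextRid = $null; Status = 'OK'
        }
        if (-not $comp.rIDSetReferences) {
            $row.Status = 'rIDSetReferences missing (DCDIAG RidManager would fail)'
        } else {
            $ridSetDn = @($comp.rIDSetReferences)[0]
            $ridSet = Get-ADObject -Identity $ridSetDn -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
            # rIDPreviousAllocationPool is the block in use, rIDAllocationPool the standby block;
            # low half = first RID of the block, high half = last.
            $cur = Split-LargeInteger ([int64]$ridSet.rIDPreviousAllocationPool)
            $sby = Split-LargeInteger ([int64]$ridSet.rIDAllocationPool)
            $row.RidSet       = $ridSet.DistinguishedName
            $row.CurrentBlock = '{0}-{1}' -f $cur.Low, $cur.High
            $row.StandbyBlock = '{0}-{1}' -f $sby.Low, $sby.High
            $row.NextRid      = $ridSet.rIDNextRID
        }
        [pscustomobject]$row
    }
}

function Measure-RidBurn {
    # Compare two RidsIssued readings taken $Hours apart with the failure mode in this article:
    # one allocation request every 30 seconds = 120 blocks per hour from a single DC.
    param([int64]$IssuedBefore, [int64]$IssuedAfter, [double]$Hours, [int64]$PoolSize)
    $perHour = ($IssuedAfter - $IssuedBefore) / $Hours
    $runaway = 120 * $RidBlockSize   # 60,000 RIDs per hour at the default block size
    $toGo = if ($perHour -gt 0) { [math]::Round(($PoolSize - $IssuedAfter) / $perHour, 1) } else { $null }
    [pscustomobject]@{
        RidsPerHour        = [math]::Round($perHour, 1)
        RunawayRatePerHour = $runaway
        LooksLikeRunawayDC = $perHour -ge (0.5 * $runaway)   # threshold is this example's choice
        HoursToExhaustion  = $toGo
    }
}

# Usage: take a reading, check the DCs, take a second reading later and compare.
$first = Get-RidPoolStatus
$first | Format-List
Test-RidSetReferences | Format-Table -AutoSize
# Later:  $second = Get-RidPoolStatus
#         Measure-RidBurn -IssuedBefore $first.RidsIssued -IssuedAfter $second.RidsIssued -Hours 1 -PoolSize $first.PoolSize
```

Run it alongside dcdiag /test:RidManager /v; a DC whose Status column reports the missing attribute is the one DCDIAG would fail. As a sanity check of the rate arithmetic, Measure-RidBurn -IssuedBefore 0 -IssuedAfter 60000 -Hours 1 -PoolSize 1073741823 reports about 17,895 hours to exhaustion, roughly 745 days: that is how long a single domain controller looping every 30 seconds at the default block size needs to empty a fresh global pool, which is why the consumption is easy to miss until the symptoms above appear.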

Resolution


To prevent excessive RID consumption in the global RID pool, we recommend that you take the following actions:
  • Install the latest monthly update released after September 2016 (KB3185278 or later) on all existing Windows Server 2008 R2 domain controllers.
  • Integrate the update into the Windows Server 2008 R2 installation media. This guarantees that future domain controllers will also have the update.
  • Deploy the Active Directory Domain Services role on newer OS versions that contain this functionality in the RTM release.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
 
824684 Description of the standard terminology that is used to describe Microsoft software updates