"Domain controller has failed to obtain a new identifier pool" error event in Windows 2000 Server SP3 and earlier
Provided that there is sufficient network connectivity to the RID operations master, a domain controller does not experience this condition unless its rate of RID consumption is quite high. For example, if the rate of security principal creation exceeds the domain controller's ability to acquire a new RID pool from the RID operations master, the domain controller temporarily cannot service security principal creations. After a RID pool is successfully acquired, the condition clears and security principal creation resumes.
Event 16645 and, in some cases, event 16651 are logged in the Directory Service event log of domain controllers that cannot acquire new RID pools. The message text for each event is:
Individual domain controllers maintain local RID pools that are obtained from a global pool on the RID operations master. By default, RID pools are obtained in increments of 500. Windows 2000 domain controllers request a new RID pool when 20 percent of the current pool remains. Domain controllers in e-commerce or large-scale ADMT migration environments can create large numbers of security principals in a short period of time. This may use up their local RID pools more quickly than in conventional enterprise deployments.
Problems occur when a domain controller's local RID pool is used up and the domain controller cannot obtain a new pool from the RID operations master because of a problem with itself, with the RID operations master, or with the network. The domain controller then cannot create additional security principals and stops advertising domain controller services until a new local pool is obtained.
To reduce the chance of this loss of service, administrators can increase the number of RIDs that are allocated by the RID operations master in each pool by adjusting the REG_DWORD RID Block Size value on domain controllers under the following registry key:
With Windows 2000 Service Pack 4 (SP4), the threshold at which domain controllers start to request a new RID pool has been increased to 50 percent. For example, a domain controller with the default RID block size of 500 starts to request a new pool when 250 (50 percent of 500) RIDs have been consumed. A pre-SP4 domain controller with the same RID block size of 500 requests a new pool only when 100 (20 percent) of the default block of 500 RIDs remain.
The change means that, at default settings, domain controllers are a little more resilient to temporary outages of the RID master, and the RID pool size is administrator configurable. Note that the global RID space, and therefore the number of users, computers, and groups you can create, is finite for each domain (approximately 2^30 RIDs exist). After the domain-wide RID pool is used up, no new security principals can be created in the domain. Because of this, there are risks associated with increasing the "RID Block Size." For example, every time a domain controller is decommissioned through graceful or forceful demotion, or because of a hardware failure, all of its unused RIDs are lost. Similarly, every time a domain controller is restored from backup, its RIDs are all invalidated to help prevent more than one security principal from being assigned the same RID.
Outward facing directory configurations are a notable exception to leaving the default RID values. In these configurations, the rate of security principal creation is high, the RID space is very centralized because few domain controllers are needed, and uptime is frequently equivalent to the ability to service account creations. Because of this, availability is generally measured by how long or how many security principals can be created when the RID operations master is unavailable. This time can be greatly increased if the average number of RIDs allocated locally is larger.
For outward facing deployment configurations, or other deployments with special needs, the block size was exposed as a configuration parameter. Windows 2000 SP4 and the Windows Server 2003 family expose a registry configuration that can be used to increase the RID pool size. This makes it possible for each domain controller to create a larger number of security principals without contacting the RID operations master.
There is no benefit to changing the RID block size from the default when Active Directory is deployed as a general purpose NOS directory. In such cases Microsoft recommends the default configuration.
If you do elect to use a different RID block size, only the value configured on the RID operations master takes effect. However, to simplify the management of this setting, configure the value identically on all domain controllers in the target domain. This way, if the RID operations master role is transferred to another domain controller, the RID block size remains consistent without additional updates, and System State restores will not unintentionally overwrite the intended setting.
This registry setting is used by the RID operations master to determine what size RID pool to return to a requesting domain controller, including the RIDs for the local RID pool on the RID FSMO itself:
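The following script is an added example and is not part of this article or of any Microsoft tool. It implements the two checks the text above asks for: that "RID Block Size" is configured identically on every domain controller (so that a role transfer or a System State restore does not silently change the effective block size), and how much of the finite domain-wide RID space has already been handed out, which is the figure to look at before raising the block size. It assumes the ActiveDirectory PowerShell module, WinRM access to each domain controller, and read-only domain administrator rights. The registry key under which the value lives is not reproduced in this copy of the article, so it is left as a labelled placeholder; the rIDAvailablePool attribute and its decoding are a known Active Directory detail that the article itself does not mention.

```powershell
# Added example (not from KB 316201): audit "RID Block Size" across all DCs and
# report consumption of the domain's global RID space. Read-only; changes nothing.

Import-Module ActiveDirectory

# PLACEHOLDER: supply the registry key named in this article before running.
$RidValuesKey = 'HKLM:\<registry key from this article>'
$ValueName    = 'RID Block Size'
$DefaultBlock = 500   # default pool increment stated in the article

$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster
$dcs       = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $block = Invoke-Command -ComputerName $dc -ScriptBlock {
            param($key, $name)
            $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $p) { $null } else { $p.$name }
        } -ArgumentList $RidValuesKey, $ValueName -ErrorAction Stop
    } catch {
        $block = "unreachable: $($_.Exception.Message)"
    }
    # An absent value means the DC is using the built-in default.
    $effective = if ($null -eq $block) { "(not set, default $DefaultBlock)" } else { "$block" }
    [pscustomobject]@{
        DomainController = $dc
        IsRidMaster      = ($dc -ieq $ridMaster)
        RidBlockSize     = $effective
    }
}

$results | Format-Table -AutoSize

# The article asks for an identical value on every DC; flag any drift.
$distinct = @($results | ForEach-Object { $_.RidBlockSize } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "RID Block Size differs between domain controllers: $($distinct -join ', ')"
}

# Global RID space consumed so far. rIDAvailablePool on the RID Manager$ object
# (assumption: known AD attribute, not mentioned in the article) packs the highest
# allocatable RID in the upper 32 bits and the next RID to hand out in the lower 32.
$ridManagerDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
$ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool
$pool    = [int64]$ridManager.rIDAvailablePool
$maxRid  = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
"RIDs handed out so far: {0:N0} of {1:N0} ({2:P1} of the domain's RID space)" -f `
    $nextRid, $maxRid, ($nextRid / $maxRid)
```

Run it from any domain-joined management host; a larger block size multiplies the RIDs lost on each demotion or restore described above, so compare the consumption figure against the rate at which domain controllers are rebuilt before changing the value.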
Article ID: 316201 - Last Review: 10/30/2006 23:20:37 - Revision: 4.4
- kbwin2ksp4fix kbsecurity kbbug kbfix kbwin2000presp4fix KB316201