
FSMO Role: RID Master


The RID master (Relative Identifier master) is one of the three domain-level FSMO roles, i.e. each domain has exactly one domain controller that owns it. The domain controller holding the RID master role is responsible for allocating a unique RID sequence (pool) to each domain controller in its domain and for making sure that objects are moved correctly from one domain to another. In other words, this role is what allows every Active Directory user, computer and group to receive a unique SID (Security Identifier) that identifies that user, group, domain or computer account.

When an administrator creates a new object in Active Directory (a new security principal), it is assigned a unique Security Identifier (SID). The SID of the new object is composed of the domain SID and a relative identifier (RID), which is taken from the RID pool of the domain controller on which the object is created.

The RID master is responsible for issuing these unique identifiers. Relative identifiers are issued to each domain controller in the domain in pools of 500 at a time (by default). If necessary, the size of the issued pool and the request threshold can be changed. When fewer than 50% of the identifiers in a DC's pool remain, the DC requests a fresh pool from the holder of the RID master role.
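The following script is an added example, not part of the original article. It shows the two facts above in practice: each principal's SID is the domain SID followed by a RID, and each DC keeps its current and standby pools (handed out by the RID master) in the rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID attributes of its "RID Set" object, packed as 64-bit values. It assumes the RSAT ActiveDirectory module and a domain-joined, authenticated session; the ConvertFrom-RidPool helper is mine, not a built-in cmdlet.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module; ConvertFrom-RidPool is a helper defined here, not a built-in cmdlet.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value     # e.g. S-1-5-21-<a>-<b>-<c>; the real value comes from your domain

# 1. A principal's SID is <domainSID>-<RID>; the RID is the last sub-authority.
#    RIDs below 1000 are reserved for well-known accounts and groups (500 = Administrator,
#    502 = krbtgt, 512 = Domain Admins, ...); RIDs handed out from DC pools start at 1000.
Get-ADUser -Filter * -ResultSetSize 10 | ForEach-Object {
    $sid = $_.SID.Value
    $rid = [int]$sid.Substring($sid.LastIndexOf('-') + 1)
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        SID            = $sid
        DomainPart     = $sid.Substring(0, $sid.LastIndexOf('-'))
        RID            = $rid
        WellKnown      = ($rid -lt 1000)
    }
} | Format-Table -AutoSize

# 2. Pools are stored as one 64-bit integer: low 32 bits = first RID, high 32 bits = last RID.
function ConvertFrom-RidPool {
    param([int64]$Value)
    [pscustomobject]@{
        Start = [uint32]($Value -band 0xFFFFFFFF)
        End   = [uint32]($Value -shr 32)
    }
}

# rIDPreviousAllocationPool is the pool a DC is currently issuing from; rIDAllocationPool
# is the standby pool the RID master has already granted for when the current one runs out
# (this matches the dcdiag RidManager output shown further down the article).
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    if (-not $comp.rIDSetReferences) { return }     # read-only DCs do not own a RID Set
    $ridSet = Get-ADObject -Identity $comp.rIDSetReferences[0] `
                           -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $current = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
    $standby = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    $size    = $current.End - $current.Start + 1
    $used    = $ridSet.rIDNextRID - $current.Start + 1
    [pscustomobject]@{
        DC          = $dc.HostName
        CurrentPool = "$($current.Start)-$($current.End)"
        StandbyPool = "$($standby.Start)-$($standby.End)"
        NextRID     = $ridSet.rIDNextRID
        PercentUsed = [math]::Round(100 * $used / $size, 1)   # crossing 50% triggers a new pool request
    }
} | Format-Table -AutoSize
```

The PercentUsed column is the figure worth watching: a DC that sits far above 50% with a standby pool equal to its current pool has been unable to reach the RID master for a new allocation.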



For example, display a list of the SIDs of all domain users:

Get-ADUser -Filter * | fl SID


Using the following command, you can view the status of the RID master:

Dcdiag.exe /TEST:RidManager /v


You can also view the current range of identifiers for the current DC. Note that on the other domain controllers the pool will be different, because each controller in the domain is given its own unique pool.

Starting test: RidManager

* Available RID Pool for the Domain is 3101 to 1073741823

* dc01.domain.loc is the RID Master

* DsBind with RID Master was successful

* rIDAllocationPool is 2601 to 3100

* rIDPreviousAllocationPool is 1101 to 1600

* rIDNextRID: 1436

Another area of responsibility of the RID master is moving objects between domains. The RID master ensures that one object cannot be moved to two different domains at the same time. Otherwise you could end up with two domains each containing an identical object with the same GUID, which has unpredictable consequences.

When a security principal moves from one domain to another, it is assigned a new SID in the target domain, and the old one is kept for history in the specially created attribute SIDHistory. This attribute stores the entire history of the object's security identifiers and can contain more than one value.
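As an added example (not from the original article), the script below lists every object in the domain that carries SIDHistory values and decodes each stored SID into its source-domain part and RID, resolving the source domain name when it belongs to the local forest. It assumes the RSAT ActiveDirectory module; Get-SidHistoryReport is my own function name.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    $domain    = Get-ADDomain
    $domainSid = $domain.DomainSID.Value

    # Map every forest domain's SID to its DNS name so history entries can be attributed.
    $forestDomains = @{}
    foreach ($name in (Get-ADForest).Domains) {
        $d = Get-ADDomain -Identity $name
        $forestDomains[$d.DomainSID.Value] = $d.DNSRoot
    }

    # sIDHistory is multi-valued; each value is a SecurityIdentifier.
    $objs = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass, objectSid

    foreach ($o in $objs) {
        foreach ($old in $o.sIDHistory) {
            $oldSid    = $old.Value
            $cut       = $oldSid.LastIndexOf('-')
            $oldDomain = $oldSid.Substring(0, $cut)
            $sourceName = if ($forestDomains.ContainsKey($oldDomain)) { $forestDomains[$oldDomain] }
                          else { 'external/unknown domain' }
            [pscustomobject]@{
                Name         = $o.Name
                Class        = $o.objectClass
                CurrentSID   = $o.objectSid.Value
                HistorySID   = $oldSid
                SourceDomain = $sourceName
                SourceRID    = [int]$oldSid.Substring($cut + 1)
                # A migrated object's history normally points at the *source* domain;
                # an entry whose domain part is the current domain is worth a closer look.
                SameDomain   = ($oldDomain -eq $domainSid)
            }
        }
    }
}

Get-SidHistoryReport | Sort-Object SameDomain -Descending | Format-Table -AutoSize
```

Run it after a migration to confirm that each migrated account's history points back to the expected source domain, and periodically thereafter, since SIDHistory entries keep granting access to resources in the source domain for as long as they exist.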


According to Microsoft best practices, it is recommended to:

  • Keep the RID master and PDC emulator FSMO roles together on one domain controller.
  • If for some reason the RID master server has been lost, you can forcibly seize this role on any other domain controller, but remember that after that the original RID master must never reappear on the network.
  • Monitor the domain controllers' event logs for events with EventID 16653-16658; they signal problems with the operation of the RID master.
  • If the RID master is unavailable, it will (after a while) become impossible to create new objects in AD. How long that takes depends on how many free identifiers remain in the DCs' pools, which are issued in packs of 500.
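The following monitoring sweep is an added example, not part of the original article. It reports who owns the RID master role (from both Get-ADDomain and the fSMORoleOwner attribute of the RID Manager$ object), how much of the domain-wide RID space is left (the rIDAvailablePool attribute, which is what the "Available RID Pool for the Domain" line in the dcdiag output above reflects), and then collects events 16653-16658 from every DC. It assumes the RSAT ActiveDirectory module and that these events land in the "Directory Service" log; adjust LogName if your environment differs.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module
# and that RID events are written to the "Directory Service" log.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "RID master (Get-ADDomain): $($domain.RIDMaster)"

# Domain-wide RID state lives on CN=RID Manager$,CN=System,<domain DN>:
#   fSMORoleOwner    -> NTDS Settings DN of the DC that owns the role
#   rIDAvailablePool -> 64-bit value; low 32 bits = next RID to hand out, high 32 bits = last usable RID
$ridMgr  = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                        -Properties fSMORoleOwner, rIDAvailablePool
$avail   = [int64]$ridMgr.rIDAvailablePool
$nextRid = [uint32]($avail -band 0xFFFFFFFF)
$maxRid  = [uint32]($avail -shr 32)
Write-Host ("Available RID pool for the domain: {0} to {1} ({2:N0} RIDs left)" -f $nextRid, $maxRid, ($maxRid - $nextRid))

# Cross-check: the attribute and the cmdlet should name the same DC.
$dcs     = Get-ADDomainController -Filter *
$ownerDc = $dcs | Where-Object { $_.NTDSSettingsObjectDN -eq $ridMgr.fSMORoleOwner }
if (-not $ownerDc -or $ownerDc.HostName -ne $domain.RIDMaster) {
    Write-Warning "fSMORoleOwner ($($ridMgr.fSMORoleOwner)) does not match Get-ADDomain ($($domain.RIDMaster)); check replication."
}

# Pull the RID-related events (16653-16658) from the last 7 days on every DC.
$ridEventIds = 16653..16658
foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 50 -ErrorAction SilentlyContinue `
                  -FilterHashtable @{ LogName = 'Directory Service'; Id = $ridEventIds; StartTime = (Get-Date).AddDays(-7) }
    foreach ($e in $events) {
        [pscustomobject]@{
            DC      = $dc.HostName
            Time    = $e.TimeCreated
            EventId = $e.Id
            Level   = $e.LevelDisplayName
            Message = ($e.Message -split "`n")[0]   # first line of the message is enough for a summary
        }
    }
}
```

An empty event list is the healthy result; any hit, or a disagreement between fSMORoleOwner and Get-ADDomain, is the signal to investigate before DCs start running out of RIDs.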

You can change the RID master role owner using the Active Directory Users and Computers snap-in:

  1. Open the ADUC console and connect to the DC to which you want to transfer the role (Change Domain Controller).
  2. Right-click the root of the domain and select Operations Masters.
  3. On the RID tab, click the Change button.
  4. Confirm the transfer; you will then receive a notification that the RID role was transferred successfully.
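The same transfer can be done from PowerShell with Move-ADDirectoryServerOperationMasterRole; the script below is an added example, not from the original article. It assumes the RSAT ActiveDirectory module, and "dc02" is an illustrative target DC name.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module;
# 'dc02' is an illustrative target DC name.
Import-Module ActiveDirectory

$target = 'dc02'
$before = (Get-ADDomain).RIDMaster
Write-Host "RID master before: $before"

# Graceful transfer: the current owner and the target must both be online; the current
# owner hands the role over and the change replicates normally.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole RIDMaster -Confirm:$false

# Only if the original RID master is permanently lost: add -Force to seize the role.
# As the article notes, the old owner must then never be brought back onto the network.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole RIDMaster -Force -Confirm:$false

# Verify against the target DC itself, so the check does not depend on replication having caught up.
$after = (Get-ADDomain -Server $target).RIDMaster
if ($after -notlike "$target*") { throw "Transfer failed: RID master is still $after" }
Write-Host "RID master after:  $after"
```

Keep the first bullet of the best-practice list in mind when choosing the target: if the PDC emulator lives on another DC, consider moving it along with the RID master.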
