
FSMO Role: RID Master

The RID master (Relative Identifier master) is one of the three domain-level FSMO roles, i.e. every domain must have exactly one domain controller that owns it. The domain controller holding the RID master role allocates a unique range of RIDs (a RID pool) to each domain controller in its domain and is also responsible for the correctness of moving objects from one domain to another. In other words, this role is what ensures that every Active Directory user, computer and group receives a unique SID (Security Identifier), the value that identifies a user, group, domain or computer account.

When an administrator creates a new object in Active Directory (a new security principal), it is assigned a unique Security Identifier (SID). The SID of the new object is composed of the domain SID and a relative identifier (RID), which is taken from the RID pool of the domain controller on which the object is created.

The RID master is responsible for issuing these unique identifiers. RIDs are issued to each domain controller in pools of 500 at a time (by default). If necessary, the pool size and the request threshold can be changed. When less than 50% of the identifiers in a controller's pool remain, the DC that owns the RID master role replenishes it with a new pool.


For example, to display the SIDs of all domain users:

Get-ADUser -Filter * | fl SID
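To make the "domain SID + RID" structure visible, here is an added PowerShell example (not from the original article) that takes every SID-bearing object in the domain apart into its domain part and RID. It assumes the RSAT ActiveDirectory module and a domain-joined session; Get-ADDomain, Get-ADObject and the .NET SecurityIdentifier.AccountDomainSid property are real, the function name Split-DomainSid is mine.

```powershell
# Added example, not the article's own code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Split-DomainSid {
    # Splits a SID such as S-1-5-21-<d1>-<d2>-<d3>-1105 into its domain part and RID.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    [PSCustomObject]@{
        Sid       = $Sid.Value
        DomainSid = $Sid.AccountDomainSid.Value   # $null for non-domain SIDs (e.g. S-1-5-32-544)
        Rid       = [int](($Sid.Value -split '-')[-1])
    }
}

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Every object in this domain NC that carries a SID: users, computers and groups.
# Built-in (S-1-5-32-*) and foreign security principals have no AccountDomainSid and drop out.
$principals = Get-ADObject -LDAPFilter '(objectSid=*)' `
    -SearchBase $domain.DistinguishedName -Properties objectSid, objectClass |
    Where-Object { $_.objectSid.AccountDomainSid.Value -eq $domainSid } |
    ForEach-Object {
        $s = Split-DomainSid $_.objectSid
        [PSCustomObject]@{ Name = $_.Name; Class = $_.objectClass; Rid = $s.Rid; Sid = $s.Sid }
    }

# RIDs below 1000 are reserved for well-known principals (500 = built-in Administrator,
# 502 = krbtgt, 512 = Domain Admins); principals created later start at RID 1000.
$principals | Where-Object Rid -lt 1000 | Sort-Object Rid | Format-Table Rid, Name, Class

# The built-in Administrator is identified by RID 500 even if the account has been renamed.
$principals | Where-Object Rid -eq 500

# Highest RID handed out so far in this domain (compare with rIDNextRID on each DC).
($principals | Measure-Object Rid -Maximum).Maximum
```

The RID, not the account name, is what identifies a principal to Windows, which is why the RID 500 lookup is the reliable way to find the built-in Administrator account.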


Using the following command, you can view the status of the RID master:

Dcdiag.exe /TEST:RidManager /v


The same test also shows the current RID range of the DC you run it on. Note that on the other domain controllers the pool will differ, because each controller in the domain is given its own unique pool.

Starting test: RidManager
* Available RID Pool for the Domain is 3101 to 1073741823
* dc01.domain.loc is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2601 to 3100
* rIDPreviousAllocationPool is 1101 to 1600
* rIDNextRID: 1436

Another area of responsibility of the RID master is moving objects between domains. The RID master ensures that a single object cannot be moved to two different domains at the same time. Otherwise you could end up with two domains each holding an identical object with the same GUID, which leads to the most unexpected consequences.

When a security principal is moved from one domain to another, it is assigned a new SID in the target domain, while the old SID is kept for history and written to the specially created attribute SIDHistory (the SIDs stored there are still added to the account's access token, so access that was granted to the old SID is preserved). This attribute stores the entire history of the object's security identifiers and can therefore contain more than one value.

According to Microsoft best practices, it is recommended to:

  • Keep the RID master and PDC emulator FSMO roles together on one domain controller.
  • If for some reason you have lost the RID master server, you can forcibly seize this role on any other domain controller, but remember that after that the original RID master must never be brought back onto the network.
  • Monitor the domain controllers' logs for events with EventID 16653-16658; they indicate problems with the operation of the RID master.
  • If the RID master is unavailable, it will (after a while) become impossible to create new objects in AD. How long depends on the number of free RIDs left in the pools already issued to the domain controllers (issued in blocks of 500).
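The following added PowerShell health check (not part of the original article) reads the same values that the Dcdiag RidManager test above prints, straight from the directory, and turns the last two recommendations into something that can be scheduled: it decodes the domain-wide pool from CN=RID Manager$, the per-DC pools from each DC's RID Set object, counts how many RIDs each DC can still hand out, and pulls events 16653-16658. It assumes the RSAT ActiveDirectory module and read access to those objects. The attribute names rIDAvailablePool, rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID are real; the assumptions are (a) that each pool attribute is a 64-bit value whose low 32 bits are the first RID and high 32 bits the last (this matches the 2601 to 3100 decoding in the Dcdiag output), (b) that rIDPreviousAllocationPool is the pool currently in use and rIDAllocationPool the next pool already obtained from the RID master, and (c) that the events are written to the Directory Service log. The function names and the 100-RID warning threshold are mine.

```powershell
# Added example, not the article's own code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    # Assumption: pool attributes are 64-bit, low 32 bits = first RID, high 32 bits = last RID.
    param([Int64]$Value)
    [PSCustomObject]@{
        Start = $Value % 4294967296   # low 32 bits (modulo keeps Int64 precision)
        End   = $Value -shr 32        # high 32 bits
    }
}

function Get-RidHealth {
    param([int]$WarnBelow = 100)      # warn when a DC has fewer RIDs than this left

    $domain = Get-ADDomain
    $ridManager = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
        -Properties rIDAvailablePool
    $avail = ConvertFrom-RidPool $ridManager.rIDAvailablePool
    Write-Host ("RID master: {0}; next unallocated domain pool: {1} to {2}" -f
        $domain.RIDMaster, $avail.Start, $avail.End)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # rIDNextRID and rIDPreviousAllocationPool are not replicated, so ask each DC itself.
        $ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) -Server $dc.HostName `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $current = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool   # pool in use (assumption)
        $standby = ConvertFrom-RidPool $ridSet.rIDAllocationPool           # next pool, if already fetched
        $left = $current.End - $ridSet.rIDNextRID
        if ($standby.Start -ne $current.Start) { $left += $standby.End - $standby.Start + 1 }
        $warn = if ($left -lt $WarnBelow) { 'LOW: check that the RID master is reachable' } else { '' }
        [PSCustomObject]@{
            DC          = $dc.HostName
            CurrentPool = "$($current.Start)-$($current.End)"
            NextPool    = "$($standby.Start)-$($standby.End)"
            LastRid     = $ridSet.rIDNextRID
            RidsLeft    = $left
            Warning     = $warn
        }
    }
}

function Get-RidEvents {
    # RID manager events from every DC (log name 'Directory Service' is an assumption).
    param([int]$Max = 20)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -MaxEvents $Max -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 16653..16658 } |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, TimeCreated, Id, Message
    }
}

Get-RidHealth | Format-Table -AutoSize
Get-RidEvents | Format-Table -AutoSize -Wrap
```

Run against the DC from the Dcdiag output above, the script would report a current pool of 1101-1600, a next pool of 2601-3100 and 664 RIDs left (164 in the current pool plus the 500 standby RIDs), which is the number that decides how long object creation keeps working if the RID master goes down.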

You can change the owner of the RID master role using the Active Directory Users and Computers snap-in:

  1. Open the ADUC console and connect to the DC to which you want to transfer the role (Change Domain Controller).
  2. Right-click the root of the domain and select Operations Masters.
  3. On the RID tab, click the Change button.
  4. Confirm the transfer; you will then receive a notification that the RID role was transferred successfully.
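The same transfer can be scripted. The added PowerShell function below (not from the original article) is the command-line equivalent of the four ADUC steps, with the forced seizure from the best-practice list as an explicit switch. It assumes the RSAT ActiveDirectory module; Move-ADDirectoryServerOperationMasterRole with -OperationMasterRole RIDMaster and -Force, and the RIDMaster property of Get-ADDomain, are real. The function name and the sample DC name dc02 are mine.

```powershell
# Added example, not the article's own code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Move-RidMasterRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,   # DC that should own the role, e.g. 'dc02'
        [switch]$Seize                             # only when the current owner is permanently lost
    )
    $before = (Get-ADDomain).RIDMaster
    Write-Host "RID master before: $before"

    if ($Seize) {
        # -Force seizes the role without contacting the old owner; as the article notes,
        # the old RID master must then never be brought back onto the network.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole RIDMaster `
            -Force -Confirm:$false
    } else {
        # Graceful transfer: the current owner hands the role over and replicates the change.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole RIDMaster `
            -Confirm:$false
    }

    # Verify against the target DC itself; other DCs may still show the old owner until replication.
    $after = (Get-ADDomain -Server $TargetDc).RIDMaster
    Write-Host "RID master after:  $after"
    return ($after -like "$TargetDc*")
}

# Usage: plain transfer, then confirm with the same Dcdiag test the article uses.
Move-RidMasterRole -TargetDc 'dc02'
Dcdiag.exe /TEST:RidManager /v
```

Use the -Seize switch only in the failed-RID-master scenario from the list above; for a healthy domain the plain transfer is the right call, because it keeps both DCs in agreement about who owns the role.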
