The RID (Relative Identifier) master is one of the three domain-level FSMO roles, i.e. each domain must have exactly one domain controller that owns it. The domain controller holding the RID master role is responsible for allocating a unique RID sequence (pool) to each domain controller in its domain, as well as for the consistency of object moves from one domain to another. In other words, this role is what lets every Active Directory user, computer and group receive a unique SID (Security Identifier) that identifies that user, group, domain or computer account.
When an administrator creates a new object (security principal) in Active Directory, it is assigned a unique Security Identifier (SID). The SID of the new object is composed of the domain SID and a relative ID (RID), which is taken from the RID pool of the domain controller on which the object is created.
The RID master is responsible for issuing these unique domain identifiers. RIDs are issued to each controller in the domain in pools of 500 at a time (by default). If necessary, the pool size and the request threshold can be changed. When less than 50% of the identifiers in a DC's pool remain, the domain controller that owns the RID master role replenishes it.
For example, to display the SIDs of all domain users:
Get-ADUser -Filter * | fl SID
Using the Dcdiag command, you can view the status of the RID master:
Dcdiag.exe /TEST:RidManager /v
You can also view the current RID range assigned to the current DC. Note that on the other domain controllers the pool will differ, because each controller in the domain is given its own unique pool.
Starting test: RidManager
* Available RID Pool for the Domain is 3101 to 1073741823
* dc01.domain.loc is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2601 to 3100
* rIDPreviousAllocationPool is 1101 to 1600
* rIDNextRID: 1436
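As an added example (not from the original article), the following PowerShell reads the attributes behind the dcdiag output above, rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID on each DC's RID Set object plus rIDAvailablePool on the domain's RID Manager$ object, and reports how many RIDs each DC still has before it depends on the RID master for a new pool. It assumes the ActiveDirectory PowerShell module and read access to those objects; the function names are not from the page.

```powershell
# Added example (not from the original article): read the same RID Set
# attributes that dcdiag /TEST:RidManager reports, for every DC in the domain,
# and show how many RIDs each DC has left. Assumes the ActiveDirectory module
# and an account allowed to read CN=RID Set objects and CN=RID Manager$.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    # rID*Pool attributes are 64-bit: low dword = first RID, high dword = last RID
    param([Int64]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    [PSCustomObject]@{
        Start = [BitConverter]::ToUInt32($bytes, 0)
        End   = [BitConverter]::ToUInt32($bytes, 4)
    }
}

function Get-RidPoolReport {
    $domain = Get-ADDomain
    # Domain-wide range not yet handed out, kept on the RID Manager$ object
    $ridManager = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                               -Properties rIDAvailablePool
    $avail = ConvertFrom-RidPool $ridManager.rIDAvailablePool
    Write-Host ("RID master: {0}; available pool {1} to {2}" -f $domain.RIDMaster, $avail.Start, $avail.End)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # rIDPreviousAllocationPool and rIDNextRID are not replicated, so ask each DC itself
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName -Properties rIDSetReferences
        $ridSet = Get-ADObject -Identity ([string]$computer.rIDSetReferences) -Server $dc.HostName `
                               -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $inUse   = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool  # pool RIDs are taken from now
        $standby = ConvertFrom-RidPool $ridSet.rIDAllocationPool          # pool granted for use afterwards
        $size = [Int64]$inUse.End - [Int64]$inUse.Start + 1
        $left = [Int64]$inUse.End - [Int64]$ridSet.rIDNextRID
        [PSCustomObject]@{
            DC          = $dc.HostName
            InUsePool   = "{0}-{1}" -f $inUse.Start, $inUse.End
            NextRID     = $ridSet.rIDNextRID
            LeftInPool  = $left
            PercentLeft = [math]::Round(100 * $left / $size)
            # No separate standby pool means the DC must reach the RID master before this pool runs out
            StandbyPool = $(if ($standby.Start -ne $inUse.Start) { "{0}-{1}" -f $standby.Start, $standby.End } else { 'none' })
        }
    }
}

Get-RidPoolReport | Format-Table -AutoSize
```

For the dcdiag output above, the report would show 164 RIDs (33%) left in the in-use pool 1101-1600, with 2601-3100 on standby.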
Another area of responsibility of the RID master is moving objects between domains. The RID master ensures that one object cannot be moved to two different domains at the same time. Otherwise two domains could end up with two identical objects sharing the same GUID, which is fraught with the most unexpected consequences.
When a security principal moves from one domain to another, it is assigned a new SID in the target domain, and the old one is kept for history in the specially created attribute SIDHistory. This attribute stores the entire history of the object's security identifiers and can contain more than one value.
According to Microsoft Best Practices, it is recommended:
- Keep the RID master and PDC emulator FSMO roles together on one domain controller.
- If for some reason you have lost the RID master server, you can forcefully seize this role on any other domain controller, but remember that after that the original RID master must never be brought back onto the network.
- Monitor the domain controllers' logs for events with EventID 16653-16658; they signal problems in the operation of the RID master.
- If the RID master is unavailable, after a while it will no longer be possible to create new objects in AD. How long depends on the number of free RIDs remaining in each DC's pool, which are issued in packs of 500.
You can change the RID master role owner using the Active Directory Users and Computers snap-in:
- Open the ADUC console and connect to the DC to which you want to transfer the role (Change Domain Controller).
- Right-click the root of the domain and select Operations Masters.
- On the RID tab, press the Change button.
- Confirm the transfer; you will then receive a notification of the successful transfer of the RID role.