In environments with a high rate of object creation or even during the process of migrating a large group of users,...
you may encounter the problem of being unable to create new objects in Active Directory. In most cases, the problem is simply a matter of the domain controller's running out of RIDs.
A RID or relative identifier is part of the unique security ID (SID) assigned to every object within the AD domain. The SID is created by combining an object's RID with the domain's own unique identification number. Since every domain controller in a Windows 2000 or Windows 2003 based AD domain can create new objects, the potential exists for two domain controllers to create objects with the same SID. So, to eliminate this potential, each domain controller is given a small range of RIDs to assign to new objects. The RID master (one of the FSMO AD roles) distributes the RIDs. When a DC uses all the RIDs in its current allotment, it requests a new RID set from the RID master.
If a DC attempts to create a new object before it receives the new RID set, the object will not be created. This produces an error, which is recorded in the Directory Services event log with an event ID of 16645. When this error appears in the event log, or you find yourself unable to create new objects, you need to resolve the issue. Here are some steps:
- Make sure the RID master is online and accessible. Use the Active Directory Users and Computers console to discover which DC is hosting the RID master FSMO role. Right click over the domain name from the console and select Operations Masters. Then select the RID master tab. Ping this server and attempt to connect to any share resource it offers to ensure communications.
- Test new object creation from another DC. If other DCs can create objects, then the problem is only with the initial DC. If no DCs can create objects, you may need to seize the RID master role.
- If a DC runs out of RIDs, it must request a new RID set from the RID master. There is no manual means to force this activity. So, you must wait for the DC to perform this operation on its own.
You can help avoid the problem in the future by increasing the size of the RID set. To do so, edit the Registry on the RID master DC. Change the RID Block Size entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values key. The minimum value is 500. Any assigned value to this entry between 0 and 500 will be treated as 500 by the system.
By default, Pre-SP4 Windows 2000 DCs are configured to request a new RID set when their current set is depleted by 80 percent. SP4 changed this value to 50 percent. Windows Server 2003 systems request new RID sets at 50 percent consumption. Microsoft documentation lists no means by which to alter the consumption percentage.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.