Event ID 16645 — RID Pool Request

Applies To: Windows Server 2008 R2

Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.

Event Details

Product: Windows Operating System
ID: 16645
Source: SAM
Version: 6.0
Symbolic Name: SAMMSG_MAX_DC_RID
Message: The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the RID master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the RID master domain controller may be offline or missing from the domain. Verify that the RID master domain controller is running and connected to the domain.

Resolve

Check connectivity to the RID master, and check its replication status

A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master. Ensure that the RID master is online and replicating to other domain controllers. Perform the following procedure using the computer that is logging the event to be resolved.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To determine which domain controller is the RID master:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the console tree, right-click the domain object, and then click Operations Masters.
  3. On the RID tab, note the name of the computer that is identified as the Operations master.
  4. Click Start, click Run, type \\RIDcomputer\sysvol, and then click OK. (Substitute the name of the computer that is identified as the RID master for RIDcomputer.) If a connection opens to the computer, the local computer can connect to the domain controller that holds the RID operations master role.

If you determine that the local computer is not able to communicate with the computer that is identified as the RID master, check network connectivity to other computers. Check for other events in the local computer's Event Viewer that might indicate network connectivity issues. Check the domain controller that is identified as the RID operations master to see if that computer has network connectivity issues or replication issues that are logged in Event Viewer. At a command prompt, you can use the repadmin and dcdiag commands to further test the RID master functionality:

repadmin /showrepl
dcdiag /test:ridmanager /v

For more information about resolving Active Directory replication issues, see Troubleshooting Active Directory Replication Problems (https://go.microsoft.com/fwlink/?LinkId=86949).

When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. In addition to checking for Event ID 16648, you can verify that a new RID pool is available to a specific domain controller by creating a new account using that domain controller. Perform the following procedures using the computer that is logging the event to be resolved.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Create an account using Active Directory Users and Computers

To create an account using Active Directory Users and Computers:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the console tree, expand the hierarchy of objects as necessary. Right-click the container in which you want to create the new account, click New, and then click the account type that you want to create (for example, Computer, Contact, Group, or User). Fill in all the required fields (and any of the appropriate optional fields) in the dialog box that appears for the specific type of account that you select. If you select one of the following account types: User or InetOrgPerson, an additional dialog box opens. Click Next to go to the next dialog box, and then fill in the appropriate information.
  3. When you have filled out all the appropriate information and you are ready to create the account, click OK. If you created this account for testing purposes, you can delete the account.

Delete an account using Active Directory Users and Computers

To delete an account using Active Directory Users and Computers:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.
  2. In the console tree, expand the hierarchy of objects as necessary.
  3. Right-click the account that you want to remove, and then click Delete.
  4. Click OK to confirm the deletion of the account.
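The connectivity check, the RID pool inspection and the create-then-delete test above, as one added PowerShell example (not code from the original article). It assumes the ActiveDirectory module (RSAT) is installed, an elevated session with Domain Admins membership, and that $dc is the domain controller that logged Event ID 16645; the RID Set and RID Manager$ attribute layout (low 32 bits = start of range, high 32 bits = end of range) is as documented for Active Directory, and the throwaway account name is constructed here.

```powershell
# Added example, not from the original article: scripted form of the connectivity check,
# RID pool inspection and test-account creation described above. Assumes the ActiveDirectory
# module (RSAT) is available, an elevated session and Domain Admins membership; $dc is the
# domain controller that logged Event ID 16645 (defaults to the local machine).
Import-Module ActiveDirectory

$dc        = $env:COMPUTERNAME
$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster   # FQDN of the DC holding the RID operations master role
Write-Host "RID master for $($domain.DNSRoot): $ridMaster"

# Step 4 above, scripted: opening \\RIDcomputer\sysvol shows the local DC can reach the RID master.
if (Test-Path -Path "\\$ridMaster\sysvol") {
    Write-Host "SYSVOL on $ridMaster is reachable from $dc"
} else {
    Write-Warning "Cannot open \\$ridMaster\sysvol from $dc; check network connectivity and replication"
}

# rIDAllocationPool, rIDPreviousAllocationPool and rIDAvailablePool are 64-bit values:
# low 32 bits = first RID of the range, high 32 bits = last RID of the range.
# Arithmetic is used instead of -shr so this also runs on the PowerShell 2.0 shipped with Server 2008 R2.
function ConvertFrom-RidPool {
    param([Int64]$Pool)
    $low  = $Pool -band 4294967295                  # 2^32 - 1 (a hex literal would parse as Int32 -1)
    $high = [Int64](($Pool - $low) / 4294967296)    # 2^32
    New-Object PSObject -Property @{ Low = $low; High = $high }
}

# Domain-wide state kept by the RID master in CN=RID Manager$,CN=System:
# Low = next RID the master will hand out, High = the domain ceiling (2^30 - 1).
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$avail  = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
Write-Host "Domain: next unallocated RID $($avail.Low), ceiling $($avail.High)"

# Each DC's own pool lives in a "RID Set" object referenced from its computer object.
$ridSetDn = (Get-ADComputer -Identity $dc -Properties rIDSetReferences).rIDSetReferences | Select-Object -First 1
if (-not $ridSetDn) {
    Write-Warning "$dc has no RID Set object, so it has never been issued a RID pool"
} else {
    $ridSet  = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $active  = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool   # pool the DC is consuming now
    $standby = ConvertFrom-RidPool $ridSet.rIDAllocationPool           # pool most recently issued by the RID master
    $nextRid = [Int64]$ridSet.rIDNextRID
    $left    = $active.High - $nextRid                                 # approximate RIDs left in the active pool
    Write-Host "$dc active pool: $($active.Low) to $($active.High), next RID $nextRid, about $left left"
    Write-Host "$dc allocated pool: $($standby.Low) to $($standby.High)"

    # Scripted form of the create-then-delete test; the account name is a constructed throwaway.
    $testName = 'ridpooltest-' + (Get-Random -Minimum 10000 -Maximum 99999)
    try {
        $testUser = New-ADUser -Name $testName -SamAccountName $testName -Server $dc -PassThru
        $newRid   = [Int64]$testUser.SID.Value.Split('-')[-1]   # the RID is the last SID component
        $inPool   = ($newRid -ge $active.Low -and $newRid -le $active.High) -or ($newRid -ge $standby.Low -and $newRid -le $standby.High)
        if ($inPool) { Write-Host "Created $testName with RID $newRid from the pool of $dc; account creation works" }
        else         { Write-Warning "Created $testName with RID $newRid, which is outside the pools read above" }
        Remove-ADUser -Identity $testUser -Server $dc -Confirm:$false
    } catch {
        # With Event ID 16645 outstanding, this is the failure the event message describes.
        Write-Warning "Account creation on $dc failed: $($_.Exception.Message)"
    }
}
```

The script reads the pool directly from the directory, so it shows the same ranges the dcdiag RidManager test prints, and the -Server parameter forces the test account to be created on the DC under investigation rather than whichever DC the module happens to bind to.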

Verify

When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. You can also use the dcdiag command to verify the RID master has properly assigned a RID pool to a domain controller. To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To confirm a RID pool assignment to a domain controller:

  1. Open a Command Prompt as an administrator on a domain controller in the domain you want to check. To do so, click Start. In Start Search, type Command Prompt, then right-click Command Prompt in the Start Menu and select Run as administrator.
  2. Run the command dcdiag /test:ridmanager /v /f:%userprofile%\desktop\DCname_RIDpool.txt /s:DCname and press ENTER; substitute the name of the domain controller you want to test for each DCname in the command. This creates diagnostic files on the Desktop of the current user named for each domain controller tested.
  3. Open the file with Notepad or another text editor. To open the file with Notepad you can type Notepad %userprofile%\desktop\DCname_RIDpool.txt and press ENTER. If you do not have a text editor installed, you can run the command type %userprofile%\Desktop\DCname_RIDpool.txt | more to view one screen of information at a time and use the SPACEBAR to advance one screen at a time through the file.

Look at the section of the file that reads “Starting test: RidManager.” If the domain controller received a RID allocation pool, the line that starts with “*rIDAllocationPool” should display a range of numbers; for example, “*rIDAllocationPool is 1100 to 1599.”
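An added PowerShell example (not from the original article) that reads the DCname_RIDpool.txt files written by the dcdiag command above and pulls out the lines this step tells you to look for. The two sample outputs embedded in it are constructed to match the line shapes quoted in this article, not captured from a real dcdiag run, and the Remaining figure is an approximation based on the rIDNextRID line.

```powershell
# Added example, not from the original article: parse dcdiag /test:ridmanager /v output
# (the DCname_RIDpool.txt files the article's command writes to the Desktop) and report
# whether each DC holds a RID pool.
function Get-RidPoolStatus {
    param(
        [Parameter(Mandatory=$true)][string]$Text,   # full text of one dcdiag /test:ridmanager /v run
        [string]$Source = 'dcdiag output'
    )
    $r = New-Object PSObject -Property @{
        Source = $Source; Passed = $false; AllocationPool = 'not found'
        PreviousPool = 'not found'; NextRid = $null; Remaining = $null
    }
    # dcdiag closes the section with "passed test RidManager" or "failed test RidManager"
    $r.Passed = [bool]($Text -match 'passed test RidManager')
    if ($Text -match '\*\s*rIDAllocationPool is (\d+) to (\d+)') {
        $r.AllocationPool = "$($matches[1]) to $($matches[2])"
    }
    if ($Text -match '\*\s*rIDPreviousAllocationPool is (\d+) to (\d+)') {
        $r.PreviousPool = "$($matches[1]) to $($matches[2])"
        $prevHigh = [Int64]$matches[2]               # captured before the nested -match overwrites $matches
        if ($Text -match '\*\s*rIDNextRID:\s*(\d+)') {
            $r.NextRid   = [Int64]$matches[1]
            $r.Remaining = $prevHigh - $r.NextRid    # approximate RIDs left in the pool in use
        }
    }
    $r
}

# Constructed sample: a DC that holds the pool quoted in the article (1100 to 1599).
$sampleHealthy = @"
Starting test: RidManager
   * Available RID Pool for the Domain is 1600 to 1073741823
   * dc1.contoso.example is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 1100 to 1599
   * rIDPreviousAllocationPool is 1100 to 1599
   * rIDNextRID: 1127
   ......................... DC1 passed test RidManager
"@

# Constructed sample: a DC that never obtained a pool, so no rIDAllocationPool line is present.
$sampleNoPool = @"
Starting test: RidManager
   * Available RID Pool for the Domain is 1600 to 1073741823
   * dc1.contoso.example is the RID Master
   ......................... DC2 failed test RidManager
"@

$columns = 'Source', 'Passed', 'AllocationPool', 'PreviousPool', 'NextRid', 'Remaining'
@(
    (Get-RidPoolStatus -Text $sampleHealthy -Source 'DC1 (constructed)'),   # Remaining: 472
    (Get-RidPoolStatus -Text $sampleNoPool  -Source 'DC2 (constructed)')    # pools 'not found', Passed False
) | Format-Table $columns -AutoSize

# The same check over the real files produced by the dcdiag command in step 2 above.
Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Filter '*_RIDpool.txt' |
    ForEach-Object { Get-RidPoolStatus -Text ((Get-Content $_.FullName) -join "`n") -Source $_.Name } |
    Format-Table $columns -AutoSize
```

A DC that is still logging Event ID 16645 shows up with "not found" in the AllocationPool column or with Passed False; a healthy DC shows the range, and a small Remaining value on a busy DC means the next request to the RID master is due soon and is worth watching.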
