Relative Identifiers (RIDs) are used to uniquely identify each object within a domain. In any Active Directory (AD) domain, each domain controller has the ability to create new objects (users, computers, groups, and so forth). Each of these new objects needs a unique ID number to avoid conflict with other new objects being created at any given time by other domain controllers in the domain.
The unique ID numbers given to each domain object are actually a combination of a domain ID and a RID; RIDs can be duplicated across domains because the combination of domain and RID will always be unique. The uniqueness of the domain ID is ensured by the forest-wide domain naming master.
To ensure that domain controllers don't duplicate ID numbers, AD includes a special Flexible Single Master Operations (FSMO) role in each domain, called the RID master. The RID master's job is to allocate a unique range of RIDs to each domain controller. Because all RIDs stem from this single source and the RID master doesn't issue overlapping pools to different domain controllers, each domain controller has a unique range of "spare" ID numbers to use when creating new objects.
As part of its role in ensuring uniqueness for each AD object, the RID master is also responsible for removing the entries for domain objects that are moved to another domain. However, you should note that the RID from the removed object is never reused in the domain.
The unique number assigned to each domain object is called a Security Identifier (SID). A typical SID looks like this:
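As an added example (not code from the original article), this Python sketch decodes a binary SID, splits it into the domain ID and RID described above, and checks that two domain controllers' RID pools do not overlap. The SID values, the DC names, and the pool ranges are constructed for illustration; reading the binary form from the `objectSid` attribute is an assumption, since the article does not name that attribute.

```python
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Render a binary SID (the form AD stores in objectSid) as S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def split_sid(sid: str):
    """Split a domain object's SID into (domain ID, RID)."""
    parts = sid.split("-")
    # S-1-5-21-<three domain sub-authorities>-<RID> is eight fields in total
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"] or not parts[-1].isdigit():
        raise ValueError("not a domain-object SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def pools_overlap(pools: dict) -> bool:
    """True if any two DC pools share a RID (the RID master must prevent this)."""
    ranges = sorted(pools.values())
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ranges, ranges[1:]))

def pool_owner(rid: int, pools: dict):
    """Return the DC whose pool contains rid, or None if no pool does."""
    for dc, (low, high) in pools.items():
        if low <= rid <= high:
            return dc
    return None

# Constructed sample data: not taken from a real domain.
SAMPLE_RAW = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
OTHER_DOMAIN_SID = "S-1-5-21-4000000000-555555555-666666666-1105"
POOLS = {"DC1": (1100, 1599), "DC2": (1600, 2099)}   # hypothetical RID pools

if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_RAW)
    domain_id, rid = split_sid(sid)
    print(sid, "->", domain_id, rid)
    # Same RID in another domain: the full SID still differs.
    print("other domain:", split_sid(OTHER_DOMAIN_SID))
    print("pools overlap:", pools_overlap(POOLS), "| pool owner:", pool_owner(rid, POOLS))
```
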
You can't directly affect the allocation of RIDs except through a few documented workarounds to specific operating system (OS) problems. You can view certain RID attributes directly in AD.
It is possible for a domain controller to use up its allocated RID pool more quickly than it can request a new one. For example, if you're migrating thousands of users to a domain controller that has poor connectivity to the RID master, the domain controller might run out of RIDs. For more information about this problem, see the Microsoft article "RID Pool Allocation and Sizing Changes in Windows 2000 SP4."
AD stores information about RIDs in several attributes; these attributes are, in fact, the sources that DisplayRID queries for its output. The major attributes are:
The values of these attributes will differ from domain controller to domain controller.