How are Relative Identifiers allocated?

Relative Identifiers (RIDs) are used to uniquely identify each object within a domain. In any Active Directory (AD) domain, each domain controller can create new objects (users, computers, groups, and so forth). Each new object needs a unique ID number so that it does not conflict with objects being created at the same time by other domain controllers in the domain.

The unique ID numbers given to each domain object are actually a combination of a domain ID and a RID; RIDs can be duplicated across domains because the combination of domain and RID will always be unique. The uniqueness of the domain ID is ensured by the forest-wide domain naming master.

The RID Master

In order to ensure that domain controllers don't duplicate ID numbers, AD includes a special Flexible Single Master Operations (FSMO) role in each domain, called the RID master. The RID master's job is to allocate each domain controller with a unique range of RIDs. Because all RIDs stem from this single source and the RID master doesn't issue overlapping pools to different domain controllers, each domain controller has a unique range of "spare" ID numbers to use when creating new objects.

As part of its role in ensuring uniqueness for each AD object, the RID master is also responsible for removing the entries for domain objects that are moved to another domain. However, you should note that the RID from the removed object is never reused in the domain.

SID Construction

The unique number assigned to each domain object is called a Security Identifier (SID). A typical SID looks like this:

S-1-5-21-917267712-1342860078-1792151419-500

  • S designates this identifier as a SID
  • 1 indicates the revision level of the SID construction scheme
  • 5 represents the identifier authority
  • Everything else is the SID proper: the domain ID followed by the RID, which is the final number (500 in this example).

RID Management

You can't directly affect the allocation of RIDs except through a few documented workarounds to specific operating system (OS) problems. You can view certain RID attributes directly in AD.

It is possible for a domain controller to use up its allocated RID pool more quickly than it can request a new one. For example, if you're migrating thousands of users to a domain controller that has poor connectivity to the RID master, the domain controller might run out of RIDs. For more information about this problem, see the Microsoft article "RID Pool Allocation and Sizing Changes in Windows 2000 SP4."

AD holds several attributes that describe RIDs; these attributes are, in fact, the sources that DisplayRID queries for its output. The major attributes are:

  • FsmoRoleOwner—Contains the fully qualified domain name of the current holder of the RID master role.
  • RidAvailablePool—Defines the number of security principals that the domain can contain (a fixed value currently just over 1 billion), and the number of RIDs that have been allocated already.
  • RidAllocationPool—Defines the current pool for a domain controller, and its next pool.
  • RidNextRid—The next RID that will be used on the domain controller.
  • RidPreviousAllocationPool—The current pool of RIDs used to create new SIDs; this value includes the value of RidNextRid.
  • RidUsedPool and NextRid—Unused attributes that are still defined in AD.

The values of these attributes will differ from domain controller to domain controller.
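To make the SID breakdown and the RID-pool attributes concrete, here is an added Python example (not code from the article or from DisplayRID) that splits a string SID into its domain ID and RID and reports how many RIDs a domain controller has left in its pool. It assumes that rIDAllocationPool packs the pool's first RID into the low 32 bits and its last RID into the high 32 bits; the second SID and the pool values are constructed.

```python
"""Split Windows string SIDs into domain ID and RID, and decode the packed
RID-pool attributes listed above. Added example, not code from the article."""

# Constructed samples: the SID from the article plus a made-up second domain
# whose RID master has handed out the same RID (500).
SID_A = "S-1-5-21-917267712-1342860078-1792151419-500"
SID_B = "S-1-5-21-123456789-987654321-555555555-500"  # constructed

def parse_sid(text: str) -> tuple[int, int, tuple[int, ...]]:
    """Return (revision, identifier authority, sub-authorities) or raise ValueError."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a string SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    # Revision 1 is the only defined scheme; the authority is a 48-bit value,
    # each sub-authority is 32 bits, and at most 15 sub-authorities are allowed.
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return revision, authority, subs

def split_domain_rid(text: str) -> tuple[str, int]:
    """Split a domain account SID into (domain SID, RID). Domain accounts use
    the NT authority (5), first sub-authority 21, three domain-specific
    values, and the RID as the final sub-authority."""
    revision, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {text!r}")
    head = ["S", str(revision), str(authority)]
    return "-".join(head + [str(s) for s in subs[:-1]]), subs[-1]

def decode_rid_pool(value: int) -> tuple[int, int]:
    """Decode rIDAllocationPool / rIDPreviousAllocationPool into (first, last).
    Assumption, not stated in the article: the attribute is a 64-bit integer
    whose low 32 bits hold the first RID of the pool and high 32 bits the last."""
    return value & 0xFFFFFFFF, value >> 32

def rids_remaining(pool_value: int, next_rid: int) -> int:
    """RIDs still unused in a DC's current pool, given its rIDNextRID value."""
    first, last = decode_rid_pool(pool_value)
    if not first <= next_rid <= last + 1:
        raise ValueError(f"rIDNextRID {next_rid} lies outside pool {first}-{last}")
    return last - next_rid + 1

if __name__ == "__main__":
    for sid in (SID_A, SID_B):
        print(sid, "->", split_domain_rid(sid))  # same RID, different domain
    print(rids_remaining((2099 << 32) | 1600, 1700))  # 400
```

Running it shows the two SIDs sharing RID 500 while their domain IDs differ, which is why a RID alone never identifies an object.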