24 Jan 2013

New features in Active Directory Domain Services in Windows Server 2012, Part 14: RID improvements

Active Directory is a proven technology that has been around since Windows 2000 Server. Some Active Directory environments have been around since that time, while others have been around even longer, having started their lives as Windows NT 3.x or Windows NT 4.0 domains. As directory environments grow older, some of their limits come into sight.

In Active Directory Domain Services and Active Directory Lightweight Directory Services (or Active Directory Application Mode, ADAM, as we knew it in earlier times), one of the typical limits older environments might run into is the maximum size of the RID Pool.

About Relative Identifiers (RIDs)

Relative Identifiers (RIDs) are used in Active Directory Domain Services and Active Directory Lightweight Directory Services to give each security principal (user, computer, group, trust and so on) a unique identity within the namespace of the environment. Under the hood every security principal has a Security Identifier (SID), consisting of the SID namespace of the domain and the Relative Identifier (RID):

Anatomy of a SID
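The split shown in the picture, as an added example (PowerShell, not part of the original post): the .NET SecurityIdentifier class separates the domain SID namespace from the RID, and the script refuses well-known SIDs that carry no RID at all. The sample SIDs are constructed for a fictitious domain.

```powershell
# Added example (not from the original post): split a SID into its domain
# SID namespace and its RID with the .NET SecurityIdentifier class.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    # Only account SIDs (S-1-5-21-<domain>-<rid>) carry a RID. Well-known
    # SIDs such as S-1-5-18 (LocalSystem) or S-1-1-0 (Everyone) have no
    # domain namespace and no RID, so refuse them instead of mis-parsing.
    if (-not $sidObj.IsAccountSid()) {
        throw "$Sid is not an account SID and carries no RID"
    }

    $rid = [int64]($Sid.Substring($Sid.LastIndexOf('-') + 1))
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = $sidObj.AccountDomainSid.Value
        Rid       = $rid
        # RIDs below 1000 are reserved for well-known accounts and groups
        # (500 = Administrator, 512 = Domain Admins); the RID Master only
        # hands out RIDs from 1000 upwards, in blocks.
        WellKnown = ($rid -lt 1000)
    }
}

# Constructed sample SIDs for a fictitious domain: Domain Admins (RID 512)
# and an ordinary account whose RID came out of a RID Pool block.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-512'
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1601'

# The SID whoami /user prints for the current logon, split the same way.
Split-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

Two principals in different domains can share a RID (every domain has a RID 512), but never a SID, because the domain part of the SID differs; that is why RIDs only have to be unique per domain and why the RID Pool is a per-domain resource.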

Tip!
You can easily find the SID of a currently logged in user with the whoami.exe /user command.

About RID Pools and RID Pool blocks

Active Directory uses a multi-master model: unlike NT4, you can write to the database on every Domain Controller. This model still requires certain operations to be performed by a single master, so Active Directory defines five Flexible Single Master Operations (FSMO) roles, each of which is assigned to one Domain Controller.

The RID Pool Master FSMO role (officially called the RID Master) is one of them. The scope of the RID Pool Master FSMO role is the domain. Domain Controllers request a RID Pool block from the RID Pool Master so they can create objects locally in the multi-master model. Since every security principal in Active Directory has a unique SID, consisting of the Domain SID namespace and a Relative Identifier (RID) within that namespace, each creation of a security principal consumes a RID.

The RID Pool depletion challenge

When an Active Directory environment runs out of Relative Identifiers (RIDs), a situation called RID Pool exhaustion or RID Pool depletion occurs. This is a serious problem, since no new security principals can be created once the local RID Pool blocks of the Domain Controllers are used up.

In an Active Directory domain, 2^30-1 (1,073,741,823, roughly 1 billion) RIDs are available, so a domain can create at most roughly 1 billion security principals over its lifetime, including users, computers, groups, domain trusts and Managed Service Accounts (MSAs). A RID is never reused once it has been handed out, so deleting objects does not give their RIDs back.

To make things worse, a couple of scenarios have been identified in which RID Pool blocks, and with them the RID Pool, are used up fast. In these scenarios a RID is taken from a RID Pool block but no object is created with it, so the RID leaks. A prime example is a failed user creation, for instance because the new account does not meet a policy set in the domain, such as the password policy. Also, when a Domain Controller's computer object was deleted and subsequently reanimated or restored, the Domain Controller would request a new RID Pool block every 30 seconds because of a missing rIDSetReference attribute; at 500 RIDs per block that is about 1.4 million RIDs a day, enough to deplete the whole RID Pool in roughly 2 years...

Analyzing remaining RIDs in an environment

To analyze the state of an Active Directory environment, use the following command:

dcdiag /test:ridmanager /v | find /i "Available RID Pool"

The output shows the next RID that will be handed out in a RID Pool block (the lower bound) and the highest RID the domain can issue (the upper bound), in the following format:

* Available RID Pool for the Domain is 1601 to 1073741823            
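The same numbers, read directly from the directory, as an added example (PowerShell, not part of the original post). dcdiag gets them from the rIDAvailablePool attribute of the CN=RID Manager$ object; the function below decodes that attribute and turns it into a consumption percentage you can put in monitoring. The sample value is constructed to match the dcdiag line above; the live part assumes the ActiveDirectory module and PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): decode the rIDAvailablePool
# attribute of CN=RID Manager$, which is what dcdiag reads to print the line
# above. The attribute is a 64-bit large integer: the high 32 bits hold the
# highest RID the domain can ever issue (2^30-1 = 1073741823 by default), the
# low 32 bits hold the next RID that will be handed out in a RID Pool block.
# Needs PowerShell 3.0 or later for the -shl/-shr operators.
function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory)][int64]$Pool)

    $highest = $Pool -shr 32                 # upper bound of the RID space
    $next    = $Pool - ($highest -shl 32)    # low 32 bits: next RID to issue

    [pscustomobject]@{
        NextRid         = $next
        HighestRid      = $highest
        RidsRemaining   = $highest - $next + 1
        # RIDs 1..($next-1) are either reserved (below 1000) or already handed
        # out in blocks. "Handed out" is not the same as "objects exist":
        # leaked RIDs and RIDs of deleted objects are gone for good as well.
        PercentConsumed = [math]::Round(100.0 * ($next - 1) / $highest, 4)
    }
}

# Constructed sample value that decodes to the dcdiag line shown above:
# (1073741823 shl 32) + 1601
ConvertFrom-RidAvailablePool 4611686014132422209

# Live query against the RID Master of the current domain (ActiveDirectory
# module required). Read it from the RID Master itself: other Domain
# Controllers only see the value after replication.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$ridManager = Get-ADObject -Server $domain.RIDMaster `
    -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
    -Properties rIDAvailablePool
ConvertFrom-RidAvailablePool ([int64]$ridManager.rIDAvailablePool)
```

Trend PercentConsumed over time rather than looking at it once: a sudden jump is exactly the signature of the leak scenarios described above, and it will show up long before the domain is anywhere near the end of the pool.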

What's New

The RID Reuse Pool

The scenarios identified as causing unusually fast RID Pool depletion have been fixed.

In Windows Server 2012, when object creation fails, the RID that was taken from the RID Pool block is placed in a RID Reuse Pool instead of being leaked. The next object creation on that Domain Controller takes a RID from the RID Reuse Pool (if one is available) instead of from the RID Pool block. Rebooting a Domain Controller clears its RID Reuse Pool.

Periodic RID Pool Consumption Warnings

As an Active Directory environment consumes its RID Pool, warnings appear in the System log of the Domain Controller holding the RID Pool Master FSMO role. These warnings start when 10% of the RID Pool has been handed out and become more frequent as more of it is used up. They are logged as warnings with event ID 16658 and source Directory-Services-SAM.

RID Pool Artificial Ceiling Protection

When the Domain Controller holding the RID Pool Master FSMO role has handed out RID Pool blocks covering 90% of the RID Pool, it stops handing out RIDs and RID Pool blocks, and logs event ID 16657 with source Directory-Services-SAM. This soft ceiling prevents full RID Pool depletion and keeps the last 10% in reserve, so that Active Directory admins, once they have consciously lifted the ceiling, can still commission more Windows Server 2012-based Domain Controllers to get rid of Domain Controllers on older versions of Windows Server and/or create trusts to migrate objects with the Active Directory Migration Tool (ADMT).

Tip!
This is a crucial moment in the life of the Active Directory environment and should trigger a meeting with all Active Directory admins and their managers to decide on the course to follow to keep the Active Directory healthy for a long time. This might be the moment to collapse that multi-resource forest environment or to migrate to a new Active Directory domain.

Domain Admins can lift the ceiling by setting the msDS-RIDPoolAllocationEnabled attribute of the CN=RID Manager$ object in the System container of the domain to TRUE. Perform the following steps in LDP.exe to achieve this:

  1. Run LDP.exe
  2. Click the Connection menu and click Connect, then connect to the Windows Server 2012-based Domain Controller holding the RID Pool Master FSMO role on the default port 389. When connected, go back to the Connection menu and click Bind. Bind as a domain administrator.
  3. Click the View menu and click Tree, then for the Base DN select the domain naming context from the drop-down list. Click OK.
  4. In the navigation pane, drill down into the CN=System container and select the CN=RID Manager$ object. Right-click it and click Modify.
  5. In Edit Entry Attribute, type:
        
         MsDS-RidPoolAllocationEnabled
        
  6. In Values, type (in upper case):
        
         TRUE
        
  7. Select Replace in Operation and click Enter. This updates the Entry List.
  8. Enable the Synchronous option, then click Run.
  9. If successful, the LDP output window shows:

***Call Modify...
ldap_modify_ext_s(ld, 'CN=RID Manager$,CN=System,DC=domain,DC=tld',[1] attrs, SvrCtrls, ClntCtrls);
Modified "CN=RID Manager$,CN=System,DC=<domain>".
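The warnings, the ceiling event and the override above, put together in one script as an added example (PowerShell, not part of the original post): it lists the 16658/16657 events on the RID Master, shows the current value of msDS-RIDPoolAllocationEnabled and performs the same Replace the LDP steps describe, but only once event 16657 is actually present, since lifting the ceiling is the deliberate decision the tip above talks about. It assumes the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example (not from the original post): see whether the RID Master has
# already logged consumption warnings (16658) or the ceiling event (16657),
# then lift the artificial ceiling from PowerShell, the same Replace of
# msDS-RIDPoolAllocationEnabled the LDP steps above perform, and read it back.
# Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster
$ridMgrDn  = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"

# Both events come from source Directory-Services-SAM in the System log of
# the RID Master; filter on the provider name client-side to be safe.
$samEvents = Get-WinEvent -ComputerName $ridMaster -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; Id = 16657, 16658 } -MaxEvents 50 |
    Where-Object { $_.ProviderName -like '*Directory-Services-SAM' }
$samEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

$before = Get-ADObject -Server $ridMaster -Identity $ridMgrDn `
    -Properties 'msDS-RIDPoolAllocationEnabled'
"msDS-RIDPoolAllocationEnabled before: $($before.'msDS-RIDPoolAllocationEnabled')"

if ($samEvents | Where-Object Id -eq 16657) {
    # Ceiling reached: lift it. This is a deliberate decision (see the tip
    # above), so the script only does it once the 16657 event is present.
    Set-ADObject -Server $ridMaster -Identity $ridMgrDn `
        -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }

    $after = Get-ADObject -Server $ridMaster -Identity $ridMgrDn `
        -Properties 'msDS-RIDPoolAllocationEnabled'
    "msDS-RIDPoolAllocationEnabled after:  $($after.'msDS-RIDPoolAllocationEnabled')"
}
else {
    'Event 16657 not found on the RID Master; the ceiling has not been reached.'
}
```

Target the RID Master explicitly with -Server in every call: the ceiling is enforced there, and reading the attribute from another Domain Controller only tells you what has replicated so far.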
     

Upper bound for RID Pool Block Sizes

As you might know, by default, a RID Pool block consists of 500 RIDs. In previous versions of Windows Server, the RID Pool block size could be configured by editing the registry on each Domain Controller. The RID Block Size (REG_DWORD) registry value located in HKLM\System\CurrentControlSet\Services\NTDS\RID Values could be used to that purpose.

In Windows Server 2012, the maximum permissible admin-configured RID Pool block size is 15,000. This means that a RID Pool block now holds at most 15,000 RIDs, independent of the value entered in the registry.

If a value greater than 15,000 is entered, a RID Pool block size of 15,000 is used instead. Additionally, error 16653 with source Directory-Services-SAM is logged at every boot to inform you that RID Pool blocks of only 15,000 RIDs are being requested from the Domain Controller holding the RID Pool Master FSMO role.

Double the RID Pool

In Windows Server 2012, the 31st bit of the RID space can be unlocked, giving organizations a further billion RIDs on top of the original billion: the highest RID the domain can issue becomes 2^31-1 (2,147,483,647).

Unlocking the 31st bit of the RID Pool can be achieved by setting sidCompatibilityVersion to 1 using a RootDSE Modification:

  1. Run LDP.exe
  2. Click the Connection menu and click Connect, then connect to the Windows Server 2012-based Domain Controller holding the RID Pool Master FSMO role on the default port 389. When connected, go back to the Connection menu and click Bind. Bind as a domain administrator.
  3. Click the Browse menu and click Modify
  4. Ensure that DN is blank
  5. In Edit Entry Attribute, type:
        
         SidCompatibilityVersion
        
  6. In Values, type:
        
         1
        
  7. Ensure that Add is selected in Operation and click Enter. This updates the Entry List
  8. Select the Synchronous option, then click Run.
  9. If successful, the LDP output window shows:
        
         ***Call Modify...
         ldap_modify_ext_s(ld, '(null)',[1] attrs);
         modified "".
        
  10. When successful, Information event 16655 from source Directory-Services-SAM will be logged once in the System log of the Domain Controller. 
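The same RootDSE modification as an added example (PowerShell, not part of the original post), using System.DirectoryServices.Protocols so that the request is an explicit LDAP Add of sidCompatibilityVersion=1 against the empty DN, exactly as in the LDP steps. It first enforces the requirement stated in this post that every Domain Controller runs Windows Server 2012, and afterwards looks for the 16655 event. It assumes the ActiveDirectory module, Domain Admin rights and that the change is made on the RID Master.

```powershell
# Added example (not from the original post): the same RootDSE modification as
# the LDP steps above, issued with System.DirectoryServices.Protocols so the
# request is an explicit LDAP "add" of sidCompatibilityVersion=1 against the
# empty DN of the RID Master. It first enforces the requirement from this post
# that every Domain Controller runs Windows Server 2012, then looks for the
# 16655 event the change should produce. Requires the ActiveDirectory module
# and Domain Admin rights.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster

$downLevel = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notlike 'Windows Server 2012*' }
if ($downLevel) {
    $downLevel | Select-Object HostName, OperatingSystem | Format-Table -AutoSize
    throw 'Down-level Domain Controllers found; patch or upgrade them before unlocking the 31st bit.'
}

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($ridMaster)
$conn.SessionOptions.Signing = $true      # sign and seal the LDAP session
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()                              # current credentials, must be Domain Admin

$mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mod.Name      = 'sidCompatibilityVersion'
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
[void]$mod.Add('1')

$request = New-Object System.DirectoryServices.Protocols.ModifyRequest
$request.DistinguishedName = ''           # RootDSE: blank DN, as in the LDP steps
[void]$request.Modifications.Add($mod)

$response = $conn.SendRequest($request)   # throws DirectoryOperationException on failure
"RootDSE modify result: $($response.ResultCode)"
$conn.Dispose()

# The post says a single Information event 16655 (source Directory-Services-SAM)
# is logged in the System log of the Domain Controller on success.
Get-WinEvent -ComputerName $ridMaster -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; Id = 16655 } -MaxEvents 1 |
    Where-Object { $_.ProviderName -like '*Directory-Services-SAM' } |
    Select-Object TimeCreated, Message | Format-List
```

The down-level check is there for a reason: once RIDs above 2^30 are issued, every Domain Controller has to be able to handle SIDs with the 31st bit set, which is why the post requires all Domain Controllers to be on Windows Server 2012 or patched before you flip this switch.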

Requirements

To lift the RID Pool Artificial Ceiling Protection, the Domain Controller holding the RID Pool Master FSMO role must be running Windows Server 2012.

Tip!
Since you may already have moved the PDC Emulator FSMO role to a Windows Server 2012-based Domain Controller for Domain Controller cloning, and KnowledgeBase article 223346 recommends placing the PDCe and RID Pool Master FSMO roles on the same server, this may not be such a harsh requirement.

When you want to unlock the 31st bit of the RID space to effectively double the available RIDs, all Domain Controllers should be running Windows Server 2012. Domain Controllers on previous versions of Windows Server should be patched or upgraded first.

All the other features are local to each Windows Server 2012-based Domain Controller and are available on it as soon as it is promoted.
