Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Server 2008 R2
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a ___domain prefix identifier that uniquely identifies the ___domain and a relative identifier (RID) that uniquely identifies the security principal within the ___domain. The RID is a monotonically increasing number at the end of the SID.
Each ___domain controller is assigned a pool of RIDs from the global RID pool by the ___domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory ___domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each ___domain controller in its ___domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (230) security principals can be created in an Active Directory ___domain. Newly promoted ___domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing ___domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
Events
| Event ID | Source | Message |
|---|---|---|
SAM |
The account-identifier allocator was unable to assign a new identifier. The identifier pool for this ___domain controller may have been depleted. If this problem persists, restart the ___domain controller and view the initialization status of the allocator in the event log. | |
SAM |
An initial account-identifier pool has not yet been allocated to this ___domain controller. A possible reason for this is that the ___domain controller has been unable to contact the RID master ___domain controller, possibly due to connectivity or network problems. Account creation will fail on this ___domain controller until the pool is obtained. | |
SAM |
The maximum ___domain account identifier value has been reached. No further account-identifier pools can be allocated to ___domain controllers in this ___domain. | |
SAM |
The maximum account identifier allocated to this ___domain controller has been assigned. The ___domain controller has failed to obtain a new identifier pool. A possible reason for this is that the ___domain controller has been unable to contact the RID master ___domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the ___domain, or the RID master ___domain controller may be offline or missing from the ___domain. Verify that the RID master ___domain controller is running and connected to the ___domain. | |
SAM |
The computed account identifier is not valid because it is out of the range of the current account-identifier pool belonging to this ___domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this ___domain controller. This will make the ___domain controller acquire a fresh account identifier pool. | |
SAM |
The ___domain controller is starting a request for a new account-identifier pool. | |
SAM |
The request for a new account-identifier pool has completed successfully. | |
SAM |
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " |