Applies To: Windows Server 2008 R2
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.
Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
Event Details
| Product: | Windows Operating System |
| ID: | 16644 |
| Source: | SAM |
| Version: | 6.0 |
| Symbolic Name: | SAMMSG_MAX_DOMAIN_RID |
| Message: | The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain. |
Resolve
Create a new domain
The Security Accounts Manager (SAM) cannot create additional accounts in this domain because all available relative IDs (RIDs) are used.
You can create a new domain in the existing forest to create new accounts. The new domain can be either a new domain tree or a child domain. If you have a large number of deleted accounts, you may choose to migrate all accounts to the new domain.
For instructions for creating a new domain, see Steps for Installing AD DS (https://go.microsoft.com/fwlink/?LinkId=109265).
For more information on this issue, see Microsoft Knowledge Base article 316201 (https://support.microsoft.com/default.aspx?scid=kb;EN-US;316201).
Verify
When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. You can also use the dcdiag command to verify the RID master has properly assigned a RID pool to a domain controller.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To confirm a RID pool assignment to a domain controller
- Open a Command Prompt as an administrator on a domain controller in the domain you want to check. To do so, click Start. In Start Search, type Command Prompt, then right-click Command Prompt from the Start Menu and select Run as administrator.
- Run the command **dcdiag /test:ridmanager /v /f:%userprofile%\desktop\DCname_RIDpool.txt /s:DCname** and press ENTER; substitute the name of the domain controller you want to test for each DCname in the command. This creates diagnostic files on the Desktop of the current user named for each domain controller tested.
- Open the file with Notepad or another text editor. To open the file with Notepad you can type **Notepad %userprofile%\desktop\DCname_RIDpool.txt** and press ENTER. If you do not have a text editor installed, you can run the command **type %userprofile%\Desktop\DCname_RIDpool.txt | more** to view one screen of information at a time and use the SPACEBAR to advance one screen at a time through the file.
Look at the section of the file that reads “Starting test: RidManager.” If the domain controller received a RID allocation pool, the line that starts with “*rIDAllocationPool” should display a range of numbers; for example, “*rIDAllocationPool is 1100 to 1599.”
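The manual check above can be scripted so that RID consumption is tracked before Event ID 16644 is ever logged. The following is an added example, not part of the original article or of any Microsoft tool: the function name Get-RidPoolStatus, the DC01 file name and the sample lines are assumptions made for illustration, and the syntax is kept compatible with the Windows PowerShell 2.0 included in Windows Server 2008 R2.

```powershell
# Added example: read saved "dcdiag /test:ridmanager /v" output and report how
# close this DC's pool is to the ceiling. Values below come from the article:
# RIDs are 30 bits long and pools are issued in increments of 500 by default.
$MaxRid   = [int64][math]::Pow(2, 30)
$PoolSize = 500

function Get-RidPoolStatus {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $inRidTest = $false
    foreach ($line in $Lines) {
        # Only trust lines that follow the "Starting test: RidManager" header.
        if ($line -match 'Starting test:\s*RidManager') { $inRidTest = $true; continue }
        if (-not $inRidTest) { continue }

        if ($line -match '\*\s*rIDAllocationPool is (\d+) to (\d+)') {
            $low  = [int64]$Matches[1]
            $high = [int64]$Matches[2]
            if ($high -lt $low -or $high -ge $MaxRid) {
                throw "Implausible rIDAllocationPool range: $low to $high"
            }
            # Upper bound only: other domain controllers may already hold
            # pools that lie above this one.
            $headroom = $MaxRid - 1 - $high
            return New-Object PSObject -Property @{
                PoolLow           = $low
                PoolHigh          = $high
                RidsInPool        = $high - $low + 1
                MaxRemainingRids  = $headroom
                MaxRemainingPools = [math]::Floor($headroom / $PoolSize)
                PercentConsumed   = [math]::Round(100 * ($high + 1) / $MaxRid, 4)
            }
        }
    }
    throw 'No rIDAllocationPool line in the RidManager section; this DC may not hold a RID pool.'
}

# Constructed sample lines in the shape the article describes.
$sample = @(
    '      Starting test: Connectivity',
    '      Starting test: RidManager',
    '         * rIDAllocationPool is 1100 to 1599'
)
Get-RidPoolStatus -Lines $sample

# Against a real report file (DC01 is a placeholder name):
# Get-RidPoolStatus -Lines (Get-Content "$env:USERPROFILE\Desktop\DC01_RIDpool.txt")
```

Running this on a schedule against each domain controller and alerting when PercentConsumed rises unusually fast gives early warning of runaway account creation, whether it is caused by a faulty provisioning script or by abuse.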