A few days ago I wrote about how RID Allocation Pools work in Active Directory (see AD Internals: Display RID Allocation Pools)

The article includes a script to dump all RID information for the whole domain. I will be using this script, rIDump.ps1 in this article.

In my test environment I had a problem with the RID Allocation Pool on one of the Domain Controllers. I noticed this because I had some duplicate SID’s in the domain.

So I needed to force this Domain Controller to re-allocate a block of RID’s and I wrote a PowerShell script, rIDAlloc.ps1,  to do that:

Before I go on with the script I will explain how we can force a Domain Controller to re-allocate a RID Pool.

First we need to obtain the Domain SID, we can do this by grabbing the objectSid attribute:

Then we need to write the Domain Sid to a special attribute called invalidateRidPool on the directory root (RootDSE).

After writing this special value, the rIDPreviousAllocationPool value is reset to 0.

Let’s check this with the riDump script!

Before writing the invalidateRidPool attribute (on DC001):

Let’s run the script and select DC001:

The script outputs:

Now we rerun the rIDump script:

In the System EventLog on the Domain Controller the following event will be generated:

Now we have to create a new object, I did that with Active Directory Users & Computers (don’t forget to bind to the Domain Controller you have just resetted) and create any dummy user.

You will get the following error message:

At this point, you can can cancel the creation of the dummy user (nothing has been created yet) because after this error, the Domain Controller has allocated a new RID Pool.

We can verify this with rIDump:

 

Both the rIDump and the rIDAlloc scripts can be downloaded freely from the Denamik website.