Revise RID Issuance Management details for clarity#8122

Open
HerbertMauerer wants to merge 1 commit into MicrosoftDocs:main from HerbertMauerer:patch-22

Conversation

@HerbertMauerer
Contributor

Remove all outdated versions; this is all default Windows behavior now.

@HerbertMauerer HerbertMauerer requested a review from a team as a code owner February 27, 2026 07:11
@HerbertMauerer HerbertMauerer requested review from robinharwood and removed request for a team February 27, 2026 07:11
@prmerger-automator
Contributor

@HerbertMauerer : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod
Contributor

Learn Build status updates of commit 10a612d:

✅ Validation status: passed

File: WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md
Status: ✅ Succeeded

For more details, please refer to the build report.

@prmerger-automator
Contributor

PRMerger Results

Issue: File Change Percent
Description: This PR contains file(s) with more than 30% file change.

Contributor

Copilot AI left a comment


Pull request overview

This PR updates the “Managing RID Issuance” documentation to remove older-version-specific guidance and to restate RID issuance behavior as default Active Directory/Windows behavior, with some wording and troubleshooting updates.

Changes:

  • Rephrases several sections to be version-agnostic and removes legacy OS/hotfix caveats.
  • Updates guidance around RID space thresholds, registry limits, and ceiling enforcement text.
  • Refreshes troubleshooting tooling references (e.g., replacing Network Monitor 3.4 with NetSH packet tracing).
Comments suppressed due to low confidence (7)

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:42

  • Run-on sentence in this paragraph (“By default there is a 30-bit global RID space, the first event…”). Split into separate sentences and add missing punctuation for readability.
By default there is a 30-bit global RID space, the first event logs when allocating the pool containing the 107,374,182<sup>nd</sup> RID. The event rate accelerates naturally until the last checkpoint of 100,000, with 110 events generated in total. The behavior is similar for an unlocked 31-bit global RID space: starting at 214,748,365 and completing in 117 events.

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:64

  • Grammar issue: “allowed new SIDs creation” should be rephrased (e.g., “allowed new SIDs to be created”).
The global RID space is limited to 2<sup>30</sup> (or 1,073,741,823) total RIDs by default. Once reached, only a domain migration or forest recovery to an older timeframe allowed new SIDs creation - disaster recovery, by any measure. The 2<sup>31</sup> bit can be unlocked in order to increase the global pool to 2,147,483,648 RIDs.

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:147

  • UI label casing is inconsistent with other docs in this section: use OK instead of Ok (e.g., WindowsServerDocs/identity/ad-ds/manage/replication-priority-boost.md uses “Select OK.”).
3. Select the **View** menu and select **Tree**, then for the **Base DN** select the RID Master's own domain naming context. Select **Ok**.

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:149

  • Wording is incorrect for the UI action: “Right select it” should be “right-click it” (or equivalent).
4. In the navigation pane, drill down into the **CN=System** container and select the **CN=RID Manager$** object. Right select it and select **Modify**.

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:211

  • Missing word reduces clarity: “Examine the System Event…” should be “Examine the System event log…”.
    1. Examine the System Event on the domain controller and the RID Master for block-indicating events detailed below in this article (16655, 16656, 16657).

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:40

  • Awkward/incorrect phrasing: “There is a global RID space event tracking…” should be reworded to a clearer subject (e.g., “Global RID space event tracking provides…”).
There is a global RID space event tracking that provides early warning when major milestones are crossed. The model computes the ten (10) percent used mark in the global pool and logs an event when reached. Then it computes the next ten percent used of the remaining and the event cycle continues. As the global RID space is exhausted, events will accelerate as ten percent hits faster in a decreasing pool (but event log dampening will prevent more than one entry per hour). The System event log on every domain controller writes Directory-Services-SAM warning event 16658.

WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md:53

  • Missing article and punctuation: “By default domain controller requests…” should be “By default, a domain controller requests…”.
By default domain controller requests RID allocations in blocks of 500 RIDs at one time. You can override this default using the following registry REG_DWORD value on a domain controller:



## <a name="BKMK_Manage"></a>Managing RID Issuance
By default, a domain has capacity for roughly one billion security principals, such as users, groups, and computers. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:
A domain has capacity for roughly two billion security principals, such as users, groups, and computers. One billion is allowed by default, but can be extended. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:
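Review bot: the new opening sentence leads with the two-billion maximum and then says one billion "is allowed by default, but can be extended" without saying what the extension is; the page's later section describes it as unlocking the 2^31 bit in an emergency. Suggest leading with the default and naming the unlock, e.g. "By default, a domain has capacity for roughly one billion security principals, such as users, groups, and computers. In an emergency, the global RID space can be unlocked to roughly two billion."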

Copilot AI Feb 27, 2026


The opening description is confusing: it starts with the maximum (~2.1B) but then says 1B is the default. Consider leading with the default (~1.07B / 2^30-1) and then mentioning the optional unlock to ~2.1B (2^31) for clarity and consistency with later sections.

Suggested change
A domain has capacity for roughly two billion security principals, such as users, groups, and computers. One billion is allowed by default, but can be extended. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:
By default, a domain has capacity for approximately one billion security principals, such as users, groups, and computers. In an emergency, this can be doubled to approximately two billion security principals. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:

In Windows Server 2012, you can't set this registry value higher than 15,000 decimal (0x3A98 hexadecimal). This prevents massive unintended RID allocation.

If you set the value *higher* than 15,000, the value is treated as 15,000 and the domain controller logs event 16653 in the Directory Services event log at every reboot until the value is corrected.
You can't set this registry value higher than 15,000 decimal (0x3A98 hexadecimal). This prevents massive unintended RID allocation. If you set the value *higher* than 15,000, the value is treated as 15,000 and the domain controller logs event 16653 in the Directory Services event log at every reboot until the value is corrected. The registry setting is used on the RID Master of the domain, and only read when the Directory Service starts. That happens while booting the Domain Controller.
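Review bot: the rewrite folds two paragraphs into one long one and leaves the scope of the setting ambiguous, since the surrounding text says the override is set "on a domain controller" while the new final sentences say it is used on the RID Master. Keep the paragraph break before "If you set the value *higher*", and merge the last two sentences into one that names who reads the value and when, e.g. "The RID Master reads this value only when the Directory Service starts, that is, when that domain controller boots."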

Copilot AI Feb 27, 2026


This paragraph says the RID Block Size override is set “on a domain controller”, but later states “The registry setting is used on the RID Master of the domain” (implying other DCs don’t use it). Please clarify which DC(s) actually read/apply this value to avoid conflicting guidance.

All of these situations use up RIDs unnecessarily, often by mistake. Over many years, a few environments ran out of RIDs and this forced them to migrate to a new domain or perform forest recoveries.

Windows Server 2012 addresses issues with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.
Active Directory helps tracking issue with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.
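Review bot: both the old and the new sentence carry a duplicated "to" in "the ability to - in an emergency - to double"; while rewording "helps tracking issue" (already flagged), also fix this, e.g. "..., more appropriate limits, and the ability, in an emergency, to double the overall size of the global RID space for a domain."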

Copilot AI Feb 27, 2026


Grammar issue: “helps tracking issue” should be rephrased (e.g., “helps track issues” / “provides improvements for RID allocation issues”).

Suggested change
Active Directory helps tracking issue with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.
Active Directory helps track issues with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.

1. Run LDP.exe.

2. Run LDP.exe.
2. Select the **Connection** menu and select *Connect* for the Windows Server 2012 RID Master on port 389, and then select **Bind** as a domain administrator.
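Review bot: the step numbering is broken: "1. Run LDP.exe." is followed by "2. Run LDP.exe." and then "2. Select the **Connection** menu ...", so the LDP.exe step appears twice and step 2 is duplicated; keep a single "1. Run LDP.exe." and number the Connection step 2. Also "select *Connect*" uses italics where the neighbouring UI labels (**Connection**, **Bind**) are bold; use bold for consistency.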

Copilot AI Feb 27, 2026


This step still calls out “Windows Server 2012” specifically (“Windows Server 2012 RID Master”), which conflicts with the PR goal of removing outdated-version references. Consider making this version-agnostic (e.g., “the RID Master domain controller”).

@ttorble
Contributor

ttorble commented Feb 27, 2026

#assign: @robinharwood, @dknappettmsft

@robinharwood @dknappettmsft

Can you review the proposed changes?

#label:"aq-pr-triaged"

@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator
Contributor

Users robinharwood are already assigned.

@prmerger-automator prmerger-automator bot added the aq-pr-triaged tracking label for the PR review team label Feb 27, 2026
5 participants