diff --git a/WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md b/WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md
index 94b5d86eb8..e66a782418 100644
--- a/WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md
+++ b/WindowsServerDocs/identity/ad-ds/manage/Managing-RID-Issuance.md
@@ -18,7 +18,7 @@ This article explains the change to the RID master FSMO role, including the new
More information is available at the [AskDS Blog](/archive/blogs/askds/managing-rid-issuance-in-windows-server-2012).
## Managing RID Issuance
-By default, a domain has capacity for roughly one billion security principals, such as users, groups, and computers. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:
+A domain has capacity for roughly two billion security principals, such as users, groups, and computers. One billion is allowed by default, but can be extended. Naturally, there are no domains with that many actively used objects. However, Microsoft Customer Support has found cases where:
- Provisioning software or administrative scripts accidentally bulk created users, groups, and computers.
@@ -34,12 +34,12 @@ By default, a domain has capacity for roughly one billion security principals, s
All of these situations use up RIDs unnecessarily, often by mistake. Over many years, a few environments ran out of RIDs and this forced them to migrate to a new domain or perform forest recoveries.
-Windows Server 2012 addresses issues with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.
+Active Directory helps tracking issue with RID allocation that have only become problematic with the age and ubiquity of Active Directory. These include better event logging, more appropriate limits, and the ability to - in an emergency - to double the overall size of the global RID space for a domain.
### Periodic Consumption Warnings
-Windows Server 2012 adds global RID space event tracking that provides early warning when major milestones are crossed. The model computes the ten (10) percent used mark in the global pool and logs an event when reached. Then it computes the next ten percent used of the remaining and the event cycle continues. As the global RID space is exhausted, events will accelerate as ten percent hits faster in a decreasing pool (but event log dampening will prevent more than one entry per hour). The System event log on every domain controller writes Directory-Services-SAM warning event 16658.
+There is a global RID space event tracking that provides early warning when major milestones are crossed. The model computes the ten (10) percent used mark in the global pool and logs an event when reached. Then it computes the next ten percent used of the remaining and the event cycle continues. As the global RID space is exhausted, events will accelerate as ten percent hits faster in a decreasing pool (but event log dampening will prevent more than one entry per hour). The System event log on every domain controller writes Directory-Services-SAM warning event 16658.
-Assuming a default 30-bit global RID space, the first event logs when allocating the pool containing the 107,374,182nd RID. The event rate accelerates naturally until the last checkpoint of 100,000, with 110 events generated in total. The behavior is similar for an unlocked 31-bit global RID space: starting at 214,748,365 and completing in 117 events.
+By default there is a 30-bit global RID space, the first event logs when allocating the pool containing the 107,374,182nd RID. The event rate accelerates naturally until the last checkpoint of 100,000, with 110 events generated in total. The behavior is similar for an unlocked 31-bit global RID space: starting at 214,748,365 and completing in 117 events.
> [!IMPORTANT]
> This event is not expected; investigate the user, computer, and group creation processes immediately in the domain. Creating more than 100 million AD DS objects is quite out of the ordinary.
@@ -50,7 +50,7 @@ Assuming a default 30-bit global RID space, the first event logs when allocating
There are new event alerts that a local DC RID pool was discarded. These are Informational and could be expected, especially due to the new VDC functionality. See the event list below for details on the event.
### RID Block Size Limit
-Ordinarily, a domain controller requests RID allocations in blocks of 500 RIDs at one time. You can override this default using the following registry REG_DWORD value on a domain controller:
+By default domain controller requests RID allocations in blocks of 500 RIDs at one time. You can override this default using the following registry REG_DWORD value on a domain controller:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values
@@ -58,14 +58,10 @@ RID Block Size
```
-Prior to Windows Server 2012, there was no maximum value enforced in that registry key, except the implicit DWORD maximum (which has a value of 0xffffffff or 4294967295). This value is considerably larger than the total global RID space. Administrators sometimes inappropriately or accidentally configured RID Block Size with values that exhausted the global RID at a massive rate.
-
-In Windows Server 2012, you can't set this registry value higher than 15,000 decimal (0x3A98 hexadecimal). This prevents massive unintended RID allocation.
-
-If you set the value *higher* than 15,000, the value is treated as 15,000 and the domain controller logs event 16653 in the Directory Services event log at every reboot until the value is corrected.
+You can't set this registry value higher than 15,000 decimal (0x3A98 hexadecimal). This prevents massive unintended RID allocation. If you set the value *higher* than 15,000, the value is treated as 15,000 and the domain controller logs event 16653 in the Directory Services event log at every reboot until the value is corrected. The registry setting is used on the RID Master of the domain, and only read when the Directory Service starts. That happens while booting the Domain Controller.
### Global RID Space Size Unlock
-Prior to Windows Server 2012, the global RID space was limited to 230 (or 1,073,741,823) total RIDs. Once reached, only a domain migration or forest recovery to an older timeframe allowed new SIDs creation - disaster recovery, by any measure. Starting in Windows Server 2012, the 231 bit can be unlocked in order to increase the global pool to 2,147,483,648 RIDs.
+The global RID space is limited to 230 (or 1,073,741,823) total RIDs by default. Once reached, only a domain migration or forest recovery to an older timeframe allowed new SIDs creation - disaster recovery, by any measure. The 231 bit can be unlocked in order to increase the global pool to 2,147,483,648 RIDs.
AD DS stores this setting in a special hidden attribute named **SidCompatibilityVersion** on the RootDSE context of all domain controllers. This attribute isn't readable using ADSIEdit, LDP, or other tools. To see an increase in the global RID space, examine the System event log for warning event 16655 from Directory-Services-SAM or use the following Dcdiag command:
@@ -79,15 +75,10 @@ If you increase the global RID pool, the available pool will change to 2,147,483
> [!WARNING]
-> This unlock is intended *only* to prevent running out of RIDS and is to be used *only* in conjunction with RID Ceiling Enforcement (see next section). Do not "preemptively" set this in environments that have millions of remaining RIDs and low growth, as application compatibility issues potentially exist with SIDs generated from the unlocked RID pool.
+> This unlock is intended *only* to prevent running out of RIDs and is to be used *only* in conjunction with RID Ceiling Enforcement (see next section). Do not "preemptively" set this in environments that have millions of remaining RIDs and low growth, as application compatibility issues potentially exist with SIDs generated from the unlocked RID pool.
>
> This unlock operation cannot be reverted or removed, except by a complete forest recovery to earlier backups.
-#### Important Caveats
-Windows Server 2003 and Windows Server 2008 Domain Controllers can't issue RIDs when the global RID pool 31st bit is unlocked. Windows Server 2008 R2 domain controllers *can* use 31st bit RIDs *but only if* they have hotfix [KB 2642658](https://support.microsoft.com/kb/2642658) installed. Unsupported and unpatched domain controllers treat the global RID pool as exhausted when unlocked.
-
-This feature isn't enforced by any domain functional level; take great care that only Windows Server 2012 or updated Windows Server 2008 R2 domain controllers exist in the domain.
-
#### Implementing Unlocked Global RID space
To unlock the RID pool to the 31st bit after receiving the RID ceiling alert (see below) perform the following steps:
@@ -107,19 +98,19 @@ To unlock the RID pool to the 31st bit after receiving the RID ceilin
SidCompatibilityVersion
```
-1. In **Values**, type:
+7. In **Values**, type:
```
1
```
-2. Ensure that **Add** is selected in **Operation** and select **Enter**. This updates the **Entry List**.
+8. Ensure that **Add** is selected in **Operation** and select **Enter**. This updates the **Entry List**.
-3. Select the **Synchronous** and **Extended** options, then select **Run**.
+9. Select the **Synchronous** and **Extended** options, then select **Run**.
-4. If successful, the LDP output window shows:
+10. If successful, the LDP output window shows:
```
***Call Modify...
@@ -127,13 +118,10 @@ To unlock the RID pool to the 31st bit after receiving the RID ceilin
modified "".
```
-
- 
-
-5. Confirm the global RID pool increased by examining the System Event Log on that domain controller for Directory-Services-SAM Informational event 16655.
+11. Confirm the global RID pool increased by examining the System Event Log on that domain controller for Directory-Services-SAM Informational event 16655.
### RID Ceiling Enforcement
-To afford a measure of protection and elevate administrative awareness, Windows Server 2012 introduces an artificial ceiling on the global RID range at ten (10) percent remaining RIDs in the global space. When within one (1) percent of the artificial ceiling, domain controllers requesting RID pools write Directory-Services-SAM warning event 16656 to their System event log. When reaching the ten percent ceiling on the RID Master FSMO, it writes Directory-Services-SAM event 16657 to its System event log and won't allocate any further RID pools until overriding the ceiling. This forces you to assess the state of the RID master in the domain and address potential runaway RID allocation; this also protects domains from exhausting the entire RID space.
+To afford a measure of protection and elevate administrative awareness, Active Directory has an artificial ceiling on the global RID range at ten (10) percent remaining RIDs in the global space. When within one (1) percent of the artificial ceiling, domain controllers requesting RID pools write Directory-Services-SAM warning event 16656 to their System event log. When reaching the ten percent ceiling on the RID Master FSMO, it writes Directory-Services-SAM event 16657 to its System event log and won't allocate any further RID pools until overriding the ceiling. This forces you to assess the state of the RID master in the domain and address potential runaway RID allocation; this also protects domains from exhausting the entire RID space.
This ceiling is hard-coded at ten percent remaining of the available RID space. That is, the ceiling activates when the RID master allocates a pool that includes the RID corresponding to ninety (90) percent of the global RID space.
@@ -152,35 +140,33 @@ To remove the block and allow RID pool allocation to continue, set that value to
#### Removing the Ceiling Block
To remove the block once reaching the artificial ceiling, perform the following steps:
-1. Ensure that the RID Master role is running on a Windows Server 2012 domain controller. If not, transfer it to a Windows Server 2012 domain controller.
+1. Run LDP.exe.
-2. Run LDP.exe.
+2. Select the **Connection** menu and select *Connect* for the Windows Server 2012 RID Master on port 389, and then select **Bind** as a domain administrator.
-3. Select the **Connection** menu and select *Connect* for the Windows Server 2012 RID Master on port 389, and then select **Bind** as a domain administrator.
+3. Select the **View** menu and select **Tree**, then for the **Base DN** select the RID Master's own domain naming context. Select **Ok**.
-4. Select the **View** menu and select **Tree**, then for the **Base DN** select the RID Master's own domain naming context. Select **Ok**.
+4. In the navigation pane, drill down into the **CN=System** container and select the **CN=RID Manager$** object. Right select it and select **Modify**.
-5. In the navigation pane, drill down into the **CN=System** container and select the **CN=RID Manager$** object. Right select it and select **Modify**.
-
-6. In Edit Entry Attribute, type:
+5. In Edit Entry Attribute, type:
```
MsDS-RidPoolAllocationEnabled
```
-7. In **Values**, type (in upper case):
+6. In **Values**, type (in upper case):
```
TRUE
```
-8. Select **Replace** in **Operation** and select **Enter**. This updates the **Entry List**.
+7. Select **Replace** in **Operation** and select **Enter**. This updates the **Entry List**.
-9. Enable the **Synchronous** and **Extended** options, then select **Run**:
+8. Enable the **Synchronous** and **Extended** options, then select **Run**:
-10. If successful, the LDP output window shows:
+9. If successful, the LDP output window shows:
```
***Call Modify...
@@ -189,17 +175,6 @@ To remove the block once reaching the artificial ceiling, perform the following
```
- 
-
-### Other RID Fixes
-Previous Windows Server operating systems had a RID pool leak when missing rIDSetReferences attribute. To resolve this problem on domain controllers that run Windows Server 2008 R2, install the hotfix from [KB 2618669](https://support.microsoft.com/kb/2618669).
-
-### Unfixed RID Issues
-There has historically been a RID leak on account creation failure; when creating an account, failure still uses up a RID. The common example is to create a user with a password that doesn't meet complexity.
-
-### RID Fixes for earlier versions of Windows Server
-All of the fixes and changes above have Windows Server 2008 R2 hotfixes released. There are currently no Windows Server 2008 hotfixes planned or in progress.
-
## Troubleshooting RID Issuance
### Introduction to Troubleshooting
@@ -210,7 +185,7 @@ RID issuance troubleshooting requires a logical and linear method. Unless you're
### Troubleshooting Options
#### Logging Options
-All logging in RID issuance occurs in the System Event log, under source Directory-Services-SAM. Logging is enabled and configured for maximum verbosity, by default. If no entries are logged for the new component changes in Windows Server 2012, treat the issue as a classic (aka legacy, pre-Windows Server 2012) RID issuance problem seen in Windows 2008 R2 or older operating systems.
+All logging in RID issuance occurs in the System Event log, under source Directory-Services-SAM. Logging is enabled and configured for maximum verbosity, by default.
#### Utilities and Commands for Troubleshooting
To troubleshoot issues not explained by the aforementioned logs - especially older RID issuance issues - use the following list of tools as a starting point:
@@ -219,7 +194,7 @@ To troubleshoot issues not explained by the aforementioned logs - especially old
- Repadmin.exe
-- Network Monitor 3.4
+- NetSH network packet tracing
### General Methodology for Troubleshooting Domain Controller Configuration
@@ -233,11 +208,11 @@ To troubleshoot issues not explained by the aforementioned logs - especially old
3. Does the error returned specifically mention RIDs but is otherwise nonspecific? For example, "Windows can't create the object because the Directory Service was unable to allocate a relative identifier."
- 1. Examine the System Event log on the domain controller for "legacy" (pre-Windows Server 2012) RID events detailed in [RID Pool Request](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee406152(v=ws.10)) (16642, 16643, 16644, 16645, 16656).
-
- 2. Examine the System Event on the domain controller and the RID Master for new block-indicating events detailed below in this article (16655, 16656, 16657).
+ 1. Examine the System Event on the domain controller and the RID Master for block-indicating events detailed below in this article (16655, 16656, 16657).
- 3. Validate Active Directory replication health with Repadmin.exe and RID Master availability with **Dcdiag.exe /test:ridmanager /v**. Enable double-sided network captures between the domain controller and the RID Master if these tests are inconclusive.
+ 2. Validate Active Directory replication health with Repadmin.exe and RID Master availability with **Dcdiag.exe /test:ridmanager /v**.
+
+ 3. Enable double-sided network captures between the domain controller and the RID Master if these tests are inconclusive.
### Troubleshooting Specific Problems