Active Directory and relative identifiers

Posted on By Mark Wilson

Last night, I wrote a post about how a little logical thinking was required in order to resolve some issues with the dcdiag.exe utility from the Windows Server 2003 Support Tools.

Since then, I’ve been examining the dcdiag test results and was a little alarmed to find that two of the domain controllers (DCs) for the domain that I intend to migrate several hundred users into were reporting a lack of available RIDs:

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 12352 to 12851
   * rIDNextRID: 12849
   * Warning :There is less than 1% available RIDs in the current pool
   ……………………. domaincontrollername passed test RidManager

For anyone who doesn’t appreciate the potential significance of this, relative identifiers (RIDs) are necessary in order to create new Active Directory objects.  Because Active Directory uses a multi-master model, any DC can create an object, which is then replicated between the various DCs in the organisation.  Objects are actually identified by their SID, part of which includes the domain identifier, and part of which is the RID.  In order to maintain uniqueness, the generation and allocation of RIDs is controlled by the DC holding the RID Master role for the domain, allocating pools of 500 (by default) RIDs to DCs for use when generating the SIDs for new objects.  Still with me?  Microsoft knowledge base article 305475 has more details.

Active Directory DCs (at Windows 2000 SP4 and later revisions) request a new RID pool from the RID master once the pool is 50% depleted, so 1% of available RIDs concerned me somewhat.  Other tests had confirmed that replication was working, and switching the RID Master role to another DC didn’t appear to make any change.  I also checked to see that there were no duplicate SIDs in the domain.  As it happens, everything was working normally but the labels, and the warning, are very confusing. This is what I found:

  • rIDPreviousAllocationPool is not, as the name suggests, the last pool that was used – it’s actually the RID pool that is currently being used.   So, in the example above, 12352 to 12851 is the list of RIDs currently being allocated. When this becomes exhausted (rIDNextRID gives an indication of how soon this will occur), Windows copies rIDAllocationPool into rIDPreviousAllocationPool and starts using the new RIDs as needed. There is a global RID pool size limit that the RID Master can allocate from (the Available RID Pool).
  • rIDAllocationPool is the next batch of RIDs to be used (supplied by the RID Master).  In this case, 14352 to 14851 will be the next batch of RID numbers (500 in the pool) for this DC.  This is generated automatically via a request to the RID Master once the pool is 50% depleted.
  • rIDNextRID is the last RID allocated (not the next one to be allocated).  So the next object to get created in the example above will get RID 12850.

I tested this by creating some new users and running further tests with dcdiag.exe, observing the DC reach the end of the pool and then start using the next pool (originally called rIDAllocationPool):

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 12352 to 12851
   * rIDNextRID: 12851
   * Warning :There is less than 0% available RIDs in the current pool
   ……………………. domaincontrollername passed test RidManager

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823 
   * domaincontrollername.domainname.tld is the RID Master 
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 14352 to 14851
   * rIDNextRID: 14352
   ……………………. domaincontrollername passed test RidManager

Once I have created another 249 or so users, I should see a new rIDAllocationPool generated.

Screenshot showing the RID as part of a SID in the additional account informationJust to be sure that I understood this fully, I installed acctinfo.dll, after which I could clearly see the RID at the end of the SID for the test user account (when viewing the Additional Account Info tab on the user properties in Active Directory Users and Computers).

In short, if you see a message about less than a certain percentage of RIDs in the current pool, don’t worry about it (as long as rIDAllocationPool is different to rIDPreviousAllocationPool)!  The pool will gradually be used until it reaches 0% and tips over into the next allocation.  The problem is the confusing language used (rIDAllocationPool should really be rIDNextAllocationPool, rIDPreviousAllocationPool should really be rIDCurrentAllocationPool and rIDNextRID should be rIDPreviousRID).

TNO

Posted on By Mark Wilson

There is a well known phrase in IT security – trust no one (often abbreviated to TNO).  A couple of weeks ago, a United Kingdom government department admitted to having lost a couple of discs containing, among other things, names, addresses, dates of birth and bank account details for my family.  Thanks.  For nothing.

Then, yesterday, a Senior Marketing Manager at Microsoft was not having a good day.  First of all, she sent a survey invitation to a list of "Microsoft Influencers" in the EMEA region but the bulk mailing tool she was using failed part way through dispatch.  After preparing a second message to the remaining recipients, she hit the wrong button and mailed a bunch of people she didn’t mean to.  So far, no real harm done, and an apologetic e-mail was sent to those affected.  Except that somewhere along the way she attempted to recall the message, the names of the recipients went to everyone who received the recall request, and two bright sparks on the list said (in jest, I think) something to the effect of "wouldn’t it be good if I could sell the e-mail addresses of all these people that Microsoft considers influential" (all 884 of them).  So that’s my e-mail address potentially compromised too.

And a few weeks back I had an e-mail from Fasthosts (through whom many of my domain names are registered) letting me know that they had experienced a security breach and that my account may have been compromised (but they couldn’t be sure)… so I could have been subject to a domain hijack if they hadn’t already locked my account for me.

Then there’s the various online and telephone-based services (including banks and credit card providers) that use ludicrously low security, with a myriad of single factors for authentication (and really, what use are my mother’s maiden name and town of birth for "security" questions as both of those items are publicly available information?).

It seems that avoiding identity theft is fighting a battle that can’t be won.  I have to entrust organisations with my personal details but, based on recent history, those organisations (including my government) cannot be trusted.

Maybe it’s time for me to find a new identity?

TNO.