An update is available to detect and prevent too much consumption of the global RID pool on a domain controller that is running Windows Server 2008 R2
Introduction
Active Directory Domain Services (AD DS) assigns unique security identifiers (SIDs) to users, computers, groups, and trusts that are created in Active Directory. SIDs consist of a domain prefix concatenated with a monotonically increasing relative identifier (RID). Each Active Directory domain is assigned a global RID pool that consists of 1 billion RIDs. To enable each Active Directory domain controller to create new security principals, each domain controller is allocated current and standby RID pools from the RID master.
When the global RID pool for the domain and for the local pools on individual domain controllers in a domain is exhausted, additional users, computers, and groups can no longer be created in the domain. To work around this issue, you can create and migrate objects and applications to a new domain.
This article describes a condition in which a logic failure may result in too many RID pool requests. This leads to global RID pool exhaustion.
Symptoms
Under certain rare circumstances, Windows Server 2008 R2 domain controllers unexpectedly consume a large amount of RID resources. This behavior exhausts the global RID pool. When this issue occurs, you experience one or more of the following issues:
- RIDs in the global RID pool are continually being consumed over time.
- The number of RIDs that are consumed in the global RID pool is greater than expected, considering the number of security principals that are intentionally created during the lifetime of the domain.
- The DCDIAG RID Manager test indicates that a search for the RidSetReferences attribute fails. Additionally, you receive the following error message:

Starting test: RidManager
Warning: attribute rIdSetReferences missing from
CN=name,OU=Domain Controllers,DC=name,DC=name,DC=name,DC=name
Could not get Rid set Reference :failed with 8481:
The search failed to retrieve attributes from the database.
......................... name failed test RidManager

This hotfix enables the ability to detect and prevent this behavior on Windows Server 2008 R2-based domain controllers.
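The following PowerShell script is an added example, not part of the Knowledge Base article, that reads the same attributes the symptoms above refer to: the domain's rIDAvailablePool on the RID master and each domain controller's rIDSetReferences and RID Set pools. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain.

```powershell
# Added example (not from the KB article): report global RID pool consumption
# and each DC's RID allocation so unexpected growth becomes visible.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                       -Properties rIDAvailablePool -Server $domain.RIDMaster

# rIDAvailablePool is a 64-bit value: the high 32 bits hold the highest RID the
# domain can ever issue, the low 32 bits the next RID the RID master will hand out.
$pool    = [int64]$ridMgr.rIDAvailablePool
$maxRid  = [int64][math]::Floor($pool / 4294967296)
$nextRid = $pool - ($maxRid * 4294967296)
$pct     = [math]::Round(100 * $nextRid / $maxRid, 2)
"Global pool on $($domain.RIDMaster): next RID $nextRid of $maxRid ($pct% issued)"

# Per-DC view: the DC's computer object points (rIDSetReferences) at its RID Set,
# which records the pool in use and the standby pool. A missing reference is the
# condition the DCDIAG RidManager warning reports.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN `
                           -Properties rIDSetReferences -Server $dc.HostName
    if (-not $comp.rIDSetReferences) {
        "$($dc.Name): rIDSetReferences missing (DCDIAG RidManager would warn)"
        continue
    }
    $set = Get-ADObject -Identity $comp.rIDSetReferences[0] -Server $dc.HostName `
                        -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID

    # Each pool attribute packs start (low 32 bits) and end (high 32 bits).
    $inUse   = [int64]$set.rIDPreviousAllocationPool
    $standby = [int64]$set.rIDAllocationPool
    $inUseEnd   = [int64][math]::Floor($inUse / 4294967296)
    $inUseStart = $inUse - ($inUseEnd * 4294967296)
    $standbyEnd   = [int64][math]::Floor($standby / 4294967296)
    $standbyStart = $standby - ($standbyEnd * 4294967296)

    "$($dc.Name): in-use pool $inUseStart-$inUseEnd, next RID $($set.rIDNextRID), " +
    "standby pool $standbyStart-$standbyEnd"
}
```

Run the script periodically and compare the global "next RID" value between runs; a value that climbs far faster than the number of principals actually being created matches the first symptom above.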
Cause
Under certain rare circumstances, a domain controller may issue recurring requests for RIDs from the global RID pool every 30 seconds.
If repetitive requests for RID pool updates are allowed to continue for a significant period of time, the global RID pool may experience too much RID consumption. In extreme cases, the global RID pool may be exhausted completely.
Resolution
To prevent too much RID consumption in the global RID pool, we recommend that you take the following actions:
- Install this hotfix on all existing Windows Server 2008 R2 domain controllers.
- Integrate the update into the Windows Server 2008 R2 installation media. By doing this, you guarantee that future domain controllers will also have this update.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix, you must be running one of the following operating systems:
- Windows Server 2008 R2
- Windows Server 2008 R2 Service Pack 1 (SP1)
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2
Registry information
To use the hotfix in this package, you do not have to make any changes to the registry.
Restart requirement
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
- The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version          Product                 SR_Level   Service branch
6.1.7600.16xxx   Windows Server 2008 R2  RTM        GDR
6.1.7600.21xxx   Windows Server 2008 R2  RTM        LDR
6.1.7601.21xxx   Windows Server 2008 R2  SP1        LDR
- The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.