"Domain controller has failed to obtain a new identifier pool" error event in Windows 2000 Server SP3 and earlier (316201)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
This article was previously published under Q316201.

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base: 256986 Description of the Microsoft Windows Registry
SYMPTOMS
Windows 2000 domain controllers may not be able to create user accounts,
computer accounts, or security groups if the local RID pool is used up and the
domain controller cannot obtain a new RID pool from the RID operations master.
In this state the domain controller also stops advertising itself, so network
clients that are trying to perform LDAP queries or authentication requests
cannot discover it.

Provided there is sufficient network connectivity to the RID operations master,
a domain controller does not experience this condition unless its rate of RID
consumption is quite high. For example, if the rate of security principal
creation exceeds the domain controller's ability to acquire a new RID pool from
the RID operations master, the domain controller temporarily cannot service
security principal creations. After a RID pool is acquired, the condition
clears and security principal creation resumes.

Event 16645 and, optionally, event 16651 are logged in the Directory Service
event log of domain controllers that cannot acquire new RID pools. The message
text for each event is:

Event 16645
The maximum account identifier allocated to this domain controller has been
assigned. The domain controller has failed to obtain a new identifier pool. A
possible reason for this is that the domain controller has been unable to
contact the master domain controller. Account creation on this controller will
fail until a new pool has been allocated. There may be network or connectivity
problems in the domain, or the master domain controller may be offline or
missing from the domain. Verify that the master domain controller is running
and connected to the domain.

Event 16651
The request for a new account-identifier pool failed. The operation will be
retried until the request succeeds. The error is %n " %1 "

CAUSE
Users, computers, and groups in Active Directory are collectively known as
"security principals." Each security principal is assigned a unique
alphanumeric string called a security identifier, or SID. The SID for a
security principal is made up of the domain-wide SID concatenated with a
unique relative identifier (RID). The RID is allocated by the Windows 2000
domain controller on which the security principal is created.

Individual domain controllers maintain local RID pools that are obtained from
a global pool on the RID operations master. By default, RID pools are obtained
in increments of 500. Windows 2000 domain controllers request a new RID pool
when 20 percent of the local RID pool remains. Domain controllers in
e-commerce or large-scale ADMT migration environments can create large numbers
of security principals in a short period of time. This may use up their local
RID pools more quickly than in conventional enterprise deployments.

Problems occur when a domain controller's local RID pool is used up and the
domain controller cannot obtain a new pool from the RID operations master
because of a problem with the domain controller itself, with the RID
operations master, or with the network. The domain controller then cannot
create additional security principals and stops advertising domain controller
services until a new local pool is obtained.

To reduce the chance of this loss of service, administrators can increase the
number of RIDs that the RID operations master allocates in each pool by
adjusting the RID Block Size (REG_DWORD) value on domain controllers under the
following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\

However, because of a flaw in the RID threshold compare logic in Windows 2000
SP3 and earlier, "RID Block Size" values beyond 500 were effectively ignored,
and allocation reverted to the default of 500.
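The following model, added here as an illustration and not Microsoft's code, walks through the pre-SP4 mechanism described above: a RID master hands out pools of 500, a domain controller asks for its next pool once only 20 percent (100 RIDs) of the current one remains, and a DC whose pool runs dry while the master is unreachable fails account creation (event 16645) after first logging retried request failures (event 16651). The class names, the `unavailable` flag standing in for a network outage or offline master, the starting RID of 1000, and the domain SID used in the scenario are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Values stated in the article for Windows 2000 SP3 and earlier.
BLOCK_SIZE = 500              # RIDs handed out per pool by the RID master
LOW_WATER_REMAINING = 100     # 20 percent of 500: ask for the next pool here
EVENT_POOL_EXHAUSTED = 16645  # logged when creation fails for lack of a pool
EVENT_REQUEST_FAILED = 16651  # logged when a pool request fails (retried)


@dataclass
class RidMaster:
    """Holder of the domain-wide RID pool (the RID operations master).

    `unavailable` is an assumption for this example: it stands in for the
    network outage or offline master that the article describes.
    """
    next_rid: int = 1000          # assumed first RID in the global pool
    max_rid: int = 2 ** 30        # domain RID space is roughly 2^30 (article)
    unavailable: bool = False

    def allocate(self, size: int = BLOCK_SIZE) -> Optional[tuple[int, int]]:
        """Return an inclusive (first, last) RID block, or None on failure."""
        if self.unavailable or self.next_rid + size > self.max_rid:
            return None
        block = (self.next_rid, self.next_rid + size - 1)
        self.next_rid += size
        return block


@dataclass
class DomainController:
    """One DC's local RID pool handling, as the article describes it."""
    domain_sid: str               # e.g. "S-1-5-21-..." (constructed below)
    master: RidMaster
    current: Optional[tuple[int, int]] = None   # pool RIDs are taken from
    next_rid: int = 0                           # next unused RID in `current`
    pending: Optional[tuple[int, int]] = None   # pre-fetched next pool
    events: list[int] = field(default_factory=list)  # Directory Service log

    def remaining(self) -> int:
        """Unused RIDs left in the current local pool."""
        if self.current is None:
            return 0
        return self.current[1] - self.next_rid + 1

    def _fetch_pending(self) -> bool:
        """Ask the RID master for the next pool; log 16651 if that fails."""
        if self.pending is not None:
            return True
        self.pending = self.master.allocate()
        if self.pending is None:
            self.events.append(EVENT_REQUEST_FAILED)
            return False
        return True

    def create_principal(self) -> Optional[str]:
        """Allocate a RID and return the new principal's SID, or None.

        None corresponds to the article's failure condition: the local pool
        is exhausted and no new pool could be obtained (event 16645).
        """
        if self.remaining() == 0:
            if not self._fetch_pending():
                self.events.append(EVENT_POOL_EXHAUSTED)
                return None
            self.current, self.pending = self.pending, None
            self.next_rid = self.current[0]
        rid = self.next_rid
        self.next_rid += 1
        # Proactive request once only 20 percent of the pool remains. A
        # failure here is only a retried 16651; this creation still succeeds.
        if self.remaining() <= LOW_WATER_REMAINING:
            self._fetch_pending()
        return f"{self.domain_sid}-{rid}"


if __name__ == "__main__":
    # Constructed scenario: the RID master goes offline after the first
    # pre-fetch; the DC keeps creating principals until both pools are used.
    master = RidMaster()
    dc = DomainController("S-1-5-21-1-2-3", master)   # constructed domain SID
    for _ in range(400):
        dc.create_principal()
    master.unavailable = True
    created = sum(dc.create_principal() is not None for _ in range(700))
    print(f"created {created} principals with the RID master unavailable")
    print(f"last events logged: {dc.events[-2:]}")
```

The scenario shows why the outage window matters: with the master reachable until the DC has consumed 400 RIDs, the DC has already pre-fetched a second pool and can still create 600 principals unattended; had the outage started a moment earlier, only the 100 remaining RIDs would have been usable.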
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.

With Windows 2000 Service Pack 4 (SP4), the threshold at which domain
controllers start to request a new RID pool has been raised: a domain
controller now requests a new pool when 50 percent of its RID pool remains
instead of 20 percent. For example, a domain controller with the default RID
block size of 500 starts to request a new pool when 250 (50 percent of 500)
RIDs have been consumed. A pre-SP4 domain controller with the same RID block
size of 500 requests a new pool only when 100 (20 percent) of the 500 RIDs
remain, that is, after 400 have been consumed.

The change means that domain controllers are a little more resilient to
temporary outages of the RID operations master at default settings, and the
RID pool size is administrator-configurable. Note that the global RID space,
and therefore the number of users, computers, and groups that you can create,
is finite for each domain (approximately 2^30 RIDs exist). After the
domain-wide RID pool is used up, no new security principals can be created in
the domain. Because of this, there are risks associated with increasing the
"RID Block Size." For example, every time a domain controller is
decommissioned through graceful or forceful demotion, or because of a hardware
failure, all of the RIDs in its local pool are lost. Similarly, every time a
domain controller is restored from backup, all of the RIDs in its local pool
are invalidated to help prevent more than one security principal from being
assigned the same RID. The larger the block size, the more RID space each such
event discards.

Outward-facing directory configurations are a notable exception to the advice
to leave the default RID values. In these configurations the rate of security
principal creation is high, the RID space is very centralized because few
domain controllers are needed, and uptime is frequently equivalent to the
ability to service account creations. Because of this, availability is
generally measured by how long, or how many, security principals can be
created while the RID operations master is unavailable. This time can be
greatly increased if the number of RIDs allocated locally is larger. For
outward-facing deployment configurations, or other deployments with special
needs, the block size was therefore exposed as a configuration parameter.
Windows 2000 SP4 and the Windows Server 2003 family expose a registry
configuration that can be used to increase the RID pool size. This makes it
possible for each domain controller to create a larger number of security
principals without contacting the RID operations master.

There is no benefit to changing the RID block size from the default when
Active Directory is deployed as a general-purpose NOS directory. In such cases
Microsoft recommends the default configuration.

If you do elect to use a different RID block size, note that the setting is
read only on the RID operations master. However, to simplify the management
of this setting, configure the value identically on all domain controllers in
the target domain. This way, if the RID operations master role is transferred
to another domain controller, the RID block size remains consistent without
additional updates, and System State restores do not unintentionally
overwrite the intended setting.

The RID operations master uses this registry setting to determine what size
RID pool to return to a requesting domain controller, including the RIDs for
the local RID pool on the RID FSMO itself:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\
RID Block Size (REG_DWORD)

The system creates this registry value automatically, and its initial value is
0. In this state the internal default of 500 is used. Setting this value to
less than 500 has no effect, and the default setting is still used. No maximum
block size is enforced. However, a value that is too large has an adverse
effect on the longevity of the domain.
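The arithmetic behind the trade-off in this section, written out as an added example (not Microsoft's code): what the RID operations master actually hands out for a given "RID Block Size" value before and after SP4, how many principals a domain controller can still create while the RID master is down at the pre-SP4 and SP4 thresholds, and how quickly a very large block size burns through the roughly 2^30 RIDs of a domain when pools are discarded by demotions and restores. The function names, the `sp4` flag, the two-pool bound on RIDs lost per decommission, and the creation and DC-loss rates in the demo are assumptions made for this illustration.

```python
from __future__ import annotations

DEFAULT_BLOCK = 500        # internal default used when the value is 0 or < 500
RID_SPACE = 2 ** 30        # approximate domain-wide RID space (article)


def effective_block_size(reg_value: int, sp4: bool) -> int:
    """RID Block Size the RID operations master actually hands out.

    reg_value is the REG_DWORD "RID Block Size" on the RID master. Pre-SP4,
    the threshold-compare flaw means any value above 500 is ignored; on SP4,
    values below 500 (including the initial 0) fall back to the default and
    no upper limit is enforced.
    """
    if not sp4:
        return DEFAULT_BLOCK
    return max(reg_value, DEFAULT_BLOCK)


def request_threshold(block: int, sp4: bool) -> int:
    """RIDs consumed from a fresh pool before the DC requests the next one.

    Pre-SP4: when 20 percent remains (400 of 500 consumed).
    SP4:     when 50 percent has been consumed (250 of 500).
    """
    return block // 2 if sp4 else block - block // 5


def headroom_if_master_unavailable(block: int, sp4: bool) -> tuple[int, int]:
    """(worst, best) principals a DC can still create with the RID master down.

    Worst case: the outage starts just as the threshold is crossed, so only
    the remainder of the current pool is usable. Best case: the next pool was
    already pre-fetched, adding one full block.
    """
    remainder = block - request_threshold(block, sp4)
    return remainder, remainder + block


def rids_lost_per_dc_loss(block: int) -> int:
    """Upper bound on RID space discarded when a DC is demoted, fails, or is
    restored from backup: its unused current pool plus a pre-fetched pool.
    The two-pool bound is an assumption for this example."""
    return 2 * block


def years_until_exhaustion(block: int, principals_per_year: int,
                           dc_losses_per_year: int) -> float:
    """Rough domain longevity given steady creation and DC-loss rates.

    The burn rate is the real principals created plus the RIDs thrown away
    with each demotion or restore, which is where a large block costs space.
    """
    burn = principals_per_year + dc_losses_per_year * rids_lost_per_dc_loss(block)
    return RID_SPACE / burn


if __name__ == "__main__":
    # Constructed figures: 10,000 principals a year and two DC rebuilds a year.
    for reg_value, sp4 in ((0, False), (10_000, False), (0, True),
                           (10_000, True), (10_000_000, True)):
        block = effective_block_size(reg_value, sp4)
        worst, best = headroom_if_master_unavailable(block, sp4)
        years = years_until_exhaustion(block, 10_000, 2)
        print(f"RID Block Size={reg_value:>10} SP4={sp4!s:5} -> block {block:>10}, "
              f"headroom {worst}-{best}, ~{years:,.0f} years of RID space")
```

Reading the output side by side makes the article's two points concrete: on a pre-SP4 RID master the registry value changes nothing, and on SP4 a modest increase buys outage headroom cheaply, while an unbounded value shortens the life of the domain from tens of thousands of years to a few decades once DC losses are counted.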
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that
are listed at the beginning of this article.
Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbWin2kSP4fix kbSecurity kbbug kbfix kbWin2000preSP4Fix KB316201