Whoa... what happened? I was about to install a new piece of software in my home domain that required a service account, so I tried to run New-ADServiceAccount, but I got:

New-ADServiceAccount : The directory service was unable to allocate a relative identifier

So why does my domain leak like a sieve?

Let's run dcdiag on it:

C:\Users\virot.admin>dcdiag /test:ridmanager /v
....
Directory Server Diagnosis

Performing initial setup:
Doing primary tests

   Testing server: Default-First-Site-Name\DC01
....
      Starting test: RidManager
         * Available RID Pool for the Domain is 35788100 to 1073741823
         * DC01.ad.virot.se is the RID Master
         * DsBind with RID Master was successful
         Warning: attribute rIdSetReferences missing from
         CN=DC01,OU=Domain Controllers,DC=ad,DC=virot,DC=se
         Could not get Rid set Reference :failed with 8481:
         The search failed to retrieve attributes from the database.
         ......................... DC01 failed test RidManager
....
C:\Users\virot.admin>

Guess what: there are still RIDs available. But a Microsoft blog stated that between 1999 and 2011 Microsoft's own corporate AD used 8 million RIDs, and my home domain has already burned through 35 million. That makes me a bigger consumer of RIDs than corporate Microsoft. Go me. Now let's see what ranges the different servers have. Not all of these values are replicated (rIDNextRID in particular lives only on the DC that owns the RID Set), so unless this is run against every domain controller it will only give a partial picture.

Get-ADObject -Filter {objectClass -eq 'rIDSet'} -Properties rIDAllocationPool,rIDNextRID,rIDPreviousAllocationPool |
Select-Object @{label='Server';expression={$_.DistinguishedName}},
	@{label='rIDAllocationPoolStart';expression={[int64]($_.rIDAllocationPool % 4294967296)}},               # pools are 64-bit: low 32 bits = first RID
	@{label='rIDAllocationPoolEnd';expression={[int64][math]::Floor($_.rIDAllocationPool / 4294967296)}},   # high 32 bits = last RID
	@{label='rIDNextRID';expression={$_.rIDNextRID}},                                                        # plain 32-bit counter, not packed, so no division
	@{label='rIDPreviousAllocationPoolStart';expression={[int64]($_.rIDPreviousAllocationPool % 4294967296)}},
	@{label='rIDPreviousAllocationPoolEnd';expression={[int64][math]::Floor($_.rIDPreviousAllocationPool / 4294967296)}}
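As an added example that is not part of the original post, the following PowerShell goes one step further than the query above: it asks every domain controller for its own RID Set (rIDNextRID is not replicated, so only the owning DC returns a meaningful value), unpacks the 64-bit pool attributes into start and end RIDs, checks the rIDSetReferences attribute that dcdiag complained about, and reads the domain-wide rIDAvailablePool from the RID Manager$ object so the figures can be compared with the dcdiag line above. It uses only the standard ActiveDirectory module cmdlets; DC names and values are whatever your own domain returns.

```powershell
# Added example, not code from the original post. Reads each DC's RID Set directly from
# that DC: rIDNextRID is not replicated, so only the owning DC returns a real value for it.
# Assumes the ActiveDirectory module and rights to read CN=System in the domain.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    # Pool attributes are packed 64-bit values: low 32 bits = first RID in the range,
    # high 32 bits = last RID in the range. Returns $null for an empty/unset pool.
    param([int64]$Pool)
    if ($Pool -le 0) { return $null }
    [pscustomobject]@{
        Start = [int64]($Pool % 4294967296)               # low 32 bits
        End   = [int64][math]::Floor($Pool / 4294967296)  # high 32 bits
    }
}

# Domain-wide view from the RID Manager$ object. The low half of rIDAvailablePool is the next
# RID the RID Master will hand out, so it approximates how many RIDs the domain has consumed;
# dcdiag prints the same two numbers as "Available RID Pool for the Domain is X to Y".
$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$avail  = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
'Domain RIDs handed out so far: {0:N0}; remaining in global pool: {1:N0}' -f $avail.Start, ($avail.End - $avail.Start)

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # The DC's computer object should point at its RID Set via rIDSetReferences. dcdiag
        # warns when it is missing, so check it instead of assuming the default location.
        $comp     = Get-ADObject -Server $dc.HostName -Identity $dc.ComputerObjectDN -Properties rIDSetReferences -ErrorAction Stop
        $ridSetDn = [string]$comp.rIDSetReferences
        if (-not $ridSetDn) {
            Write-Warning "$($dc.HostName): rIDSetReferences is missing on $($dc.ComputerObjectDN)"
            $ridSetDn = 'CN=RID Set,' + $dc.ComputerObjectDN
        }
        # -Server binds to this particular DC so the non-replicated rIDNextRID is its own value
        $ridSet = Get-ADObject -Server $dc.HostName -Identity $ridSetDn `
                      -Properties rIDAllocationPool,rIDPreviousAllocationPool,rIDNextRID -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): could not read RID Set - $($_.Exception.Message)"
        continue
    }

    $cur  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    $prev = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
    $next = [int64]$ridSet.rIDNextRID
    $curText  = if ($cur)  { '{0}-{1}' -f $cur.Start,  $cur.End }  else { '(none)' }
    $prevText = if ($prev) { '{0}-{1}' -f $prev.Start, $prev.End } else { '(none)' }
    # Approximate RIDs this DC can still issue before it must request a new pool from the RID Master
    $left = if ($cur -and $next) { $cur.End - $next } else { $null }

    [pscustomobject]@{
        DC            = $dc.HostName
        NextRID       = $next
        CurrentPool   = $curText
        PreviousPool  = $prevText
        LeftInCurrent = $left
    }
}
```

A DC whose NextRID keeps climbing and whose CurrentPool keeps moving to new ranges while the object count in the domain stays flat is the one that is burning RIDs; a DC whose RID Set cannot be read at all, or whose computer object has no rIDSetReferences, is the one to look at first.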

After running that in my environment I see that DC01 has a high RID counter, and it is the only DC that does, so let's look at the logs on that machine. Going through the whole log would take a while, so let's filter down to only the events that consume RIDs. Below is a list of the events that should require a new RID:

Event ID Message
4783 A basic application group was created.
4790 An LDAP query group was created.
4741 A computer account was created.
4744 A security-disabled local group was created.
4749 A security-disabled global group was created.
4759 A security-disabled universal group was created.
4727 A security-enabled global group was created.
4731 A security-enabled local group was created.
4754 A security-enabled universal group was created.
4720 A user account was created.

To simplify this I have created a simple XML query filter that you can paste into the Event Viewer's Filter Current Log dialog (XML tab):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4783 or EventID=4790 or EventID=4741 or EventID=4744 or EventID=4749 or EventID=4759 or EventID=4727 or EventID=4731 or EventID=4754 or EventID=4720)]]</Select>
  </Query>
</QueryList>
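The same filter can be run without the Event Viewer GUI. The following PowerShell is an added example and not part of the original post: it feeds the QueryList above to Get-WinEvent on a DC (DC01 is an assumption here; substitute your own) and summarises the creations per day and per event ID, which is how a runaway RID consumer would stand out from normal growth. It handles the empty-log case explicitly, because Get-WinEvent reports "no events found" as an error rather than an empty result, and an empty result also has a second possible cause: these events are only written if the account, computer and group management audit subcategories are enabled on that DC.

```powershell
# Added example, not code from the original post. Runs the RID-consuming-event filter
# against one DC and groups the results. $dcName is an assumption for the demo.
$dcName = 'DC01'
$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4783 or EventID=4790 or EventID=4741 or EventID=4744 or EventID=4749 or EventID=4759 or EventID=4727 or EventID=4731 or EventID=4754 or EventID=4720)]]</Select>
  </Query>
</QueryList>
'@

# Get-WinEvent raises "No events were found that match the specified selection criteria"
# as an error when nothing matches; for this check an empty result is a finding, not a failure.
$events = @(Get-WinEvent -ComputerName $dcName -FilterXml ([xml]$filter) -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    "No user/computer/group creation events in the Security log on $dcName."
    "Either nothing is being created on this DC, or Account/Computer/Group Management auditing is not enabled there."
    return
}

# Creations per day: steady state is a handful of rows per day; a runaway creator shows up
# as one day (or a run of days) with thousands.
"Creations per day on ${dcName}:"
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{n='Day';e={$_.Name}}, Count |
    Format-Table -AutoSize

# Creations per event ID, with the first line of a sample message, so you can tell
# whether it is users, computers or groups that are eating the RIDs.
"Creations per event ID on ${dcName}:"
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{n='EventID';e={$_.Name}}, Count,
        @{n='Sample';e={($_.Group[0].Message -split "`r?`n")[0]}} |
    Format-Table -AutoSize
```

Running this against each DC in turn (or looping over Get-ADDomainController -Filter *) tells you whether the RIDs are being consumed by real object creations on some DC, or, as in this post, whether the pool is shrinking without any matching creation events at all.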

All I found was an empty Security log.

Since the Security log doesn't show any such entries, we can say that this server isn't currently using up lots of RIDs. But it might also mean that I can't create anything at all on this server, so let's reboot that domain controller. Well, that didn't help either.

After digging a bit further I found KB article 2618669. The following symptoms are listed:

  • The dcdiag error message that I showed earlier in this post.
  • Larger RID usage than expected.
  • A continuing increase in RID usage.

After running Get-Hotfix to see whether it was installed, I noticed that my server at home hadn't been patched since install.

Now the big patch race:

  • First run: 96 patches.
  • Second run: 2 patches.
  • Third run: 1 patch (the special one from KB2618669).
  • After applying all of the patches I could finally create my service account on this server.

Sources: