SID vs RID

What is the difference? SID stands for Security Identifier; RID stands for Relative Identifier. Every user and group on a computer or in a domain gets a SID. So how is a SID constructed? We take the DomainSID or ComputerSID and tack on the RID, so it looks like <DomainSID>-<RID>. The DomainSID of the first domain controller becomes the DomainSID of the domain. Why do I call it a DomainSID when it is only a standalone computer? Subauthority 21 is used both for Active Directory domains and for standalone computers, and 21 stands for domain.

So what do we do with this knowledge? I initially started this article because of a domain controller that was reverted to an older snapshot. So there are some things to know.

  • Don’t ever snapshot and revert a Domain Controller.
  • If you ever do that, make sure to invalidate the RID pool immediately.
  • If you ever do that to a RID Master, make sure that the RID master’s pool contains a higher RID than any domain controller’s pool and any issued SID.

Some of these are easy to check; others take more time.

Checking the current next RID on all domain controllers

This checks the unreplicated rIDNextRid value on each domain controller, querying each DC directly so the local value is returned.

```powershell
Get-ADDomainController -Filter * -PipelineVariable dc | ForEach-Object {
    # The RID Set object under each DC's computer object holds its local next RID
    Get-ADObject "CN=RID Set,$($dc.ComputerObjectDN)" -Properties rIDNextRid -Server $dc.HostName |
        Select-Object @{l='Name';e={$dc.Name}}, rIDNextRid
}
```

Verify that the next pool to issue is the same on all domain controllers

This checks that the replicated rIDAvailablePool value from the RID master is the same on all domain controllers. This should always be true.

```powershell
Get-ADDomainController -Filter * -PipelineVariable dc | ForEach-Object {
    # Read the RID Manager$ object from each DC so a stale replica stands out
    Get-ADObject "CN=Rid Manager`$,$((Get-ADDomain).SystemsContainer)" -Server $dc.HostName -Properties rIDAvailablePool |
        Select-Object @{l='Name';e={$dc.Name}}, rIDAvailablePool
}
```

Where is the RID master currently issuing blocks of RIDs?

This is where the RID master will issue the next pool from. By default, domain controllers request RIDs in pools of 500.

```powershell
# The low 32 bits of rIDAvailablePool are the start of the next pool to hand out
(Get-ADObject "CN=Rid Manager`$,$((Get-ADDomain).SystemsContainer)" -Properties rIDAvailablePool).rIDAvailablePool -band [uint32]::MaxValue
```

    36398600

If needed, we can increase this value to force the RID master to skip a range of RIDs when a domain controller has been reverted.

Total number of SIDs issuable in the domain.

If this number is one billion, it can be raised if we have domain controllers newer than Windows 2008. This is the last RID that the domain can issue; after this everything stops.

```powershell
# The high 32 bits of rIDAvailablePool are the highest RID the domain can ever issue.
# 4611686014132554711 is the raw rIDAvailablePool value read from this domain.
([uint64]4611686014132554711 -shr 32) -band [uint32]::MaxValue
```

    1073741823
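The two halves of rIDAvailablePool above, and the third bullet (the RID master’s pool must sit above every RID already issued), can be checked in one pass. This is an added example, not a command from the original post; it assumes the ActiveDirectory module in a domain-joined session, and the function names are mine.

```powershell
# Added example: decode rIDAvailablePool and compare it against every RID the domain has issued.
function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory)][uint64]$Pool)
    # Low 32 bits: next RID the master hands out; high 32 bits: last RID the domain can issue
    [pscustomobject]@{
        NextPoolStart = [uint32]($Pool -band [uint32]::MaxValue)
        MaximumRid    = [uint32](($Pool -shr 32) -band [uint32]::MaxValue)
    }
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A SID is <DomainSID>-<RID>; the RID is the final sub-authority
    $idx = $Sid.LastIndexOf('-')
    [pscustomobject]@{
        DomainSid = $Sid.Substring(0, $idx)
        Rid       = [uint32]$Sid.Substring($idx + 1)
    }
}

$domain   = Get-ADDomain
$poolAttr = (Get-ADObject "CN=Rid Manager`$,$($domain.SystemsContainer)" -Properties rIDAvailablePool).rIDAvailablePool
$pool     = ConvertFrom-RidAvailablePool -Pool ([uint64]$poolAttr)
"Next pool starts at RID {0}; highest issuable RID is {1}" -f $pool.NextPoolStart, $pool.MaximumRid

# Highest RID actually issued to a principal of this domain (BUILTIN and foreign SIDs are skipped)
$domainSid = $domain.DomainSID.Value
$issued = Get-ADObject -LDAPFilter '(objectSid=*)' -Properties objectSid |
    Where-Object { $_.objectSid.Value -like "$domainSid-*" } |
    ForEach-Object { (Split-Sid $_.objectSid.Value).Rid }
$maxIssued = ($issued | Measure-Object -Maximum).Maximum

# Every pool already handed out lies below NextPoolStart. After a snapshot revert of the
# RID master, an issued RID at or above it means a pool will be re-issued: duplicate SIDs.
if ($maxIssued -ge $pool.NextPoolStart) {
    "WARNING: highest issued RID {0} >= next pool start {1}; raise the RID pool before issuing more" -f $maxIssued, $pool.NextPoolStart
} else {
    "OK: highest issued RID {0} is below next pool start {1}" -f $maxIssued, $pool.NextPoolStart
}
```

Run it as a domain user with read access to the Rid Manager$ object; the WARNING branch is the condition the third bullet above is meant to prevent.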

I strongly suggest that you never get into a position where you even have to consider this. I always disable the possibility of rolling back a domain controller. Microsoft has also implemented safeguards to stop these kinds of issues. But after a rollback I would manually verify that there won’t be a problem with duplicate SIDs.

Sources:

  • [AD Forest Recovery - Invalidating the current RID pool](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-invaildate-rid-pool)
  • [AD Forest Recovery - Raising the value of available RID pools](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-raise-rid-pool)