Hello RANG,

RID master

The RID master allocates sequences of relative IDs (RIDs) to each of the
various domain controllers in its domain. At any time, there can be only
one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it
assigns the object a unique security ID (SID). The SID consists of a domain
SID, which is the same for all SIDs created in the domain, and a RID, which
is unique for each SID created in the domain.


RID master failure

Temporary loss of the RID master is not visible to network users. It will
not be visible to network administrators either, unless they are creating
objects and the domain in which they are creating the objects runs out of
relative IDs (RIDs).
If the RID master will be unavailable for an unacceptable length of time,
you can seize the role to the operations master. However, seizing this role
is a drastic step that you should take only when the failure of the RID master
is permanent.

Important

. A domain controller whose RID master role has been seized must never be
brought back online.




Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

You will not see an immediate effect and the time you start to see an effect
will depend on the rate at which you create new objects. The RID master
allocates RIDs to the DCs in batches i.e. not one at a time. When the DCs
pool of RIDs is running low it will attempt to find the RID Master to
retrieve another batch. If a RID master cannot be found a DC will continue
using the remaining RIDs it has unitl the pool is empty. If a RID master
still can't be found then you will receive an error message stating that the
RID pool is empty or something along these lines when you try and create a
new object.

I can't remember the exact amount of RIDs a DC will hold but I think it is
in the hundreds somewhere.

Best Regards
Joe Dunn MCSE

the DCs cannot get a new rid pool of 500 rids when the current ones are
gone. when that happens a particular DC cannot create security principal
objects (e.g. users, groups, computers) if other DCs still have rids objects
can be created there
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------