Full Version: [WIN] The RID Master role
Illrigger
Had a VERY long week here at work, and I figure it might be helpful to you other SysAdmins to know what caused it and how to fix it.

This is the time of year when account creation is the busiest – when the new crop of freshmen start sending in their deposits and we get the go to create accounts for them. We create about 150 accounts a week for the next couple months, so we have a scripting process to do it for us.

Late last week, that process started failing. When I tried to add a user manually, it gave the error “Cannot complete operation because the number of available relative identifiers has been exceeded.” This was a new one to me, so off I went to do some research to find out how to fix it.

To sum up what relative identifiers (RIDs) are, you need to understand a little about Active Directory domains. Since an AD domain can have multiple controllers, and each can create accounts, there is a minuscule chance that two controllers could create accounts at the same time that have the same unique SID. This is a big no-no, and will cause both of those accounts to be invalid. To solve the issue, Microsoft adds an RID to the end of the SID. These RIDs are doled out by one controller (the RID Master) in the domain and tracked by that controller to make sure that no two accounts are the same.

What happened to us was that the RID Master got stuck and could no longer dole out RIDs. A bit of searching showed me that I needed to transfer the RID Master role from that controller to another in order to fix it. Which would be easy, if I HAD another controller on that domain. You see, the secondary controller in the domain had recently died and hadn’t been replaced yet.

No problem, you savvy admins think, just add a new controller in. BZZZT. Without RIDs to allocate, no new accounts can be added into a domain, and that includes new computers. No new computer account, no new domain controller. It was major hair-pulling time.

The solution? We were lucky. We had a Win2k server machine joined to the domain in one of our outlying departments that was not in use. Since this machine already had an account, and the DCPROMO process simply moves that account into the Domain Controllers OU rather than creating a new one, we were able to promote it and solve the problem.

The moral of this story? Make ABSOLUTELY SURE that you have more than one domain controller in a given domain AT ALL TIMES. If you cannot, at least make sure you have a Windows 2000 Server you can promote. If you don’t, you could easily end up losing your whole domain.
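A check that catches this condition before account creation starts failing, added here as an example and not part of Illrigger's post: it reads the domain-wide rIDAvailablePool from the RID Manager object and one DC's own RID Set block, and decodes the 64-bit values (high 32 bits = end of range, low 32 bits = start/next). It assumes a current domain with the RSAT ActiveDirectory module installed and an account allowed to read CN=System; the function names are mine.

```powershell
# Added example: report RID pool status for the domain and for one DC.
# Assumes the RSAT ActiveDirectory module; run as a domain user that can read CN=System.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Server)   # optional: DC to query; defaults to the RID Master

    $domain    = Get-ADDomain
    $dn        = $domain.DistinguishedName
    $ridMaster = $domain.RIDMaster
    if (-not $Server) { $Server = $ridMaster }

    # rIDAvailablePool is 64-bit: high 32 bits = highest RID the master may ever
    # issue, low 32 bits = next RID it will hand out to a DC.
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$dn" `
                -Properties rIDAvailablePool -Server $Server
    [int64]$pool = $ridMgr.rIDAvailablePool
    $poolTop = [int64]($pool -shr 32)
    $nextRid = [int64]($pool -band 0xFFFFFFFF)

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        RIDMaster     = $ridMaster
        NextRID       = $nextRid
        PoolTop       = $poolTop
        RIDsRemaining = $poolTop - $nextRid
    }
}

function Get-DcRidBlock {
    # Each DC holds a private block of RIDs (its RID Set). When the block is used
    # up it asks the RID Master for another; if the master cannot answer, account
    # creation on that DC fails with the error quoted in the post.
    param([Parameter(Mandatory)][string]$DcName)

    $dc  = Get-ADComputer -Identity $DcName -Properties rIDSetReferences
    $set = Get-ADObject -Identity $dc.rIDSetReferences[0] `
             -Properties rIDAllocationPool, rIDNextRID
    [int64]$alloc = $set.rIDAllocationPool   # low 32 = block start, high 32 = block end
    $blockEnd = [int64]($alloc -shr 32)

    [pscustomobject]@{
        DC          = $DcName
        BlockStart  = [int64]($alloc -band 0xFFFFFFFF)
        BlockEnd    = $blockEnd
        NextRID     = [int64]$set.rIDNextRID
        LeftInBlock = $blockEnd - [int64]$set.rIDNextRID
    }
}

Get-RidPoolStatus
Get-ADDomainController -Filter * | ForEach-Object { Get-DcRidBlock -DcName $_.Name }
```

The built-in `dcdiag /test:ridmanager` reports the same pool values; scheduling either check and alerting when RIDsRemaining or LeftInBlock drops low gives warning before the symptom in the post appears.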
Phonics Monkey
Sounds like the "not quite" Flexible Single Master of Operations :)