This article describes how to move the RID Master FSMO role and the manual actions that may be needed afterwards to keep your Active Directory environment working properly.
Flexible Single Master Operation (FSMO) roles are five special roles assigned to Domain Controllers in an Active Directory environment. The RID Master role is responsible for managing the Relative Identifier (RID) pools needed to generate correct SID values for each Active Directory object. This role needs special attention, because the Domain Administrator must take manual actions after the role is seized.
There are several ways to transfer or seize FSMO roles in general and the RID Master role in particular.
Please note that you cannot seize an FSMO role using the GUI.
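In PowerShell, the role can be given by name or by its number (1 is RIDMaster):
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 1
Adding -Force seizes the role instead of transferring it:
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster -Force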
RID Master role data is stored in the DOMAIN\System\RID Manager$ object. The attribute we need is RidAvailablePool. It is a Large Integer value that consists of:
So, we need to increase the Low part to make sure that, if the previous RID Master had issued RID pools that we are not aware of, we do not get conflicts when issuing new ones. The size of a RID pool can be checked under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size registry key. Depending on how many Domain Controllers you have, choose the number by which to increase the Low part, then simply add that number to the RidAvailablePool value. You can verify that the change does what you expect using the same Ldp utility.
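The arithmetic described above, as an added PowerShell example that is not part of the original article: it splits a RidAvailablePool value into its upper and lower 32 bits, raises the Low part, and refuses a value that would pass the High part. The function names, the sample value, and the increment policy (block size multiplied by the Domain Controller count) are assumptions made for illustration.

```powershell
# Added example, not from the article. Function names are hypothetical.
# rIDAvailablePool is a 64-bit integer: upper 32 bits = High part, lower 32 bits = Low part.
function Split-RidAvailablePool {
    param([Parameter(Mandatory)][int64]$Value)
    $mask = [int64]4294967295              # 0xFFFFFFFF held as Int64
    [pscustomobject]@{
        High = $Value -shr 32
        Low  = $Value -band $mask
    }
}

function Get-RaisedRidAvailablePool {
    param(
        [Parameter(Mandatory)][int64]$Value,
        [Parameter(Mandatory)][int64]$Increment
    )
    if ($Increment -le 0) { throw "Increment must be a positive number of RIDs." }
    $parts  = Split-RidAvailablePool -Value $Value
    $newLow = $parts.Low + $Increment
    # Adding straight to the 64-bit value would hide this case: the Low part
    # must never pass the High part, or no RIDs are left to hand out.
    if ($newLow -gt $parts.High) {
        throw "Raising Low part to $newLow exceeds High part $($parts.High)."
    }
    ($parts.High -shl 32) -bor $newLow     # only the Low part changes
}

# Constructed sample value (not taken from a real domain).
$sample    = ([int64]1073741823 -shl 32) -bor 4600
$blockSize = 500    # default RID Block Size; use the value from the registry key named above
$dcCount   = 4      # assumption: one possibly unknown pool per Domain Controller
$raised    = Get-RaisedRidAvailablePool -Value $sample -Increment ($blockSize * $dcCount)

Split-RidAvailablePool -Value $sample      # parts before the change
Split-RidAvailablePool -Value $raised      # parts after the change

# Against a live domain (needs the ActiveDirectory module), read the current value with:
#   $dn  = "CN=RID Manager`$,CN=System," + (Get-ADDomain).DistinguishedName
#   $cur = [int64](Get-ADObject $dn -Properties rIDAvailablePool).rIDAvailablePool
# and, after reviewing the new value, write it back with:
#   Set-ADObject $dn -Replace @{ rIDAvailablePool = $raised }
```

The top section runs without a domain; the commented lines show where the real read and write would go once the computed value has been checked.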