上节说到,到底RID在一个域内可以派多少个RID呢? 230 或者 1,073,741,823 个RID,算一算,也很多啊,有上亿个啊。
“Every domain has a RID Master: a domain controller that hands each DC a pool of 500 RIDs at a time. A domain contains a single RID pool which generates roughly one billion SIDs (because of a 30-bit length, it's 230 or 1,073,741,823 RIDs). Once issued, RIDs are never reused. You can’t reclaim RIDs after you delete security principals either, as that would lead to unintended access to resources that contained previously issued SIDs”
那么,怎么查看用了多少个RID呢?可以使用dcdiag命令
有什么情况会浪费RID呢?
TechNet 官方博客上列出了以下几点
Provisioning systems or admin scripts that accidentally bulk create users, groups, and computers.
Attempting to create enabled users that do not meet password requirements
DCs turned off longer than tombstone lifetime.
DC metadata cleaned.
Forest recovery.
The InvalidateRidPool operation.
Increasing the RID Block Size registry value.
假如运行了脚本,无限循环地创建用户、组或者计算机,会导致RID池的耗尽。所以,假如AD初学者要在生产环境使用创建用户、组或者计算机的脚本,AD管理员是留心哦,尤其是循环,类似i=1, i++ 等。
合理地使用RID池是不会有这些问题出现的,那微软自己用了多少呢?
"The normal operations are out of your control and unlikely to cause problems even in the biggest environments. For example, even though Microsoft’s Redmond AD dates to 1999 and holds the vast majority of our resources, it has only consumed ~8 million RIDs - that's 0.7%. In contrast, some of the abnormal operations can lead to squandered RIDs or even deplete the pool altogether, forcing you to migrate to a new domain or recover your forest. "
本文转自 VirtualTom 51CTO博客,原文链接:http://blog.51cto.com/virtualtom/831226,如需转载请自行联系原作者
