The RID Master is one of the five Flexible Single Master Operations (FSMO) roles in an Active Directory (AD) forest. It is one of the three domain-wide roles, so every domain has exactly one Domain Controller (DC) holding it at any given time. By default that is the first server promoted to a DC in the domain. The main purpose of the RID Master is to allocate blocks of relative IDs (RIDs) to the other domain controllers in its domain.
Whenever a domain controller creates a security principal (a user, group or computer object), it assigns the object a unique security ID (SID). A SID is made up of the domain SID, which is the same for every principal created in that domain, followed by a relative ID that is unique within the domain. The DC takes that RID from a pool it was issued by the RID Master.
The RID Master hands out RIDs in blocks (500 at a time by default). Each DC draws from its own block when it creates objects and, when that block is running low, asks the RID Master for another one, so the pool is replenished before it is exhausted. Because only one DC ever issues pools, the RID Master can guarantee that no two DCs are given overlapping ranges, and therefore that no two principals in the domain end up with the same SID.
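The following PowerShell is an added example, not code from the original article, that shows the pieces described above in a live domain: the SID as domain SID plus RID, the domain-wide unallocated range held on the RID Manager$ object, and each DC's own pool held on its RID Set object. It assumes the ActiveDirectory RSAT module on a domain-joined host; the attribute names are the real schema attributes, and the 64-bit pool layout (low 32 bits = first RID, high 32 bits = last RID) is the documented one.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# AD stores a RID pool as one 64-bit integer:
#   low 32 bits  = first RID in the range
#   high 32 bits = last RID in the range
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][Int64]$Pool)
    [pscustomobject]@{
        Start = [Int64]($Pool -band 0xFFFFFFFF)
        End   = [Int64](($Pool -shr 32) -band 0xFFFFFFFF)
    }
}

# A principal's SID is the domain SID followed by one RID, which is exactly what a DC
# builds when it creates a user, group or computer from the next RID in its pool.
function New-PrincipalSid {
    param([Parameter(Mandatory)][string]$DomainSid,
          [Parameter(Mandatory)][UInt32]$Rid)
    [System.Security.Principal.SecurityIdentifier]"$DomainSid-$Rid"
}

$domain = Get-ADDomain
"RID Master for $($domain.DNSRoot): $($domain.RIDMaster)"
# RID 500 is the fixed RID of the built-in Administrator account.
"Built-in Administrator SID: $(New-PrincipalSid $domain.DomainSID.Value 500)"

# The range not yet handed to any DC lives on the RID Manager$ object in the domain.
# Start is the next RID the RID Master will allocate, End is the ceiling of the RID space.
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                       -Properties rIDAvailablePool
$avail = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
"Unallocated RIDs: {0} .. {1}" -f $avail.Start, $avail.End

# Each DC's pool is on the "RID Set" child of its computer object. rIDNextRID is
# maintained locally by that DC and is not replicated, so query each DC directly.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName `
                           -Properties rIDSetReferences
    $set  = Get-ADObject -Identity ([string]$comp.rIDSetReferences) -Server $dc.HostName `
                         -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $active = ConvertFrom-RidPool $set.rIDPreviousAllocationPool   # pool being consumed now
    $next   = ConvertFrom-RidPool $set.rIDAllocationPool           # pool issued by the RID Master
    # On a DC that has not created a principal yet the active pool is still 0.
    $remaining = if ($active.End -gt 0) { $active.End - $set.rIDNextRID } else { $null }
    [pscustomobject]@{
        DC          = $dc.Name
        ActivePool  = "{0}-{1}" -f $active.Start, $active.End
        LastUsedRid = $set.rIDNextRID
        Remaining   = $remaining          # RIDs are consumed, never returned to the pool
        NextPool    = "{0}-{1}" -f $next.Start, $next.End
    }
}
```

A DC whose Remaining column is close to zero and whose NextPool equals its ActivePool has nothing left to draw from once the active range is spent; that is the state you will see across the domain if the RID Master has been down for a while.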
Whenever an object is moved between domains in the same forest, the move must be initiated on the RID Master of the source domain. You can move objects between domains with movetree.exe or with ADMT (Active Directory Migration Tool). There is no need to delete the object in one domain and recreate it in the other, and you should not: the recreated object gets a brand-new SID, every ACL that referenced the old SID stops matching, and the object loses access to the resources that were granted to that SID. A proper cross-domain move records the old SID in the object's sIDHistory attribute, so existing access continues to resolve.
If the DC holding the RID Master role fails, you probably won't see the impact right away, because every DC keeps working from the block of RIDs it already has. The impact appears as DCs try to replenish their pools and cannot. A DC that has run out of RIDs refuses to create new security principals (users, groups and computers) while everything else on it keeps working. The role can be transferred while both DCs are online, or, if the holder is permanently lost, seized with the ntdsutil command. Seize only as a last resort: a DC whose RID Master role was seized must never be brought back onto the network without being rebuilt, otherwise two DCs could issue overlapping RID pools.
Using the Active Directory Users and Computers snap-in, first connect to the DC that should receive the role (right-click the snap-in root and choose Change Domain Controller). Then right-click the domain object, click Operations Masters and select the RID tab. The top box shows the DC currently holding the role; the lower box shows the DC you are connected to, which is the one the role will be transferred to. Click Change and confirm.
Or, using the ntdsutil.exe command: type roles and hit Enter, then type connections and hit Enter. Next type connect to server servername (the DC that should receive the role) and hit Enter; the tool binds to that server. Type quit and hit Enter to return to the fsmo maintenance prompt, then type transfer rid master and hit Enter. A confirmation dialog box is displayed; click Yes. ntdsutil reports the outcome and lists the current role holders, and the transfer of the RID Master role is complete. (To seize the role from a holder that is permanently gone, the command at the same prompt is seize rid master, with the caveat above.)
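The same transfer done from PowerShell, as an added example that is not part of the original article. It uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet and then verifies the result with Get-ADDomain, dcdiag and netdom; DC02 is a placeholder name for the DC that should take the role.

```powershell
# Added example (not from the original article): transfer, or as a last resort seize,
# the RID Master with the ActiveDirectory module, then verify. 'DC02' is a placeholder.
Import-Module ActiveDirectory
$target = 'DC02'

$before = (Get-ADDomain).RIDMaster
"Current RID Master: $before"

# Graceful transfer: both the current holder and $target must be online and replicating.
# Add -Force only to seize the role from a holder that is permanently gone. A DC that had
# the role seized from it must never return to the network without being rebuilt, or two
# RID Masters could issue overlapping pools and therefore duplicate SIDs.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
                                          -OperationMasterRole RIDMaster `
                                          -Confirm:$false

# Verify from the new holder's own view of the domain (RIDMaster is returned as an FQDN).
$after = (Get-ADDomain -Server $target).RIDMaster
if ($after -notlike "$target*") { throw "Transfer did not take: RID Master is $after" }
"RID Master moved from $before to $after"

# Check RID issuance health on the new holder and list all five role holders.
dcdiag /test:RidManager /v /s:$target
netdom query fsmo
```

The dcdiag RidManager test is also the quickest check to run after a seizure: it confirms the new holder can allocate pools and reports the RID Manager$ and RID Set values discussed earlier.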