Does the company's AD have an expiration date?


Since 2008, an Active Directory forest can hold up to about 2.15 billion objects. A single domain can accommodate approximately 1 billion security principals, i.e. users, computers, or security groups. Each security principal is identified by a Security Identifier (SID).

The last component of the SID is the relative identifier (RID), which is taken from the domain's RID pool when the object is created. The pool from which blocks of RIDs are allocated is 30 bits wide, i.e. roughly 1 billion RIDs. If 1 million security principals are created when the AD is set up and 1,000 RIDs are consumed per day afterwards (one per object created), the RID pool would be exhausted after 2939 years.

In practice, however, errors can cause RIDs to be consumed far faster than that, uncontrolled and unnoticed:

  • Many DCs promoted or demoted, or the metadata of many DCs cleaned up (each DC holds its own allocated RID block, which is lost with the DC)

  • Invalid RID blocks

  • Errors when manually changing the RID block size

  • Errors by delegated users when creating objects

Starting with Windows Server 2012, the system warns at every 10% of RID pool consumption and logs an event each time one of these thresholds is reached.

If the 2^30 RIDs are not enough, the RID pool can be enlarged to 2^31 RIDs, also starting with Windows Server 2012.
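The check a practitioner wants here is to read the domain's actual RID pool state and run the article's arithmetic against it. The following is an added example, not code from the article or from Microsoft; the function names are my own, and it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the RID Manager$ object.

```powershell
# Added example, not from the article: decode the domain's rIDAvailablePool value and
# project exhaustion with the article's arithmetic. Function names are my own.
# Requires the ActiveDirectory module (RSAT) and read access to CN=RID Manager$.

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool is a 64-bit value. High 32 bits: the largest RID the domain can
    # ever issue (1073741823 for the 30-bit pool, 2147483647 after enlarging it to 31 bits).
    # Low 32 bits: the next RID to be handed out, i.e. the number already consumed.
    param([Parameter(Mandatory)][long]$RidAvailablePool)
    $maxRid = $RidAvailablePool -shr 32
    $issued = $RidAvailablePool -band 4294967295
    [pscustomobject]@{
        MaxRid          = $maxRid
        RidsIssued      = $issued
        RidsRemaining   = $maxRid - $issued
        PercentConsumed = [math]::Round(100.0 * $issued / $maxRid, 2)
    }
}

function Get-RidExhaustionYears {
    # The article's model: remaining RIDs divided by a steady daily consumption.
    param(
        [Parameter(Mandatory)][long]$MaxRid,
        [Parameter(Mandatory)][long]$RidsIssued,
        [Parameter(Mandatory)][double]$RidsPerDay
    )
    [math]::Round(($MaxRid - $RidsIssued) / $RidsPerDay / 365)
}

function Get-RidPoolStatus {
    # Live check: read the value from the RID master of the current domain.
    $domain = Get-ADDomain
    $dn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $obj = Get-ADObject -Identity $dn -Properties rIDAvailablePool -Server $domain.RIDMaster
    ConvertFrom-RidAvailablePool -RidAvailablePool ([long]$obj.rIDAvailablePool)
}

# Constructed sample: 30-bit pool with 1,000,000 RIDs issued (the article's starting point).
$sample = (1073741823 * 4294967296) + 1000000
$status = ConvertFrom-RidAvailablePool -RidAvailablePool $sample
$status | Format-List
# With 1,000 RIDs per day this reproduces the article's 2939 years.
Get-RidExhaustionYears -MaxRid $status.MaxRid -RidsIssued $status.RidsIssued -RidsPerDay 1000

# On a domain controller or RSAT host, run Get-RidPoolStatus for the real numbers.
```

Comparing PercentConsumed over time (for example from a scheduled run) shows a sudden jump long before the 10% event thresholds fire, which is exactly the uncontrolled consumption the article warns about.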

Johannes Tröster
Microsoft™ Certified Solutions Expert and qSkills™ instructor
All updates on Active Directory in Windows Server 2012 / R2 are available in course MS108.