Troubleshoot Windows Setup for AD Bridge

RID Pool Error

Issue: If you have more than 2^19 (524,288) users, groups, or computers created in your domain, you cannot use the Suggest button to suggest UID numbers for users, as the UID can no longer be guaranteed unique.

You may run into this problem of having too many RIDs in the domain if you are running a version of AD Bridge earlier than 10.0 and you are:

  • a large university that onboards students in AD and has, so far, used Student IDs or unique ID numbers assigned by human resource management software
  • a large company that uses Employee IDs
  • a customer whose broken scripts have exhausted the RID pool and who has moved to Employee IDs.

Details: The SID in AD is a 96-bit number of the form Domain SID + Relative ID (RID). Every user in the domain shares the same domain SID but has an incrementing RID. This SID is unique worldwide, and is therefore the correct value to translate into a Unix UID. The problem is that a Unix UID or GID number can only be 32 bits. At first glance, the answer would seem to be to use the RID directly, but that runs into problems in multi-domain environments, where RIDs between two domains are absolutely guaranteed to collide. For example, the Domain Users group always has RID 513 in every domain.

Therefore, the UID/GID needs to be generated from a combination of a hash of the domain SID and the RID. To support a larger forest that may have 20-30 domains in the trust list, the part of the value carrying the domain SID hash needs to be large enough not to collide at that range. We settled on 12 bits for the domain SID hash and 19 bits for the RID, which protects against collisions for up to 30 AD domains in the trust list and allows 512,000 RIDs (the uidNumber in AD is a signed int, so only 31 bits can be used).
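The following added example (not AD Bridge code) models the layout just described: a 12-bit domain-SID hash above a 19-bit RID, 31 bits in total. The hash function itself is an assumption, since the page does not document the one AD Bridge uses; the domain SIDs are constructed values.

```python
# Added example (not AD Bridge code): models the uidNumber layout the page
# describes, a 12-bit domain-SID hash above a 19-bit RID, 31 bits in total.
RID_BITS = 19
DOMAIN_BITS = 12
RID_MASK = (1 << RID_BITS) - 1            # 524,287: the largest RID that fits
DOMAIN_MASK = (1 << DOMAIN_BITS) - 1


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 6 or parts[0] != "S":
        raise ValueError("not an account SID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def domain_hash(domain_sid):
    """Illustrative 12-bit hash of the domain SID (assumption: the real
    AD Bridge hash is not documented on this page). XOR the three 32-bit
    sub-authorities of S-1-5-21-a-b-c, then fold the result to 12 bits."""
    folded = 0
    for sub in domain_sid.split("-")[4:]:
        folded ^= int(sub)
    return (folded ^ (folded >> 12) ^ (folded >> 24)) & DOMAIN_MASK


def suggest_uid(sid):
    """Return the 31-bit uidNumber, or None when the RID exceeds 19 bits
    (the case where a suggested UID can no longer be guaranteed unique)."""
    domain_sid, rid = split_sid(sid)
    if rid > RID_MASK:
        return None
    return (domain_hash(domain_sid) << RID_BITS) | rid


def decode_uid(uid):
    """Recover (domain hash, RID) from a generated uidNumber."""
    return (uid >> RID_BITS) & DOMAIN_MASK, uid & RID_MASK


if __name__ == "__main__":
    # Constructed domain SIDs; Domain Users is RID 513 in both domains.
    a = suggest_uid("S-1-5-21-1000-2000-3000-513")
    b = suggest_uid("S-1-5-21-1000-2000-3001-513")
    print(a, b, a != b)                    # same RID, different uidNumbers
    print(decode_uid(a))                   # (3968, 513)
    print(suggest_uid("S-1-5-21-1000-2000-3000-524288"))  # None: RID needs 20 bits
```

The `None` return is the condition behind the RID Pool Error: once a RID needs more than 19 bits it no longer fits beside the domain hash in a signed 32-bit uidNumber.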

Summary: The only effect is that you cannot use the Suggest button to generate UID numbers or GID numbers that are certain to be unique. Just type your own number in. Use something like a Student ID, Employee ID, PeopleSoft unique ID, or some other previously generated unique number, or keep a single-source last-used value and simply increment it with each user you add.