It is amazing how easy it is to be pulled onto a tangent while researching a problem. I was actually looking at ways to better demonstrate Domain Controller Cloning when I got pulled back into an old thought process on RID depletion, and I decided to build a warning system for myself.
Those of you who have taken my PowerShell or Windows classes know that I prefer automation over manual tasks. Here is one that you can add to your weekly domain health checks.
This code takes a look at your RID pool. Once the pool starts to be depleted, it warns you and points you to the Microsoft KB article so you can make the proper planning decisions early. You can run it at the command line or as a scheduled task. If you want it to send email, add the name of your SMTP server as the value of $SMTPServer. Also, if your SMTP server requires authentication, take a look at the -Credential parameter in the help file of Send-MailMessage. Just to give you an idea of how critical this is, once the pool is depleted you will lose the ability to:
- Create new users
- Create new Security Groups
- Add computers to your domain
- Promote new Domain Controllers
You could also lose the ability to migrate to a new domain if you allow this pool to deplete before the domain migration is completed.
```powershell
Function Test-RIDPool {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [String] $DomainDN,
        [Switch] $Email
    )

    # Function provided by NedPyle [MSFT]
    # https://social.technet.microsoft.com/profile/NedPyle%20[MSFT]
    # http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
    function Get-RIDsremainingAdPsh {
        param ($domainDN)
        # rIDAvailablePool is a 64-bit value. The high 32 bits hold the size of the
        # global pool (1,073,741,823 by default); the low 32 bits hold the next RID
        # to be handed out, i.e. how many RIDs have been issued so far.
        $property = Get-ADObject "cn=rid manager$,cn=system,$domainDN" -Property ridavailablepool -Server ((Get-ADDomain $domainDN).RidMaster)
        $rid = $property.ridavailablepool
        # Floor rather than a bare [int32] cast: the cast rounds to nearest, which
        # would overstate the high part once more than 2^31 RIDs have been issued.
        [int32]$totalSIDS = [math]::Floor($rid / ([math]::Pow(2,32)))
        [int64]$temp64val = $totalSIDS * ([math]::Pow(2,32))
        [int32]$currentRIDPoolCount = $rid - $temp64val
        $ridsremaining = $totalSIDS - $currentRIDPoolCount

        # Below this comment, Ned's code has been modified.
        $Obj = New-Object -TypeName PSObject -Property @{
            "RIDIssued"    = $currentRIDPoolCount
            "RIDRemaining" = $ridsremaining
        }
        Write-Output $Obj
    }

    $RIDs = Get-RIDsremainingAdPsh -domainDN $DomainDN

    # Check to see if the pool is past any thresholds.
    $Total    = 1073741824
    $Message  = "RID Pool is below 50%. $($RIDs.RIDRemaining) remaining"
    $Message2 = "Your domain RID Pool is depleted. Read this article for more " +
                "information: https://technet.microsoft.com/en-us/library/jj574229.aspx " +
                "$($RIDs.RIDRemaining) remaining"
    $Priority = "Normal"

    # Test the lowest thresholds first. Testing "less than 50%" first would match
    # every lower level as well, and the more urgent branches would never run.
    If ($RIDs.RIDRemaining -lt ($Total*.01)) {
        $Subject  = "RID Pool remaining is less than 1%"
        $Message  = $Message2
        $Priority = "High"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.02)) {
        $Subject  = "RID Pool remaining is less than 2%"
        $Message  = $Message2
        $Priority = "High"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.03)) {
        $Subject  = "RID Pool remaining is less than 3%"
        $Message  = $Message2
        $Priority = "High"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.04)) {
        $Subject  = "RID Pool remaining is less than 4%"
        $Message  = $Message2
        $Priority = "High"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.05)) {
        $Subject  = "RID Pool remaining is less than 5%"
        $Message  = $Message2
        $Priority = "High"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.10)) {
        $Subject = "RID Pool remaining is less than 10%"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.15)) {
        $Subject = "RID Pool remaining is less than 15%"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.20)) {
        $Subject = "RID Pool remaining is less than 20%"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.25)) {
        $Subject = "RID Pool remaining is less than 25%"
    } ElseIf ($RIDs.RIDRemaining -lt ($Total*.50)) {
        $Subject = "RID Pool remaining is less than 50%"
    } Else {
        $Subject = "RID Pool is above 50%"
        $Message = "RID Pool has more than 50% left. $($RIDs.RIDRemaining) remaining"
    }

    # Send the Report.
    If ($Email) {
        $ToAddress   = "YourEmail@Company.com"
        $FromAddress = "RIDPoolReport@Company.com"
        $SMTPServer  = $Null   # Put the name of your SMTP server here.
        Send-MailMessage -To $ToAddress `
                         -From $FromAddress `
                         -Subject $Subject `
                         -Body $Message `
                         -Priority $Priority `
                         -SmtpServer $SMTPServer
    } Else {
        $Obj = New-Object -TypeName PSObject -Property @{
            RIDPoolRemaining = $RIDs.RIDRemaining
            Message          = $Message
            Priority         = $Priority
        }
        Write-Output $Obj
    }

    <#
    .SYNOPSIS
    Provides a report on the remaining RID Pool.

    .DESCRIPTION
    Displays the remaining number of RIDs in the domain. This can be performed on the
    fly at the prompt or sent in an email. The email is functional only if your
    environment supports the Send-MailMessage cmdlet.

    .PARAMETER DomainDN
    The distinguished name of your domain. For example, a domain named MCTExpert.com
    would be "DC=MCTExpert,DC=COM".

    .PARAMETER Email
    Send the report in an email. This functionality will only work if your environment
    supports the Send-MailMessage cmdlet. If you need to provide credentials for
    Send-MailMessage to work, look at the help file for Send-MailMessage. Also, in the
    code, provide the name of your SMTP server as the value for the variable $SMTPServer.

    .EXAMPLE
    Test-RIDPool -DomainDN "DC=Adatum,DC=COM"

    Displays your RID pool information in the console.

    .EXAMPLE
    Test-RIDPool -DomainDN "DC=Adatum,DC=COM" -Email

    Emails your RID pool information.
    #>
}
```
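To run the check as the weekly scheduled task mentioned above, here is an added example (not part of the original post). It assumes the function has been saved to C:\Scripts\Test-RIDPool.ps1, uses the post's sample domain "DC=Adatum,DC=COM", and requires the ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example: register Test-RIDPool as a weekly scheduled task.
$ScriptPath = 'C:\Scripts\Test-RIDPool.ps1'   # assumed location of the saved function
$DomainDN   = 'DC=Adatum,DC=COM'              # sample domain from the post's examples
$Command    = ". '$ScriptPath'; Test-RIDPool -DomainDN '$DomainDN' -Email"

# Dot-source the script, then call the function with -Email so the report is mailed.
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$Command`""

# Once a week, early Monday morning; run late if the host was off at that time and
# stop the task if it hangs, so a stuck SMTP session cannot pile up every week.
$Trigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6am
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Reading the RID Manager$ object needs only ordinary domain-user rights, so use a
# low-privilege account. Prompt for its password once instead of storing it in a script.
$Cred = Get-Credential -Message 'Account that will run the weekly RID pool check'

Register-ScheduledTask -TaskName 'Weekly RID Pool Check' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password
```

After registering, run `Start-ScheduledTask -TaskName 'Weekly RID Pool Check'` once and confirm the email arrives before relying on the weekly trigger.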