上节说到，到底RID在一个域内可以派多少个RID呢？ 230 或者 1,073,741,823 个RID，算一算，也很多啊，有上亿个啊。
“Every domain has a RID Master: a domain controller that hands each DC a pool of 500 RIDs at a time. A domain contains a single RID pool which generates roughly one billion SIDs (because of a 30-bit length, it's 230 or 1,073,741,823 RIDs). Once issued, RIDs are never reused. You can’t reclaim RIDs after you delete security principals either, as that would lead to unintended access to resources that contained previously issued SIDs”
Provisioning systems or admin scripts that accidentally bulk create users, groups, and computers.
Attempting to create enabled users that do not meet password requirements
DCs turned off longer than tombstone lifetime.
DC metadata cleaned.
The InvalidateRidPool operation.
Increasing the RID Block Size registry value.
假如运行了脚本，无限循环地创建用户、组或者计算机，会导致RID池的耗尽。所以，假如AD初学者要在生产环境使用创建用户、组或者计算机的脚本，AD管理员是留心哦，尤其是循环，类似i=1, i++ 等。
"The normal operations are out of your control and unlikely to cause problems even in the biggest environments. For example, even though Microsoft’s Redmond AD dates to 1999 and holds the vast majority of our resources, it has only consumed ~8 million RIDs - that's 0.7%. In contrast, some of the abnormal operations can lead to squandered RIDs or even deplete the pool altogether, forcing you to migrate to a new domain or recover your forest. "