Event ID - 16646

Event Id: 16646
Source: SAM
Description: The computed account identifier is not valid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool.
Event Information: According to Microsoft:
Cause :
This event is logged when the computed account identifier is not valid because it is out of the range of the current account-identifier pool belonging to this domain controller.
Resolution :
Invalidate the account identifier pool that is owned by the domain controller
The account identifier is not valid because it is out of the range of the current relative ID (RID) pool. To resolve this issue, you must invalidate the account identifier pool that is owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool. Perform the following procedure using the computer that is logging the event to be resolved.
To perform this procedure, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
To invalidate the local domain controller's RID pool:
  1. Click Start, click Run, type C:, and then press ENTER.
  2. Click File, click New, and then click Folder.
  3. Type RIDMgmt as the name for the new folder.
  4. Open the RIDMgmt folder.
  5. Click File, click New, and then click Text Document.
  6. Type iRIDPool as the file name of the new file.
  7. Copy the following code, and then paste it as the contents of the iRIDPool file.
    ' iRIDPool.vbs for invalidating the local domain controller RID Pool
    sub Usage
        wscript.echo "Script to invalidate the domain controller's RID pool."
        wscript.echo "Usage: cscript iRIDPool.vbs"
        wscript.quit -1
    end sub
    ' Get the command line arguments
    Set Args = Wscript.Arguments
    ' Validation and Usage
    if Args.Count > 0 then
        if Args(0) = "/?" or Args(0) = "-?" then
            wscript.echo "Help Requested"
            wscript.echo ""
            Usage
        end if
    end if
    Set oRootDSE = GetObject("LDAP://RootDSE")
    strNamingContext = oRootDSE.Get("defaultNamingContext")
    ' --- Define the attributes to be returned from the query ---
    strAttributes = "objectSid"
    '--- Set up the connection ---
    Set oConnection = CreateObject("ADODB.Connection")
    Set oCmd = CreateObject("ADODB.Command")
    oConnection.Provider = "ADsDSOObject"
    oConnection.Open "ADs Provider"
    Set oCmd.ActiveConnection = oConnection
    '--- Build the query string (search base is the default naming context) ---
    strADOQuery = "<LDAP://" + strNamingContext + ">;(objectClass=DomainDNS);" + strAttributes + ";subtree"
    oCmd.CommandText = strADOQuery
    oCmd.Properties("Page Size") = 1000
    '--- Execute the query for the domain object in the directory ---
    Set oRecordSet = oCmd.Execute
    ' Assume we find nothing
    SearchHit = 0
    While Not oRecordSet.EOF
        For Each oField In oRecordSet.Fields
            ' Remember not to print empty search warning
            SearchHit = 1
            ' Keep the domain SID; it is the value written to invalidateRidPool
            if (oField.Name = "objectSid") then
                DomainSID = oField.Value
            end if
        Next
        wscript.echo "Invalidating RID Pool..."
        oRootDSE.Put "invalidateRidPool", DomainSID
        oRootDSE.SetInfo
        wscript.echo "RID Pool Invalidated"
        oRecordSet.MoveNext
    Wend
    ' Warn of empty search if no hits
    if SearchHit <> 1 then
        wscript.echo "DomainSid not found on the DomainDNS object under " & strNamingContext & "!"
        wscript.quit 0
    end if
  8. Click File, and then click Save As.
  9. In Save as type, select All Files.
  10. In File name, type iRIDPool.vbs, and then click Save.
  11. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  12. At the command prompt, type cd /d c:\RIDMgmt, and then press ENTER.
  13. Type cscript iRIDPool.vbs, and then press ENTER. The script alerts when the RID Pool is invalidated.
  14. Log off the domain controller.
Note : Individual domain controllers maintain local RID pools that are obtained from a global pool on the RID operations master. By default, RID pools are obtained in increments of 500. When a RID pool is invalidated, all remaining unique RIDs in that pool are unusable, which consequently reduces the number of accounts that can be created in the domain. The maximum number of accounts that can exist in an Active Directory domain is approximately 2 billion.
Verify :
When the relative ID (RID) operations master successfully allocates a RID pool (a set of unique identification numbers) to a domain controller, the domain controller logs Event ID 16648 to Event Viewer. You can also use the dcdiag command to verify the RID master has properly assigned a RID pool to a domain controller.
To perform this procedure, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
To confirm a RID pool assignment to a domain controller:
  1. Open a Command Prompt as an administrator on a domain controller in the domain you want to check. To do so, click Start. In Start Search, type Command Prompt, then right click Command Prompt from the Start Menu and select Run as administrator.
  2. Run the command dcdiag /test:ridmanager /v /f:%userprofile%\desktop\DCname_RIDpool.txt /s:DCname and press ENTER; substitute the name of the domain controller you want to test for each DCname in the command. This creates diagnostic files on the Desktop of the current user named for each domain controller tested.
  3. Open the file with Notepad or another text editor. To open the file with Notepad you can type Notepad %userprofile%\desktop\DCname_RIDpool.txt and press ENTER. If you do not have a text editor installed, you can run the command type %userprofile%\Desktop\DCname_RIDpool.txt |more to view one screen of information at a time and use the SPACEBAR to advance one screen at a time through the file.
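Added example (not from the original article or from Microsoft): a Python check that can be run over the file saved in step 2 instead of reading it by eye. It extracts the pool ranges and rIDNextRID and flags the out-of-range condition that Event ID 16646 describes. The sample output is constructed, and its line format, the DC names and the function names are assumptions.

```python
import re

# Constructed sample of `dcdiag /test:ridmanager /v` output (not from the page).
# Assumption: the line format follows typical dcdiag verbose output.
SAMPLE = """\
      Starting test: RidManager
         * Available RID Pool for the Domain is 5100 to 1073741823
         * DC1.example.test is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4600 to 5099
         * rIDPreviousAllocationPool is 4600 to 5099
         * rIDNextRID: 4612
         ......................... DC1 passed test RidManager
"""

RANGE = re.compile(r"\*\s*(Available RID Pool for the Domain|rIDAllocationPool|"
                   r"rIDPreviousAllocationPool) is (\d+) to (\d+)")
NEXT = re.compile(r"\*\s*rIDNextRID:\s*(\d+)")
RESULT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test RidManager")

def parse_ridmanager(text):
    """Extract pool ranges, rIDNextRID and the test verdict from dcdiag text."""
    info = {}
    for line in text.splitlines():
        if m := RANGE.search(line):
            info[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := NEXT.search(line):
            info["rIDNextRID"] = int(m.group(1))
        elif m := RESULT.search(line):
            info["dc"], info["passed"] = m.group(1), m.group(2) == "passed"
    return info

def assess(info):
    """Return a list of findings; an empty list means the pool looks healthy."""
    findings = []
    if not info.get("passed"):
        findings.append("RidManager test did not pass")
    # Assumption: rIDPreviousAllocationPool is the pool currently in use,
    # so rIDNextRID is expected to fall inside it.
    pool, nxt = info.get("rIDPreviousAllocationPool"), info.get("rIDNextRID")
    if pool is None or nxt is None:
        findings.append("pool or rIDNextRID missing from output")
    elif not pool[0] <= nxt <= pool[1]:
        findings.append(f"rIDNextRID {nxt} outside pool {pool[0]}-{pool[1]}")
    return findings

def domain_rids_left(info):
    """RIDs the RID master can still hand out, per the 'Available' line."""
    low, high = info["Available RID Pool for the Domain"]
    return high - low + 1
```

To check a real report, pass the contents of the saved DCname_RIDpool.txt file to parse_ridmanager() and then to assess(); comparing domain_rids_left() before and after an invalidation shows how much of the global pool was consumed.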
Reference Links: Event ID 16646 from Source SAM
