This operation causes the DC to discard its current pool of RIDs, used for allocating security principals in the directory. The DC requests a fresh pool of RIDs from the DC that owns the RID Master FSMO, per the procedure documented in [MS-DRSR] section 4.1.10.5.3 (PerformExtendedOpRequestMsg, ulExtendedOp = EXOP_FSMO_REQ_RID_ALLOC). The LDAP operation returns success as soon as the RID pool has been invalidated; obtaining a fresh pool of RIDs from the DC that owns the RID Master FSMO is an asynchronous operation, so success does not mean the new pool has arrived yet.
The requester must have the "Change-RID-Master" control access right on the RID Manager object, which is the object referenced by the rIDManagerReference attribute located on the root of the domain NC. The requester must also have read permission on the previously mentioned rIDManagerReference attribute. This operation cannot be performed on an RODC; an RODC returns the error unwillingToPerform / ERROR_INVALID_PARAMETER.
The following shows an LDIF sample that performs this operation. LDIF requires that binary values, like the domain SID, be base-64 encoded.
dn:
changetype: modify
add: invalidateRidPool
invalidateRidPool:: base-64 encoding of the binary-format domain SID
-
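The following PowerShell script is an added example and is not part of [MS-ADTS] or of any Microsoft tool. It performs the same rootDSE modify as the LDIF above over System.DirectoryServices.Protocols, fetching the domain SID from the domain NC root instead of pasting it by hand, prints the equivalent LDIF (including the base-64 value), reads the rIDManagerReference the text says the caller needs read access to, and then polls the DC's RID Set for a changed rIDAllocationPool because the refill is asynchronous. The $Server parameter and the two helper function names are assumptions; the script must run as an account holding the Change-RID-Master control access right on the RID Manager object, against a writable DC (an RODC answers unwillingToPerform).

```powershell
# Added example, not from [MS-ADTS]: invalidate a DC's RID pool with a rootDSE
# modify and watch rIDAllocationPool for the (asynchronous) refill.
# Assumptions: domain-joined Windows host, caller holds Change-RID-Master,
# $Server (hypothetical) is a writable DC reachable on LDAP port 389.
param([string]$Server = $env:COMPUTERNAME)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.Signing = $true   # integrity-protect the bind and the modify
$conn.SessionOptions.Sealing = $true   # encrypt the session (the SID would otherwise go in clear)
$conn.Bind()

function Get-LdapEntry([string]$Dn, [string[]]$Attrs) {
    # Base-scope search for one entry; the caller needs read access to each attribute.
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Dn, '(objectClass=*)', $scope, $Attrs)
    $res = $conn.SendRequest($req)
    if ($res.Entries.Count -ne 1) { throw "no entry for '$Dn'" }
    return $res.Entries[0]
}

function Get-RidPool([string]$RidSetDn) {
    # rIDAllocationPool is a 64-bit value: low 32 bits = first RID, high 32 bits = last RID.
    $entry = Get-LdapEntry $RidSetDn @('rIDAllocationPool')
    $raw   = [int64]$entry.Attributes['rIDAllocationPool'][0]
    return [pscustomobject]@{ Start = ($raw -band 0xFFFFFFFF); End = ($raw -shr 32) }
}

$rootDse  = Get-LdapEntry '' @('defaultNamingContext', 'serverName')
$domainDn = $rootDse.Attributes['defaultNamingContext'][0]
$serverDn = $rootDse.Attributes['serverName'][0]

# Domain SID (binary) and the RID Manager object the access check is evaluated against.
$domain   = Get-LdapEntry $domainDn @('objectSid', 'rIDManagerReference')
$sidBytes = $domain.Attributes['objectSid'].GetValues([byte[]])[0]
$ridMgrDn = $domain.Attributes['rIDManagerReference'][0]   # read permission on this attribute is required
Write-Host "RID Manager object: $ridMgrDn"

# This DC's RID Set: server object -> computer object (serverReference) -> rIDSetReferences.
$computerDn = (Get-LdapEntry $serverDn @('serverReference')).Attributes['serverReference'][0]
$ridSetDn   = (Get-LdapEntry $computerDn @('rIDSetReferences')).Attributes['rIDSetReferences'][0]
$before     = if ($ridSetDn) { Get-RidPool $ridSetDn } else { $null }   # an RODC has no RID Set

# The LDIF form from the text: empty DN means rootDSE, '::' marks a base-64 value.
$ldif = @(
    'dn:'
    'changetype: modify'
    'add: invalidateRidPool'
    ('invalidateRidPool:: ' + [Convert]::ToBase64String($sidBytes))
    '-'
) -join "`n"
Write-Host $ldif

# The same modify sent as an LDAP ModifyRequest (add invalidateRidPool = domain SID bytes).
$mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mod.Name      = 'invalidateRidPool'
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
[void]$mod.Add($sidBytes)
try {
    [void]$conn.SendRequest((New-Object System.DirectoryServices.Protocols.ModifyRequest('', $mod)))
    Write-Host 'invalidateRidPool accepted: pool discarded; refill from the RID Master is asynchronous'
} catch {
    # An RODC refuses with unwillingToPerform; other failures carry their own LDAP result code.
    $resp = $_.Exception.Response
    if ($resp) { throw "invalidateRidPool rejected: $($resp.ResultCode) $($resp.ErrorMessage)" }
    throw
}

# Poll for the new pool; the window is a guess, a slow RID Master or replication may exceed it.
if ($before) {
    $after = $before
    for ($i = 0; $i -lt 12 -and $after.Start -eq $before.Start; $i++) {
        Start-Sleep -Seconds 5
        $after = Get-RidPool $ridSetDn
    }
    'rIDAllocationPool before: {0}-{1}  after: {2}-{3}' -f $before.Start, $before.End, $after.Start, $after.End
}
```

Run it as `.\Invalidate-RidPool.ps1 -Server DC01` (file and server names are placeholders). The printed LDIF can be fed to `ldifde -i` unchanged, which is useful when the change has to go through a change-control process that wants the exact operation on record; the ModifyRequest path is what the script actually executes. Signing and sealing are set explicitly because the modify carries the domain SID and the bind carries credentials, and a DC that enforces LDAP signing will otherwise reject the simple-bind fallback.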