Rowland Penny
2016-Sep-19 16:21 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 19 Sep 2016 11:57:38 -0400
Adam Tauno Williams via samba <samba at lists.samba.org> wrote:

> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
> > On Mon, 19 Sep 2016 10:42:34 -0400
> > Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
> > > On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote:
> > > > No it shouldn't be replicated, the big hint is
> > > > 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
> > > > holds the RID master FSMO role, so I suppose the question is,
> > > > what does 'samba-tool fsmo show' display for the
> > > > RidAllocationMasterRole ?
> > Log into a DC, run 'samba-tool fsmo show' and look at the line that
> > starts 'RidAllocationmasterRole'
> > It should show 'CN=NTDS Settings,CN=LARKIN27'
> [root@larkin28 ~]# samba-tool fsmo show
> ..
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> ...
>
> > > Try running this on the DC: ldbsearch
> > > -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
> > > rIDNextRID
> > It should show the DN's of your DCs followed by the contents
> > of the 'rIDNextRID' attributes. These should be '0' on all DC's
> > except the RID master.
>
> [root@larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 53611
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
>
> [root@larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 55584
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
>
> [root@larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 55584
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
>

OK, on the DC that holds the RID master role:

root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
# record 1
dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDNextRID: 0

# record 2
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDNextRID: 1152

and on my other DC:

root@member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
# record 1
dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com

# record 2
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com

So as far as I understand it, you should only have the 'rIDNextRID'
attribute on the DC that holds the RID master role. I suggest you run
'samba-tool dbcheck' on your DCs

Rowland
lingpanda101 at gmail.com
2016-Sep-19 16:52 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 9/19/2016 12:21 PM, Rowland Penny via samba wrote:
> OK, on the DC that holds the RID master role:
>
> root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 0
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 1152
>
> and on my other DC:
>
> root@member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> So as far as I understand it, you should only have the 'rIDNextRID'
> attribute on the DC that holds the RID master role. I suggest you run
> 'samba-tool dbcheck' on your DCs
>
> Rowland

Rowland, for reference I have a 'rIDNextRID:' attribute for each DC I query. I'm not having this person's issue, but do in fact have an attribute set for each DC. The command 'fsmo show' when run appears correct.

--
-James
lingpanda101 at gmail.com
2016-Sep-19 17:02 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 9/19/2016 12:21 PM, Rowland Penny via samba wrote:
> OK, on the DC that holds the RID master role:
>
> root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 0
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 1152
>
> and on my other DC:
>
> root@member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> So as far as I understand it, you should only have the 'rIDNextRID'
> attribute on the DC that holds the RID master role. I suggest you run
> 'samba-tool dbcheck' on your DCs
>
> Rowland

It appears after reading this link https://support.microsoft.com/en-us/kb/305475 that each DC is given a pool of RID's to use. I did not know this. Is Samba using this method as well? I do not know how to query the DB for rid pools to verify.

--
-James
Achim Gottinger
2016-Sep-19 17:08 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
> OK, on the DC that holds the RID master role:
>
> root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 0
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> rIDNextRID: 1152
>
> and on my other DC:
>
> root@member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> # record 2
> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>
> So as far as I understand it, you should only have the 'rIDNextRID'
> attribute on the DC that holds the RID master role. I suggest you run
> 'samba-tool dbcheck' on your DCs
>
> Rowland

On my 4.4.5 test environment I also get these results. On a production domain running server 4.2.13 I get the following results.

1. Server with fsmo rid master role: nextRid>0 for the server and nextRid=0 for all other servers.
2. Other servers: nextRid>0 for the (other) server. No nextRid attribute for the other server.

I have no issues on both environments atm.
Achim Gottinger
2016-Sep-19 17:19 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
> On my 4.4.5 test environment I also get these results. On a
> production domain running server 4.2.13 I get the following results.
> 1. Server with fsmo rid master role: nextRid>0 for the server and
> nextRid=0 for all other servers.
> 2. Other servers: nextRid>0 for the (other) server. No nextRid
> attribute for the other server.
> I have no issues on both environments atm.

After creating a user on my second and third DC in the 4.4.5 test environment, these also have an rIDNextRID attribute and behave like the 4.2.13 domain. On both environments the rIDNextRID is different on all DCs. So it behaves as described in the article James posted.
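On James's question of how to query the RID pools: an added example (not written by anyone in this thread and not Samba project code) that parses ldbsearch output for the rIDSet objects, decodes each DC's pool and checks the local rIDNextRID against it. It assumes the Active Directory encoding of pool values (low 32 bits are the first RID, high 32 bits the last), that rIDNextRID is drawn from rIDPreviousAllocationPool, and it uses the attributes rIDAllocationPool and rIDPreviousAllocationPool, which the thread does not mention; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample (names and values invented): what DC1 might print for
#   ldbsearch -H sam.ldb '(objectClass=rIDSet)' dn rIDAllocationPool \
#       rIDPreviousAllocationPool rIDNextRID
SAMPLE_FROM_DC1 = """\
# record 1
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDAllocationPool: 6867652707404
rIDPreviousAllocationPool: 6867652707404
rIDNextRID: 1152

# record 2
dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samdom,DC=exam
 ple,DC=com
rIDAllocationPool: 9015136355904
"""

def parse_records(text):
    """Parse ldbsearch LDIF output into a list of {attribute: value} dicts."""
    records, current, last = [], None, None
    for line in text.splitlines():
        if line.startswith(" "):               # LDIF folded continuation line
            if current is not None and last:
                current[last] += line[1:]
            continue
        attr, sep, value = line.partition(": ")
        if not sep or line.startswith("#") or attr == "ref":
            last = None                        # blank line, comment or referral
            continue
        if attr == "dn":
            records.append(current := {})
        if current is not None:
            current[attr] = value
            last = attr
    return records

def pool(rec, attr):
    """Decode a 64-bit pool value into (first_rid, last_rid); None if absent."""
    return (int(rec[attr]) & 0xFFFFFFFF, int(rec[attr]) >> 32) if attr in rec else None

def audit_rid_sets(text, local_dc):
    """Summarise each rIDSet entry as seen in local_dc's copy of sam.ldb."""
    report = {}
    for rec in parse_records(text):
        match = re.match(r"CN=RID Set,CN=([^,]+),", rec["dn"], re.I)
        name = match.group(1).upper() if match else rec["dn"]
        alloc, prev = pool(rec, "rIDAllocationPool"), pool(rec, "rIDPreviousAllocationPool")
        next_rid = int(rec.get("rIDNextRID", 0))
        if name != local_dc.upper():
            status = "remote"          # its counter lives in that DC's own sam.ldb
        elif not next_rid or prev is None:
            status = "unused"          # this DC has not handed out a RID yet
        elif prev[0] <= next_rid <= prev[1]:
            status = "ok"
        else:
            status = "out-of-range"    # counter is outside the pool in use
        report[name] = {"alloc": alloc, "prev": prev, "next": next_rid, "status": status}
    return report

def overlapping_pools(report):
    """Adjacent DC pairs whose allocation pools share RIDs (duplicate SID risk)."""
    pools = sorted((info["alloc"], dc) for dc, info in report.items() if info["alloc"])
    return [(a_dc, b_dc) for (a, a_dc), (b, b_dc) in zip(pools, pools[1:]) if b[0] <= a[1]]

if __name__ == "__main__":
    result = audit_rid_sets(SAMPLE_FROM_DC1, "DC1")
    print(result, "overlaps:", overlapping_pools(result))
```

Run the ldbsearch query on each DC in turn and pass that DC's own name as `local_dc`, since the counter is only meaningful in the database of the DC that owns it.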