On 17/05/16 12:11, ash-samba at comtek.co.uk wrote:
>
>> G'Day,
>>
>> This is a serious situation. What it means is that the nextRid value
>> for that DC points at a user account that already exists, so when we
>> go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn:
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc

Same here.

> The most recent successful new user (that I'm aware of) is objectSid:
> S-1-5-21-2702589905-558746101-3641499263-2825
>
> I can't see any objectSid entries which end in 1000 though. The lowest
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
>> That, and the other issue, suggests you have had some serious DB
>> corruption, and this may not be the only issue. Does a full dbcheck
>> pass? (Not just the reindex).
> dbcheck works on empire.
>> Is there another DC that still works, that you can replicate from?
>> (but you suggested other issues I think).
>
> We can successfully "/usr/bin/samba-tool user add" with alaska (a
> machine located on another continent, with a quite unreliable link!),
> and that gives us an account with
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
> empire, so there is clearly some amount of working replication.
> Confusingly, after doing this nextRid is still 1000 on both machines.

This could be because you are looking at the wrong attribute in the
wrong place.
Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain
Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute
'rIDNextRID' it contains.

Rowland

> Creating a new local DC (and decommissioning empire) would be a good
> solution for us. I can add a new DC (v-ward) by specifying
> --server=alaska.chester-dc, and I get no errors in the process. The
> samba process on v-ward isn't working, though. I'm still trying to
> debug this (currently it isn't even listening to port 389).
>
>> We can successfully "/usr/bin/samba-tool user add" with alaska (a
>> machine located on another continent, with a quite unreliable link!),
>> and that gives us an account with
>> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
>> empire, so there is clearly some amount of working replication.
>> Confusingly, after doing this nextRid is still 1000 on both machines.
>
> This could be because you are looking at the wrong attribute in the
> wrong place.
> Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain
> Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute
> 'rIDNextRID' it contains.

Interesting.

If, on Alaska, I do: ldbedit -H ldap://localhost -U ash

> # record 122
> dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> objectClass: top
> objectClass: rIDSet
> cn: RID Set
> instanceType: 4
> whenCreated: 20141223180132.0Z
> whenChanged: 20141223180132.0Z
> uSNCreated: 12146
> uSNChanged: 12146
> showInAdvancedViewOnly: TRUE
> name: RID Set
> objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> rIDAllocationPool: 7100-7599
> rIDUsedPool: 0
> objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com
> rIDPreviousAllocationPool: 7100-7599
> rIDNextRID: 7126
> distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com

on empire, the same command shows

> # record 122
> dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> objectClass: top
> objectClass: rIDSet
> cn: RID Set
> instanceType: 4
> whenCreated: 20141223180132.0Z
> whenChanged: 20141223180132.0Z
> uSNCreated: 39967
> uSNChanged: 39967
> showInAdvancedViewOnly: TRUE
> name: RID Set
> objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> rIDAllocationPool: 7100-7599
> rIDPreviousAllocationPool: 0-0
> rIDUsedPool: 0
> rIDNextRID: 0
> objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com
> distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com

The interesting thing is that alaska has got no other RID Set entries.
empire has a RID Set for each of empire, alaska, hawaii, v-ward (though
the value for rIDNextRID is 0 for each except for the empire entry
itself, which is 2828). Is this normal?

The rIDNextRID 2828 does collide with the SID entry for dn:
CN=DEEL059,CN=Computers,DC=chester-dc,DC=example,DC=com
On 17/05/16 14:14, ash-samba at comtek.co.uk wrote:
>
>>> We can successfully "/usr/bin/samba-tool user add" with alaska (a
>>> machine located on another continent, with a quite unreliable
>>> link!), and that gives us an account with
>>> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
>>> empire, so there is clearly some amount of working replication.
>>> Confusingly, after doing this nextRid is still 1000 on both machines.
>>
>> This could be because you are looking at the wrong attribute in the
>> wrong place.
>> Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain
>> Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute
>> 'rIDNextRID' it contains.
>
> Interesting.
>
> If, on Alaska, I do: ldbedit -H ldap://localhost -U ash
>
> > # record 122
> > dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> > objectClass: top
> > objectClass: rIDSet
> > cn: RID Set
> > instanceType: 4
> > whenCreated: 20141223180132.0Z
> > whenChanged: 20141223180132.0Z
> > uSNCreated: 12146
> > uSNChanged: 12146
> > showInAdvancedViewOnly: TRUE
> > name: RID Set
> > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> > rIDAllocationPool: 7100-7599
> > rIDUsedPool: 0
> > objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com
> > rIDPreviousAllocationPool: 7100-7599
> > rIDNextRID: 7126
> > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
>
> on empire, the same command shows
>
> > # record 122
> > dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> > objectClass: top
> > objectClass: rIDSet
> > cn: RID Set
> > instanceType: 4
> > whenCreated: 20141223180132.0Z
> > whenChanged: 20141223180132.0Z
> > uSNCreated: 39967
> > uSNChanged: 39967
> > showInAdvancedViewOnly: TRUE
> > name: RID Set
> > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> > rIDAllocationPool: 7100-7599
> > rIDPreviousAllocationPool: 0-0
> > rIDUsedPool: 0
> > rIDNextRID: 0
> > objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com
> > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
>
> The interesting thing is that alaska has got no other RID Set entries.
> empire has a RID Set for each of empire, alaska, hawaii, v-ward
> (though the value for rIDNextRID is 0 for each except for the empire
> entry itself, which is 2828). Is this normal?
>
> The rIDNextRID 2828 does collide with the SID entry for dn:
> CN=DEEL059,CN=Computers,DC=chester-dc,DC=example,DC=com
>

OK, I just checked on my test domain, DC1 has 'CN=RID Set' for both DCs,
but only shows 'rIDNextRID: 0' for DC2. DC2 only has its own 'CN=RID Set'
and shows rIDNextRID: 1605.

It looks like this part of your AD is correct.

A quick check reveals that 'rIDNextRID' is one of Microsoft's famous
mis-named attributes; it should really have been 'rIDLastRIDused' and is a
non-replicating attribute.

Rowland
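As an added example (not part of the thread or of Samba), a small Python check that parses 'CN=RID Set' records in the form ldbedit prints them above and reports whether the RID a DC would hand out next already exists as an objectSid, which is the failure the thread describes. The ALASKA record is trimmed from the output pasted above; the EMPIRE record's pool range and the list of existing SIDs are constructed from the thread's description, not taken from a live domain.

```python
from typing import Dict, List

# Constructed samples: the ALASKA record is trimmed from the ldbedit output in
# the thread; the EMPIRE record is built from the thread's description (the
# empire entry has rIDNextRID 2828) with a made-up pool, which the page does not show.
ALASKA_RID_SET = """\
dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
rIDAllocationPool: 7100-7599
rIDUsedPool: 0
rIDNextRID: 7126
"""
EMPIRE_RID_SET = """\
dn: CN=RID Set,CN=EMPIRE,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
rIDAllocationPool: 2600-3099
rIDUsedPool: 0
rIDNextRID: 2828
"""
# Constructed list of existing objectSid values: the RIDs named in the thread
# (1101, 2825, 2828 for the DEEL059 computer, 7125 for the user added via alaska).
DOMAIN_SID = "S-1-5-21-2702589905-558746101-3641499263"
EXISTING_SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (1101, 2825, 2828, 7125)]


def parse_record(ldif: str) -> Dict[str, str]:
    """Turn the 'attr: value' lines of one ldb record into a dict (comments skipped)."""
    attrs: Dict[str, str] = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def check_rid_set(ldif: str, existing_sids: List[str], domain_sid: str) -> Dict[str, object]:
    """Report whether this DC's next RID allocation would collide with an existing SID."""
    attrs = parse_record(ldif)
    lo, hi = (int(x) for x in attrs["rIDAllocationPool"].split("-"))  # shown as 'lo-hi'
    last = int(attrs["rIDNextRID"])
    prefix = domain_sid + "-"
    used = {int(s[len(prefix):]) for s in existing_sids if s.startswith(prefix)}
    # Rowland reads rIDNextRID as the last RID handed out (next = last + 1); ash reads
    # it as the next RID itself. Check both values so either reading is covered.
    candidates = [last, last + 1]
    return {
        "dc": attrs["dn"].split(",")[1][len("CN="):],
        "in_pool": all(lo <= c <= hi for c in candidates),
        "collisions": sorted(c for c in candidates if c in used),
        "pool_remaining": hi - last if last >= lo else hi - lo + 1,
    }
```

Feeding each DC's own RID Set record and a dump of the domain's objectSid values into `check_rid_set` shows which DC is about to reuse a RID; on the thread's figures empire's 2828 collides while alaska's 7126/7127 do not.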