samba - Jun 2021 - steady increase of objects reported by dbcheck in my test samdom

On 31/05/2021 19:13, mj via samba wrote:
> Hi,
>
> In my samdom test AD, I am observing a constant increase of objects 
> reported by dbcheck.
>
> As an example: During the last hour, the number of objects has 
> increased from 2646 to 2660, in small steps. This test samdom is just 
> three DCs with no actual clients accessing or using it. One samba DC, 
> one win2008R2 DC and one win2012R2 DC.

Deleted objects ??
>
> samba-tool dbcheck [--cross-ncs] reports no errors, it replicates 
> fine, there are no offline DCs, etc. Nothing seems to be wrong, just 
> the number of objects increases.
>
> I am curious what the added objects are: is there a way to find this out?
>
> I'm looking for something like slapcat of the entire AD to an ldif, so 
> I can compare these LDIFs and identify the changes between them.

Run on the Samba DC: ldbsearch --cross-ncs --show-binary -H $(samba -b | 
grep 'PRIVATE_DIR' | sed 's/?? PRIVATE_DIR: //')/sam.ldb -P >
AD.ldif

This will dump the entire AD into an ldif

You can probably do something similar against the Windows DC's by 
replacing the '$(samba -b | grep 'PRIVATE_DIR' | sed 's/
PRIVATE_DIR:
//')/sam.ldb' with 'ldap://DC_NAME' , where 'DC_NAME' is
the DC's
hostname, and replace '-P' with '-U Administrator'. You will
also need
to change the ldif file name.
>
> Ideas? And also on what could cause the number of objects to grow?

Hard to tell, deleted objects, or collisions, or tombstones ???

Rowland

Hi Rowland,

On 5/31/21 8:36 PM, Rowland penny via samba wrote:
> 
> Run on the Samba DC: ldbsearch --cross-ncs --show-binary -H $(samba -b | 
> grep 'PRIVATE_DIR' | sed 's/?? PRIVATE_DIR: //')/sam.ldb -P
> AD.ldif
> 
> This will dump the entire AD into an ldif
Thank you! Will try it!

MJ

Hi,

I left out --cross-ncs to create the LDIF, as the increase of objects is 
also reported without --cross-ncs. (trying keep it simple)

Here is a diff of 2843 -> 2844 objects:
>>                                   >    dn:
CN=SAMDOM-WIN2012-,CN=Topology,CN=Domain System Volume,CN
>>                                   >    objectClass: top
>>                                   >    objectClass: msDFSR-Member
>>                                   >    cn: SAMDOM-WIN2012-
>>                                   >    instanceType: 4
>>                                   >    whenCreated:
20210601175003.0Z
>>                                   >    uSNCreated: 13556
>>                                   >    showInAdvancedViewOnly: TRUE
>>                                   >    name: SAMDOM-WIN2012-
>>                                   >    objectGUID:
38fc7430-1e69-415e-aa8b-0d31ac581165
>>                                   >    objectCategory:
CN=ms-DFSR-Member,CN=Schema,CN=Configuration,
>>                                   >    serverReference: CN=NTDS
Settings,CN=SAMDOM-WIN2012-,CN=Serve
>>                                   >    whenChanged:
20210601085134.0Z
>>                                   >    msDFSR-ComputerReference:
CN=SAMDOM-WIN2012-,OU=Domain Contro
>>                                   >    uSNChanged: 13558
>>                                   >    distinguishedName:
CN=SAMDOM-WIN2012-,CN=Topology,CN=Domain S
>>                                   >
>>                                   >    # record 363
>>                     highest_usn              : 0x000000000000 |        
highest_usn              : 0x000000000000
>>                     highest_usn              : 0x000000000000 |        
highest_usn              : 0x000000000000
>>             last_success             : Tue Jun  1 10:41:35 20 |        
last_success             : Tue Jun  1 10:51:34 20
>>             last_attempt             : Tue Jun  1 10:41:35 20 |        
last_attempt             : Tue Jun  1 10:51:34 20
>>                 tmp_highest_usn          : 0x000000000000fdfc |        
tmp_highest_usn          : 0x000000000000fe21
>>                 highest_usn              : 0x000000000000fdfc |        
highest_usn              : 0x000000000000fe21
>>             last_success             : Tue Jun  1 10:41:35 20 |        
last_success             : Tue Jun  1 10:51:34 20
>>             last_attempt             : Tue Jun  1 10:41:35 20 |        
last_attempt             : Tue Jun  1 10:51:34 20
>>                 tmp_highest_usn          : 0x000000000000c213 |        
tmp_highest_usn          : 0x000000000000c28a
>>                 highest_usn              : 0x000000000000c213 |        
highest_usn              : 0x000000000000c28a
>>             last_success             : Tue Jun  1 10:41:39 20 |        
last_success             : Tue Jun  1 10:51:35 20
>>             last_attempt             : Tue Jun  1 10:41:39 20 |        
last_attempt             : Tue Jun  1 10:51:35 20
>>                                   <
>> # record 1771                              <
>> dn: CN=SAMDOM-WIN2012-,CN=Topology,CN=Domain System Volume,CN <
>> objectClass: top                          <
>> objectClass: msDFSR-Member                      <
>> cn: SAMDOM-WIN2012-                          <
>> instanceType: 4                              <
>> whenCreated: 20210601174011.0Z                      <
>> uSNCreated: 13548                          <
>> showInAdvancedViewOnly: TRUE                      <
>> name: SAMDOM-WIN2012-                          <
>> objectGUID: 5e76b78a-48a1-42a9-824b-e22c35e8bac9          <
>> objectCategory: CN=ms-DFSR-Member,CN=Schema,CN=Configuration, <
>> serverReference: CN=NTDS Settings,CN=SAMDOM-WIN2012-,CN=Serve <
>> whenChanged: 20210601084135.0Z                      <
>> msDFSR-ComputerReference: CN=SAMDOM-WIN2012-,OU=Domain Contro <
>> uSNChanged: 13550                          <
>> distinguishedName: CN=SAMDOM-WIN2012-,CN=Topology,CN=Domain S <
It seems to be about the same server SAMDOM-WIN2012-, that is getting a 
new objectGUID in the in CN=Topology.

Can anyone explain what we are seeing? And why is it causing dbcheck 
objects to increase? It seems more like an update..? (the objectGUID is 
replaced, and the old objectGUID is gone in the newer dump)

I hope formatting above will survive...

MJ