samba - Aug 2023 - Get id mapping for builtin users and groups on AD DC

Hi folks,

I have got two DCs and I want to check that the builtin ids are equal on 
both DCs. I have searched extensively, but I have not found what tool to 
use to get this information.

I do not use winbindd on the DCs.

I would be very grateful, if somebody could give me information about this.

Best regards,

Peter

On Sat, 19 Aug 2023 18:22:32 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
> 
> I have got two DCs and I want to check that the builtin ids are equal
> on both DCs. I have searched extensively, but I have not found what
> tool to use to get this information.
I take it by 'builtin ids' you mean the users and groups stored in
idmap.ldb, if not can you explain further.
> 
> I do not use winbindd on the DCs.
I hope you mean that you are not setting 'winbind'
in /etc/nsswitch.conf and getent doesn't show your AD users.
> 
> I would be very grateful, if somebody could give me information about
> this.
> 
> Best regards,
> 
> Peter
> 
> 
If you are referring to idmap.ldb, then this is an ID allocating
system and works on a 'first come basis'. This means that when a user
or group contacts idmap.ldb it gets the next available ID on that DC,
as users or groups are unlikely to contact in exactly the same
order on other DCs, they will get different IDs. This means that you
need to sync idmap.ldb between DCs, usually from the DC that holds the
PDC_Emulator FSMO role to all other DCs.

Rowland