On Fri, 9 Jun 2023 00:47:07 +0300
Andrey Repin via samba <samba at lists.samba.org> wrote:

> Greetings, Rowland Penny via samba!
>
> > On 08/06/2023 13:53, Andrey Repin via samba wrote:
> >> Hello Rowland Penny,
> >>
> >> Thursday, June 8, 2023, 2:10:39 PM, you wrote:
> >>
> >>> On 08/06/2023 11:41, Andrey Repin via samba wrote:
> >>>> Greetings, All!
> >>>>
> >>>> I've added a new DC to the working AD, transferred FSMO roles
> >>>> (checked, all 7 are ok') and (supposedly) correctly demoted the
> >>>> old DC.
> >>>>
> >>>> SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
> >>>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
> >>>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Si
> >>>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sit
> >>>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sit
> >>>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
> >>>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
> >>>>
> >>>> Now, I'm unable to connect to the domain using RSAT - the error
> >>>> is "RPC server unavailable".
> >>>>
> >>>> Tried to forcefully remove old DC from the new one, just to be
> >>>> sure. It did some additional cleanup, judging by the wall of
> >>>> debug messages, but that did not help in the slightest.
> >>>> Googled a bug https://bugzilla.samba.org/show_bug.cgi?id=12534
> >>>> and manually removed the last DNS record.
> >>>> Now the DNS check reporting only new DC, but it is still not
> >>>> working like it should.
> >>>>
> >>>> So far, I've made these checks:
> >>>>
> >>>> I can impersonate domain users and login with SSH using domain
> >>>> users on domain members, even new logins with homedir creation,
> >>>> but...
> >>>>
> >>>> Domain users/groups listing works partially.
> >>>>
> >>>> One member:
> >>>> groups: cannot find name for group ID 10008
> >>>> groups: cannot find name for group ID 10009
> >>>> groups: cannot find name for group ID 10010
> >>>> # getent group | grep -P "1\\d{4}"
> >>>> domain sudoers:x:10006:
> >>>> domain admins:x:10000:
> >>>> domain users:x:10001:
> >>>> cvs:x:10005:
> >>>>
> >>>> Another member:
> >>>> # getent group | grep -P "1\\d{4}"
> >>>> domain computers:x:10003:
> >>>> domain sudoers:x:10006:
> >>>> domain admins:x:10000:
> >>>> domain guests:x:10002:
> >>>> cloud admins:x:10010:
> >>>> domain users:x:10001:
> >>>> remote users:x:10009:
> >>>> cloud users:x:10008:
> >>>> git admins:x:10007:
> >>>> cvs:x:10005:
> >>>>
> >>>> Even wbinfo lists groups/users incorrectly on different
> >>>> machines.
> >>>>
> >>>> anrdaemon@pubserver64:xterm:~
> >>>> $ wbinfo -g | wc -l
> >>>> 20
> >>>> anrdaemon@hosting64:xterm:~
> >>>> $ wbinfo -g | wc -l
> >>>> 18
> >>>>
> >>>> anrdaemon@daemon1:screen&0:~
> >>>> $ wbinfo -u | wc -l
> >>>> 12
> >>>> anrdaemon@hosting64:xterm:~
> >>>> $ wbinfo -u | wc -l
> >>>> 11
> >>>>
> >>>> Domain authorization works... not.
> >>>>
> >>>> anrdaemon@hosting64:xterm:~
> >>>> $ sudo -iH
> >>>> [sudo] password for anrdaemon:
> >>>> Sorry, try again.
> >>>> sudo: 1 incorrect password attempt
> >>>>
> >>>> anrdaemon@pubserver64:xterm:~
> >>>> $ sudo -iH
> >>>> [sudo] password for anrdaemon:
> >>>> Domain Controller unreachable, using cached credentials instead.
> >>>> Network resources may be unavailable
> >>>>
> >>>> At the same time LDAP works like a charm and top-level tests
> >>>> pass
> >>>>
> >>>> # net ads testjoin
> >>>> Join is OK
> >>>>
> >>>> # net ads info
> >>>> LDAP server: 192.168.1.19
> >>>> LDAP server name: dc2.ads.darkdragon.lan
> >>>> Realm: ADS.DARKDRAGON.LAN
> >>>> Bind Path: dc=ADS,dc=DARKDRAGON,dc=LAN
> >>>> LDAP port: 389
> >>>> Server time: ??, 07 ??? 2023 18:03:26 MSK
> >>>> KDC server: 192.168.1.19
> >>>> Server time offset: 0
> >>>>
> >>>> But...
> >>>>
> >>>> # wbinfo -t
> >>>> checking the trust secret for domain DARKDRAGON via RPC calls failed
> >>>> wbcCheckTrustCredentials(DARKDRAGON): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> >>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> >>>> Could not check secret
> >>>>
> >>>> And DC log is spammed with messages like
> >>>>
> >>>> : [2023/05/07 18:05:49.693988, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_toke>
> >>>> : Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to>
> >>>> : [2023/05/07 18:05:49.694080, 0] ../../libcli/security/security_token.c:56(security_token_debug)
> >>>> : Security token SIDs (8):
> >>>> : SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
> >>>> : SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
> >>>> : SID[ 2]: S-1-1-0
> >>>> : SID[ 3]: S-1-5-2
> >>>> : SID[ 4]: S-1-5-11
> >>>> : SID[ 5]: S-1-5-64-10
> >>>> : SID[ 6]: S-1-5-32-554
> >>>> : SID[ 7]: S-1-5-32-545
> >>>> : Privileges (0x 800000):
> >>>> : Privilege[ 0]: SeChangeNotifyPrivilege
> >>>> : Rights (0x 400):
> >>>> : Right[ 0]: SeRemoteInteractiveLogonRight
> >>>>
> >>>> DC smb.conf attached, if needed.
> >>>
> >>> No it wasn't, this list strips attachments.
> >>
> >> Good for a list, I suppose, but bad for people using it.
> >>
> >>>> I have a full offline backup of both DC's prior to transfer
> >>>> and already tried to redo the process, but to the same effect.
> >>>>
> >>>> So, what can I do now?
> >>>>
> >>>> ----------
> >>>>
> >>>> Update since the original message failed to be delivered to the
> >>>> list, and a month passed already:
> >>>> Now, even DC is unable to confirm its connection to the domain.
> >>>>
> >>>> (DC2)root@dc2:screen:~
> >>>> # net ads testjoin
> >>>> kerberos_kinit_password DARKDRAGON@ADS.DARKDRAGON.LAN failed: Client not found in Kerberos database
> >>>> Join to domain is not valid: The name provided is not a properly formed account name.
> >>>>
> >>>> The question remains the same: what can I do now? Short of
> >>>> restarting the entire domain.
> >>>> What checks can I run to see where the culprit is, and how I can
> >>>> cure it?
> >>>
> >>> Can we please see the smb.conf from a DC and from a Unix domain
> >>> member.
> >>
> >> DC:
> >>
> >> # Global parameters
> >> [global]
> >>     auto services = homes
> >>     client ldap sasl wrapping = sign
> >>     dns forwarder = 192.168.1.12
> >>     dos charset = CP866
> >>     logging = systemd
> >>     log level = 1
> >>     netbios name = DC2
> >>     panic action = /usr/share/samba/panic-action %d
> >>     printcap name = /dev/null
> >>     realm = ADS.DARKDRAGON.LAN
> >>     server role = active directory domain controller
> >>     template homedir = /home/%U
> >>     template shell = /bin/bash
> >>     tls enabled = Yes
> >>     tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
> >>     winbind enum groups = Yes
> >>     winbind enum users = Yes
> >>     winbind nss info = rfc2307
> >>     winbind offline logon = Yes
> >>     winbind refresh tickets = Yes
> >>     winbind use default domain = Yes
> >>     workgroup = DARKDRAGON
> >>     idmap config darkdragon : unix_nss_info = yes
> >>     idmap config darkdragon : unix_primary_group = yes
> >>     idmap config darkdragon : range = 2048-131071
> >>     idmap config darkdragon : schema_mode = rfc2307
> >>     idmap config darkdragon : backend = ad
> >>     idmap config * : range = 1024-2047
> >>     idmap config * : schema_mode = rfc2307
> >>     idmap config * : backend = tdb
> >>     idmap_ldb : use rfc2307 = Yes
> >>     map acl inherit = Yes
> >>     store dos attributes = Yes
> >>     vfs objects = dfs_samba4 acl_xattr
> >>
> >> [netlogon]
> >>     comment = Network Logon Service
> >>     csc policy = disable
> >>     path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
> >>     read only = No
> >>
> >> [sysvol]
> >>     comment = Domain System Volume
> >>     csc policy = disable
> >>     path = /var/lib/samba/sysvol
> >>     read only = No
> >>
> >> Member server:
> >>
> >> # Global parameters
> >> [global]
> >>     dos charset = CP866
> >>     workgroup = DARKDRAGON
> >>     realm = ADS.DARKDRAGON.LAN
> >>     netbios name = DAEMON1
> >>     interfaces = lo mac0
> >>     bind interfaces only = Yes
> >>     security = ADS
> >>     dedicated keytab file = /etc/krb5.keytab
> >>     kerberos method = secrets and keytab
> >>     log level = 1
> >>     server min protocol = NT1
> >>     min protocol = NT1
> >>     client min protocol = NT1
> >>     client ldap sasl wrapping = sign
> >>     printcap name = /dev/null
> >>     preferred master = Yes
> >>     local master = Yes
> >>     domain master = Yes
> >>     browse list = Yes
> >>     wins server = 127.0.0.1
> >>     wins support = Yes
> >>     preload = homes
> >>     auto services = homes
> >>     panic action = /usr/share/samba/panic-action %d
> >>     winbind enum users = Yes
> >>     winbind enum groups = Yes
> >>     winbind use default domain = Yes
> >>     winbind nss info = rfc2307
> >>     winbind refresh tickets = Yes
> >>     winbind offline logon = Yes
> >>     client ipc min protocol = NT1
> >>     idmap config darkdragon : unix_nss_info = yes
> >>     idmap config darkdragon : unix_primary_group = yes
> >>     idmap config darkdragon : range = 2048-131071
> >>     idmap config darkdragon : schema_mode = rfc2307
> >>     idmap config darkdragon : backend = ad
> >>     idmap config * : range = 1024-2047
> >>     idmap config * : backend = tdb
> >>     map acl inherit = Yes
> >>     store dos attributes = Yes
> >>     vfs objects = acl_xattr
> >>
> >> [netlogon]
> >>     comment = Network Logon Service
> >>     path = /home/.samba/netlogon
> >>     read only = No
> >>     csc policy = disable
> >>
> >> [homes]
> >>     comment = Home Directory
> >>     path = /home/%S
> >>     valid users = %S
> >>     read only = No
> >>     browseable = No
> >>     csc policy = disable
> >>     follow symlinks = No
> >>
> >> [printers]
> >>     comment = All Printers
> >>     path = /var/spool/samba
> >>     printable = Yes
> >>     browseable = No
> >>     csc policy = disable
> >>
> >> [print$]
> >>     comment = Printer Drivers
> >>     path = /var/lib/samba/printers
> >>
> >> [arc]
> >>     comment = Software archive
> >>     path = /srv/arc
> >>     read only = No
> >>     browseable = No
> >>     csc policy = disable
> >
> > OK, you have these lines on the DC:
> >
> >     winbind nss info = rfc2307
> >     winbind use default domain = Yes
> >     idmap config darkdragon : unix_nss_info = yes
> >     idmap config darkdragon : unix_primary_group = yes
> >     idmap config darkdragon : range = 2048-131071
> >     idmap config darkdragon : schema_mode = rfc2307
> >     idmap config darkdragon : backend = ad
> >     idmap config * : range = 1024-2047
> >     idmap config * : schema_mode = rfc2307
> >     idmap config * : backend = tdb
> >
> > Why ? They do nothing on a DC.
> >
> > Why do you have 'auto services = homes' without actually having a
> > 'homes' share ?
> >
> > Turning to the Unix domain member, why are you using SMBv1 aka
> > 'NT1', the DC isn't
>
> Because DC1 used it. Consider it a legacy. Why would Win7 (RSAT) do
> not connect? THAT is the main question.
>
> > Why do you have a netlogon share on the Unix domain member ?
>
> An oversight, I presume. (it's the baremetal host, on which I ran some
> experiments in the past)
>
> > Why are you using Wins ? AD does not use Wins, it uses DNS.
>
> I tried to normalize network discovery. It's VERY slow ATM. Minutes
> to get a list of hosts in a workgroup.
>
> > Why do you have this line: 'idmap config * : schema_mode = rfc2307'
>
> Why not?
>
> > Finally, you have the 'winbind enum' lines set to yes on both
> > machines,
>
> I tried to normalize network discovery. See above.
>
> > this should only be done for testing purposes, Samba will quite
> > correctly without the lines.
>
> If these settings are irrelevant for their respective placement, you
> could have just stated that instead of an extensive questioning.
> I appreciate your attention, though. I'll meditate on these settings
> again, once the system is up and running.
>
> > When you created your new DC, did you sync Sysvol and idmap.ldb
> > from the existing DC ?
>
> Shouldn't that be done naturally when DC joined the domain/when roles
> were claimed? Sysvol is nearly empty though. I did not go far enough
> to create any custom rules for this domain. Yet.
> Also, why this is not mentioned on the wiki?
>

OK, I give in, why have 4 emails from Andrey Repin, that were
apparently sent in May & June of this year, just appeared in my mail
client ?

Rowland
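
The configuration questions quoted in the message above can be turned into a repeatable check. This is an added example, not part of the original thread and not a Samba tool; the rule names, `DC_NOOP`, and the two sample configs (abridged from the smb.conf files posted above) are assumptions made for illustration.

```python
# Added example: lint smb.conf text against the review points quoted above.
# Rule ids and helper names are hypothetical, not Samba terminology.
LEGACY_PROTOCOLS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
DC_NOOP = {"winbind nss info", "winbind use default domain"}
TRUE = {"yes", "true", "1"}

# Constructed samples, abridged from the two configs posted in the thread.
DC_CONF = """
[global]
    auto services = homes
    server role = active directory domain controller
    winbind enum groups = Yes
    winbind nss info = rfc2307
    idmap config darkdragon : backend = ad
    idmap config * : backend = tdb
[netlogon]
    path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
"""
MEMBER_CONF = """
[global]
    security = ADS
    client min protocol = NT1
    wins server = 127.0.0.1
    wins support = Yes
    auto services = homes
    winbind enum users = Yes
[netlogon]
    path = /home/.samba/netlogon
[homes]
    path = /home/%S
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(text):
    """Return a sorted list of (rule_id, parameter_or_share) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    is_dc = glob.get("server role", "").lower() == "active directory domain controller"
    findings = set()
    for key, value in glob.items():
        val = value.lower()
        if key.endswith("min protocol") and val in LEGACY_PROTOCOLS:
            findings.add(("smb1-allowed", key))           # "why are you using SMBv1"
        if key in ("winbind enum users", "winbind enum groups") and val in TRUE:
            findings.add(("enum-testing-only", key))      # "only ... for testing purposes"
        if key == "wins server" or (key == "wins support" and val in TRUE):
            findings.add(("wins-in-ad", key))             # "AD does not use Wins"
        if is_dc and (key.startswith("idmap config") or key in DC_NOOP):
            findings.add(("no-effect-on-dc", key))        # "They do nothing on a DC"
        if key in ("auto services", "preload") and "homes" in val.split() \
                and "homes" not in conf:
            findings.add(("homes-share-missing", key))
    if not is_dc and "netlogon" in conf:
        findings.add(("netlogon-on-member", "[netlogon]"))
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        for rule, where in audit(text):
            print(f"{name}: {rule}: {where}")
```
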

Greetings, Rowland Penny via samba!

> OK, I give in, why have 4 emails from Andrey Repin, that were
> apparently sent in May & June of this year, just appeared in my mail
> client ?

Don't worry, your sanity is not affected.
My mail provider had changed submission policy without a sufficient
notification, causing my transit mail server to block mail queue since
last August.

Anyway, here's some news on the subject:

Routine server upgrade uncovered an IP address conflict in the local
network. Turned out, when I was setting up DC2, I did not add its
address to the infrastructure DNS zone. When I was setting up a new
infra server for tests a short while later, I checked the infra zone
and picked the next free address... which, unsurprisingly, was the same
as the DC2 one.

Having solved this, I get a stable "Domain join OK" on every domain
member, but still unable to authenticate the users using winbind.

Domain controller logs (notable parts) are following:

log.samba:

[2023/11/07 18:56:05.882689, 1] ../../source4/nbt_server/register.c:165(nbtd_register_name_handler)
  Error registering DARKDRAGON<1b> with 192.168.1.19 on interface 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES
[2023/11/07 18:56:20.887545, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:20.890975, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=DomainDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.039408, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.098762, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on CN=Configuration,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:25.913081, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 110

log.smbd: lots of messages like these right from the start:

[2023/11/07 18:56:08.211331, 1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/11/07 18:56:11.590717, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:11.590888, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
   Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
   Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight
[2023/11/07 18:56:29.811430, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:29.812183, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1117
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
   Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
   Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight
[2023/11/07 18:56:30.307255, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:30.308127, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
   Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
   Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight

AD DC configuration:

# Global parameters
[global]
    auto services = homes
    client ldap sasl wrapping = sign
    dns forwarder = 192.168.1.12
    dos charset = CP866
    logging = systemd
    log level = 1
    netbios name = DC2
    panic action = /usr/share/samba/panic-action %d
    printcap name = /dev/null
    realm = ADS.DARKDRAGON.LAN
    server role = active directory domain controller
    template homedir = /home/%U
    template shell = /bin/bash
    tls enabled = Yes
    tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = DARKDRAGON
    idmap config darkdragon : unix_nss_info = yes
    idmap config darkdragon : unix_primary_group = yes
    idmap config darkdragon : range = 2048-131071
    idmap config darkdragon : schema_mode = rfc2307
    idmap config darkdragon : backend = ad
    idmap config * : range = 1024-2047
    idmap config * : schema_mode = rfc2307
    idmap config * : backend = tdb
    idmap_ldb : use rfc2307 = Yes
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = dfs_samba4 acl_xattr

[netlogon]
    comment = Network Logon Service
    csc policy = disable
    path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
    read only = No

[sysvol]
    comment = Domain System Volume
    csc policy = disable
    path = /var/lib/samba/sysvol
    read only = No

Member server:

# Global parameters
[global]
    dos charset = CP866
    workgroup = DARKDRAGON
    realm = ADS.DARKDRAGON.LAN
    netbios name = DAEMON1
    interfaces = lo mac0
    bind interfaces only = Yes
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    log level = 1
    server min protocol = NT1
    min protocol = NT1
    client min protocol = NT1
    client ldap sasl wrapping = sign
    printcap name = /dev/null
    preferred master = Yes
    local master = Yes
    domain master = Yes
    browse list = Yes
    wins server = 127.0.0.1
    wins support = Yes
    preload = homes
    auto services = homes
    panic action = /usr/share/samba/panic-action %d
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = Yes
    client ipc min protocol = NT1
    idmap config darkdragon : unix_nss_info = yes
    idmap config darkdragon : unix_primary_group = yes
    idmap config darkdragon : range = 2048-131071
    idmap config darkdragon : schema_mode = rfc2307
    idmap config darkdragon : backend = ad
    idmap config * : range = 1024-2047
    idmap config * : backend = tdb
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[netlogon]
    comment = Network Logon Service
    path = /home/.samba/netlogon
    read only = No
    csc policy = disable

[homes]
    comment = Home Directory
    path = /home/%S
    valid users = %S
    read only = No
    browseable = No
    csc policy = disable
    follow symlinks = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    csc policy = disable

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

[arc]
    comment = Software archive
    path = /srv/arc
    read only = No
    browseable = No
    csc policy = disable

And in case it is of any relevance,

# samba-tool dbcheck --cross-ncs
Checking 3532 objects
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
Checked 3532 objects (0 errors)

-- 
With best regards,
Andrey Repin
Monday, November 6, 2023 23:42:24

Sorry for my terrible english...
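
The repeated "Unable to convert first SID" entries in log.smbd above can be grouped per account and their token dumps decoded. This is an added example, not part of the original thread; the function names and the sample log (abridged from the entries posted above, with one entry repeated) are constructed for illustration, and the SID labels are the standard Windows well-known SIDs and RIDs.

```python
# Added example: summarise failed SID-to-UID conversions from Samba DC logs.
# Helper names are hypothetical; this is not a Samba utility.
import re

WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               515: "Domain Computers", 516: "Domain Controllers"}

# One pattern for both record kinds, so it works on multi-line logs and on
# logs that an archive has flattened onto a single line.
EVENT_RE = re.compile(
    r"Unable to convert first SID \((S-[\d-]+)\)"   # group 1: failing SID
    r"|SID\[\s*(\d+)\]:\s*(S-[\d-]+)"               # groups 2, 3: token entry
)

# Constructed sample, abridged from the log.smbd excerpt in the thread.
SAMPLE_LOG = """
[2023/11/07 18:56:11.590717, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID.
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 5]: S-1-5-64-10
[2023/11/07 18:56:30.307255, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID.
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 5]: S-1-5-64-10
[2023/11/07 18:57:02.000000, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID.
"""


def rid_of(sid):
    """Last sub-authority of a SID, i.e. the relative identifier."""
    return int(sid.rsplit("-", 1)[1])


def label(sid):
    """Human-readable name for well-known SIDs and default domain RIDs."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        return DOMAIN_RIDS.get(rid_of(sid), f"domain RID {rid_of(sid)}")
    return "unknown"


def triage(log_text):
    """Return {failing_sid: {"count": n, "groups": [labels of other token SIDs]}}."""
    report, current = {}, None
    for m in EVENT_RE.finditer(log_text):
        if m.group(1):                      # a new failure record
            current = m.group(1)
            report.setdefault(current, {"count": 0, "groups": []})["count"] += 1
        elif current and int(m.group(2)) > 0:   # skip SID[0], the account itself
            name = label(m.group(3))
            if name not in report[current]["groups"]:
                report[current]["groups"].append(name)
    return report


if __name__ == "__main__":
    for sid, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"RID {rid_of(sid)}: {info['count']}x, token: {', '.join(info['groups'])}")
```
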