[Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

Jonathan Hunter jmhunter1 at gmail.com
Tue Jul 23 13:38:02 MDT 2013


Hi,

In time honoured fashion I am replying to my own post, as I think I have
figured out a workaround to my issue. Hopefully this will help others -
here's what I did.

On 22 July 2013 22:01, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
> from source), but I get the following:
>
[...]

>  ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
> -  <00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
> DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
> Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
> system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
> Controllers,DC=mydomain,DC=org'!> <>
>

>
After some careful googling, and trying to figure out what the heck a RID
Set was, and why it couldn't be added, I discovered it was a property of a
domain controller, and I think I should really have one against my existing
DC - but I didn't.

First step was ADSI Edit, to create it - but then I discovered that whilst
ADSI Edit can create many things, a RID Set is not one of them.

Second step was LDIFDE: I exported the RID Set from my other DC (in the
other site) and edited the LDIF to make a new RID Set for my existing DC - but
couldn't import it ("The server is unwilling to process the request").

Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
role across between the DCs:

second-existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

The transfer was successful, but some kind of error occurred... (!)

But, I was able to transfer the role back to the first DC - and this time,
a RID Set finally appeared in AD! I did, however, get exactly the same
error. This happened however many times I transferred the role, and for any
role (I tried all of them :-))

existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

Still... I have now been able to successfully join my domain - which does
solve my initial problem, so I'm happy there at least.

(Interestingly, my shiny new DC does not have a RID Set... I'm not yet sure
if this is good, or bad! :))

Hopefully this post will be helpful to somebody in the future... Just a
note, however - I hardly ever check this gmail account, so please don't
rely on a speedy response if you do see this post and want to reply to me
personally!
Thanks all,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
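Added example, not from Jonathan's post or from Samba itself: before joining a new DC (or after shuffling the RID master role as described above), a practitioner wants to see which DCs actually have a "CN=RID Set" child and what pools those sets hold. The script below parses the LDIF that `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)'` prints for rIDSet objects, and decodes rIDAllocationPool / rIDPreviousAllocationPool, which AD stores as a 64-bit integer whose low 32 bits are the first RID of the pool and whose high 32 bits are the last. The LDIF, DC names and pool values are constructed for the example; the sam.ldb path is the default for a from-source build and is an assumption.

```python
"""Report which domain controllers have a RID Set, and decode their RID pools.

Added example (not part of the original mailing-list post, not Samba code).
Input is the LDIF that `ldbsearch -H <sam.ldb> '(objectClass=rIDSet)'` would
print; the sample below is constructed with made-up DC names and pool values.
"""

# Constructed sample output: a domain with two DCs where only EXISTING-DC has a
# RID Set (the situation the post describes after the role transfer).
SAMPLE_LDIF = """\
# record 1
dn: CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org
objectClass: top
objectClass: rIDSet
rIDAllocationPool: 9015136355904
rIDPreviousAllocationPool: 6867652707404
rIDUsedPool: 0
rIDNextRID: 1105

# returned 1 records
# 1 entries
# 0 referrals
"""

# Hypothetical DC computer DNs; in practice list them with
#   ldbsearch -H sam.ldb -b 'OU=Domain Controllers,DC=mydomain,DC=org' \
#       '(objectClass=computer)' dn
DOMAIN_CONTROLLERS = [
    "CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org",
    "CN=NEW-DC,OU=Domain Controllers,DC=mydomain,DC=org",
]


def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} dicts.

    Handles comment lines, blank-line record separators and LDIF line folding
    (continuation lines start with a single space). Base64 values ('::') are
    kept as-is, which is fine for the numeric rIDSet attributes used here.
    """
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key][-1] += line[1:]       # folded continuation line
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def decode_pool(value):
    """Return (first_rid, last_rid) from a rIDAllocationPool-style integer.

    AD packs the pool as: low 32 bits = lower bound, high 32 bits = upper bound.
    """
    v = int(value)
    return v & 0xFFFFFFFF, v >> 32


def rid_set_report(ldif_text, dc_dns):
    """Map each DC DN to its decoded RID Set, or None if the DC has no RID Set.

    The RID Set of a DC is always 'CN=RID Set,' directly under the DC's
    computer object; DNs are compared case-insensitively, as LDAP does.
    """
    by_dn = {rec["dn"][0].lower(): rec for rec in parse_ldif(ldif_text) if "dn" in rec}
    report = {}
    for dc in dc_dns:
        rec = by_dn.get(("CN=RID Set," + dc).lower())
        if rec is None:
            report[dc] = None
            continue
        prev_low, prev_high = decode_pool(rec["rIDPreviousAllocationPool"][0])
        next_rid = int(rec["rIDNextRID"][0])
        report[dc] = {
            "allocation": decode_pool(rec["rIDAllocationPool"][0]),
            "previous": (prev_low, prev_high),
            "next_rid": next_rid,
            # Upper bound of the active pool minus the last RID handed out.
            "remaining": prev_high - next_rid,
        }
    return report


def dcs_without_rid_set(ldif_text, dc_dns):
    """List the DCs that have no RID Set; each of these cannot allocate RIDs."""
    return [dc for dc, info in rid_set_report(ldif_text, dc_dns).items() if info is None]


if __name__ == "__main__":
    for dc, info in rid_set_report(SAMPLE_LDIF, DOMAIN_CONTROLLERS).items():
        print(dc, "->", info if info else "NO RID SET")
    for dc in dcs_without_rid_set(SAMPLE_LDIF, DOMAIN_CONTROLLERS):
        print("missing RID Set:", dc, "(check 'samba-tool fsmo show' for the rid master)")
```

Run it against real output by replacing SAMPLE_LDIF with the captured ldbsearch text; a DC reported as "NO RID SET" matches the condition that produced the LDAP_UNWILLING_TO_PERFORM error in the post.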

