[Samba] Joining Second DC error -- NT_STATUS_CONNECTION_RESET

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 20 15:26:46 MDT 2014

On 20/08/14 22:05, Marc Muehlfeld wrote:
> Am 20.08.2014 21:59, schrieb Rowland Penny:
>>>> 3. Do we have a way to backup Dc user and group or the updated computer
>>>> password :)
>>> The user/group stuff you can export via ldap (at least most
>>> attributes). And you can write a script that creates the users via
>>> samba-tool again. But you can't restore the SID this way.
>> Hi, are you sure about the SID ? I have never used it, but 'samba-tool
>> domain provision --help' shows this:
>> --domain-sid=SID      set domainsid (otherwise random)
> The domain SID you can set during provisioning. But I meant the SID (RID)
> of accounts/groups.
> # samba-tool user add ....
> doesn't have anything to create a user/group with a defined RID.
> And I'm not sure, if this is possible at all, when I'm thinking about
> it. Because the RIDs for newly created objects are taken from the RID
> pool. Every DC has a pool of 500 RIDs (when empty, the pool is filled
> with the next free 500 RIDs from the RID Master). So if e. g. an account
> is created with a defined RID on DC1. But this RID is one that is in the
> free-RID-pool of DC2, this would cause trouble. The same trouble would
> happen if you would manually edit the objectSID.
I am never going to try this, but I think that if you were to dump the 
entire AD database, extract from this any users and groups that you have 
created. Now provision the new domain using as much info as you can from 
the old DC, if you then use the user/groups ldifs you extracted, I think 
that you would be able to recreate the users & groups with the old 
SID-RID, you would also have to update 'rIDNextRID' from 'cn=RID Set'. 
This would only ever have a chance of working on a single DC domain.

As I said, I am never ever going to try this, just saying that it might 
be possible ;-)

> Regards,
> Marc
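
A consistency check for the RID collision discussed in this thread, as an added example that is not part of the original messages: it decodes `objectSid` values from an LDIF export and reports RIDs that a DC could allocate again, judged against `rIDNextRID` and another DC's `rIDAllocationPool`. The domain SID, DNs and pool values are constructed, and requiring every restored RID to be strictly below `rIDNextRID` is a conservative assumption.

```python
import base64, struct

def sid_to_str(raw):
    """Decode a binary objectSid: revision, count, 48-bit big-endian authority,
    then `count` little-endian 32-bit sub-authorities (the last one is the RID)."""
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (rev, int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))

def str_to_sid(sid):
    """Inverse of sid_to_str; only used to build the constructed sample below."""
    p = [int(x) for x in sid.split("-")[1:]]
    return bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])

def ldif_rids(ldif, domain_sid):
    """Map dn -> RID for records whose objectSid lies in domain_sid."""
    rids, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("objectSid:: ") and dn:
            prefix, _, rid = sid_to_str(base64.b64decode(line[12:])).rpartition("-")
            if prefix == domain_sid:
                rids[dn] = int(rid)
    return rids

def split_pool(value):
    """rIDAllocationPool is one 64-bit integer: low 32 bits = first RID, high 32 bits = last."""
    return value & 0xFFFFFFFF, value >> 32

def check(rids, next_rid, pools=()):
    """Report RIDs a DC could hand out again (assumption: safe only if RID < rIDNextRID)."""
    problems = []
    for dn, rid in sorted(rids.items(), key=lambda kv: kv[1]):
        if rid >= next_rid:
            problems.append("%s: RID %d not below rIDNextRID %d" % (dn, rid, next_rid))
        for lo, hi in pools:
            if lo <= rid <= hi:
                problems.append("%s: RID %d inside another DC's pool %d-%d" % (dn, rid, lo, hi))
    return problems

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
SAMPLE = "".join("dn: CN=%s,CN=Users,DC=example,DC=com\nobjectSid:: %s\n\n"
    % (n, base64.b64encode(str_to_sid("%s-%d" % (DOMAIN, r))).decode())
    for n, r in [("alice", 1104), ("bob", 1105), ("carol", 1650)])   # constructed records

if __name__ == "__main__":
    for p in check(ldif_rids(SAMPLE, DOMAIN), next_rid=1105, pools=[split_pool((2099 << 32) | 1600)]):
        print(p)
```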
