[Samba] Joining Second DC error -- NT_STATUS_CONNECTION_RESET

mourik jan heupink - merit heupink at merit.unu.edu
Wed Aug 20 15:50:22 MDT 2014

I also know that ldap-account-manager has functionality to dump all 
users/groups and restore (recreate) them.


Of course you still need to be able to connect to your DC over ldap.

This could help you as well.


On 08/20/2014 11:26 PM, Rowland Penny wrote:
> On 20/08/14 22:05, Marc Muehlfeld wrote:
>> Am 20.08.2014 21:59, schrieb Rowland Penny:
>>>>> 3. Do we have a way to backup Dc user and group or the updated
>>>>> computer
>>>>> password :)
>>>> The user/group stuff you can export via ldap (at least most of the
>>>> attributes). And you can write a script that creates the users via
>>>> samba-tool again. But you can't restore the SID in this way.
>>> Hi, are you sure about the SID ? I have never used it, but 'samba-tool
>>> domain provision --help' shows this:
>>> --domain-sid=SID      set domainsid (otherwise random)
>> The domain SID you can set during provisioning. But I meant the SID (RID)
>> of accounts/groups.
>> # samba-tool user add ....
>> doesn't have anything to create a user/group with a defined RID.
>> And I'm not sure if this is possible at all, when I think about
>> it. Because the RIDs for newly created objects are taken from the RID
>> pool. Every DC has a pool of 500 RIDs (when empty, the pool is filled
>> with the next free 500 RIDs from the RID Master). So if, e.g., an account
>> is created with a defined RID on DC1, but this RID is one that is in the
>> free-RID pool of DC2, this would cause trouble. The same trouble would
>> happen if you manually edited the objectSID.
> I am never going to try this, but I think that if you were to dump the
> entire AD database, extract from this any users and groups that you have
> created, then provision the new domain using as much info as you can from
> the old DC, and then use the user/group ldifs you extracted, you would be
> able to recreate the users & groups with the old SID-RID. You would also
> have to update 'rIDNextRID' from 'cn=RID Set'. This would only ever have
> a chance of working on a single DC domain.
> As I said, I am never ever going to try this, just saying that it might
> be possible ;-)
> Rowland
>> Regards,
>> Marc
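An added example, not posted by anyone in this thread: it decodes the binary objectSid values from an LDIF dump and flags the RIDs that fall inside a DC's current rIDAllocationPool, i.e. the collision Marc describes. The user names, domain SID and pool range are constructed sample data; the pool layout (low DWORD = first RID, high DWORD = last RID) is what Samba and AD store in that attribute.

```python
import base64
import struct

# Constructed sample (not from the thread): three users with a made-up
# domain SID S-1-5-21-1-2-3 and RIDs 1000, 1104 and 1250.
SAMPLE_USERS = [("alice", "S-1-5-21-1-2-3-1000"),
                ("bob", "S-1-5-21-1-2-3-1104"),
                ("carol", "S-1-5-21-1-2-3-1250")]


def encode_sid(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary objectSid: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_sid(raw: bytes) -> str:
    """Binary objectSid -> string form; the last sub-authority is the RID."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sids_from_ldif(ldif: str) -> list:
    """Collect objectSid values from an LDIF dump ('::' marks a base64 value)."""
    return [decode_sid(base64.b64decode(line.split(" ", 1)[1]))
            for line in ldif.splitlines() if line.startswith("objectSid:: ")]


def rid_pool_bounds(pool: int) -> tuple:
    """rIDAllocationPool is one 64-bit integer: low DWORD = first RID, high DWORD = last RID."""
    return pool & 0xFFFFFFFF, pool >> 32


def colliding_rids(sids: list, pool: int) -> list:
    """RIDs the DC could still hand out from this pool; recreating them verbatim would clash."""
    lo, hi = rid_pool_bounds(pool)
    rids = [int(s.rsplit("-", 1)[1]) for s in sids]
    return [r for r in rids if lo <= r <= hi]


def build_sample_ldif() -> str:
    """Render SAMPLE_USERS the way an LDIF export writes them (base64 objectSid)."""
    return "".join("dn: CN=%s,CN=Users,DC=example,DC=com\nobjectSid:: %s\n\n"
                   % (name, base64.b64encode(encode_sid(sid)).decode())
                   for name, sid in SAMPLE_USERS)


if __name__ == "__main__":
    dc2_pool = (1599 << 32) | 1100  # constructed: DC2 still owns the 500-RID pool 1100..1599
    print(colliding_rids(sids_from_ldif(build_sample_ldif()), dc2_pool))  # [1104, 1250]
```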
