[Samba] Does anyone know how to completely remove the Computer SID of a Demoted DC?

Rowland Penny rpenny at samba.org
Thu Jan 5 14:06:18 UTC 2023



On 05/01/2023 13:20, Zombie Ryushu via samba wrote:
>
> I'm sorry I did not provide enough context.
> 
> I have demoted and re-promoted a particular DC on several occasions to 
> deal with a SID Corruption issue. (This is an issue from months ago, and 
> I largely worked around the problem, but now it's being an issue again.) 
> Each time I demote and re-promote the DC it gets the same SID, and in 
> turn, I get the same corruption issue.
> 


I feel that I am going to regret this, but here goes:

That is impossible, there is no way that a totally demoted DC can get 
the same SID.

When you join a DC to a domain it gets a SID in this format:

S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzz-RID

Where the 'xxxxxxxxx-yyyyyyyyyy-zzzzzzzzz' is a unique string of numbers 
that identifies the domain; this string is always the same on all domain 
members. The 'RID' is a unique number (that starts at 1000) and 
identifies the object (in this case a DC). When an object is created (be 
it a user, group, or in this case a DC) it gets the next available RID 
from the DC's ridpool (in the case of a DC it is from another DC's ridpool).

I hope you can see from this that if a DC (which for instance had the RID 
1101) is totally removed from AD and then joined again, it would get the 
next available RID, which could be 1102, but would more likely be a 
larger number e.g. 2106.

If you are joining a DC that you have demoted and it is getting the same 
RID, then you didn't demote it.

Rowland
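As an added illustration of the SID structure Rowland describes (this is example code, not something posted in the thread or part of Samba), the following parser splits a SID of the form S-1-5-21-x-y-z-RID into its domain identifier and RID, and classifies what a before/after pair of SIDs for the "same" DC tells you. The sample SIDs are constructed values; the domain identifier and RIDs 1101 and 2106 are just the numbers used in the reply.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread. Parses a SID of the form
# S-1-5-21-<x>-<y>-<z>-<RID> and compares the SID a DC had before
# demotion with the one it has after re-promotion.

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse 'S-R-IA-SA1-SA2-...' into its numeric components."""
        m = SID_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    @property
    def is_domain_account(self):
        # Domain-scoped SIDs are S-1-5-21-x-y-z-RID: NT authority (5),
        # first sub-authority 21, three domain identifiers, then the RID.
        return (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def domain_sid(self):
        """The 'S-1-5-21-x-y-z' part shared by every object in the domain."""
        if not self.is_domain_account:
            raise ValueError("not a domain-scoped SID")
        return "S-1-5-21-" + "-".join(str(s) for s in self.sub_authorities[1:4])

    @property
    def rid(self):
        """The trailing relative identifier that names one object."""
        if not self.is_domain_account:
            raise ValueError("not a domain-scoped SID")
        return self.sub_authorities[4]


def compare_dc_sids(before, after):
    """Classify a DC's SID before demotion vs. after re-promotion.

    'same-rid' means the object still existed when the DC was re-joined,
    i.e. the demotion never removed it; a genuinely removed and re-created
    object receives a fresh RID from the RID pool.
    """
    b, a = Sid.parse(before), Sid.parse(after)
    if b.domain_sid != a.domain_sid:
        return "different-domain"
    if b.rid == a.rid:
        return "same-rid"
    if a.rid < 1000:
        # RIDs below 1000 are reserved for well-known accounts and groups,
        # so a freshly allocated RID for a DC should never land there.
        return "reserved-rid"
    return "new-rid"


if __name__ == "__main__":
    # Constructed sample values (not real domain data).
    domain = "S-1-5-21-1234567890-987654321-1122334455"
    print(compare_dc_sids(f"{domain}-1101", f"{domain}-1101"))  # same-rid
    print(compare_dc_sids(f"{domain}-1101", f"{domain}-2106"))  # new-rid
```

Running the script against the SIDs recorded for a DC before and after a demote/re-promote cycle gives "same-rid" only if the computer object was never actually removed from the directory, which is the situation the reply describes.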
