[Samba] Does anyone know how to completely remove the Computer SID of a Demoted DC?
Rowland Penny
rpenny at samba.org
Thu Jan 5 14:06:18 UTC 2023
On 05/01/2023 13:20, Zombie Ryushu via samba wrote:
>
> I'm sorry I did not provide enough context.
>
> I have demoted and re-promoted a particular DC on several occasions to
> deal with a SID Corruption issue. (This is an issue from months ago, and
> I largely worked around the problem, but now it's being an issue again.)
> Each time I demote and re-promote the DC it gets the same SID, and in
> turn, I get the same corruption issue.
>
I feel that I am going to regret this, but here goes:
That is impossible; there is no way that a totally demoted DC can get
the same SID.
When you join a DC to a domain it gets a SID in this format:
S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzz-RID
Where the 'xxxxxxxxx-yyyyyyyyyy-zzzzzzzzz' is a unique string of numbers
that identifies the domain, this string is always the same on all domain
members, the 'RID' is a unique number (that starts at 1000) and
identifies the object (in this case a DC). When an object is created (be
it a user, group, or in this case a DC) it gets the next available RID
from the DC's ridpool (in the case of a DC it is from another DC's ridpool).
I hope you can see from this that if a DC (which for instance had the RID
1101) is totally removed from AD and then joined again, it would get the
next available RID, which could be 1102, but would more likely be a
larger number e.g. 2106.
If you are joining a DC that you have demoted and it is getting the same
RID, then you didn't demote it.
Rowland
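As an added illustration of the SID layout Rowland describes (example code written for this page, not from the Samba project or the thread; the sample SIDs are constructed): it splits a SID into the domain part shared by every member and the per-object RID, checks that two SIDs belong to the same domain, and flags any RID that appears twice, which is the collision a demote/re-join should never produce.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subs: tuple  # sub-authorities; the last one is the RID for domain objects

    @property
    def is_domain_object(self) -> bool:
        # NT authority (5) with first sub-authority 21 marks a domain SID;
        # three domain sub-authorities plus one RID make five in total.
        return (self.revision == 1 and self.authority == 5
                and self.subs[0] == 21 and len(self.subs) == 5)

    @property
    def domain(self) -> str:
        # The part that is identical on every member of the same domain.
        return "S-1-5-21-" + "-".join(str(s) for s in self.subs[1:4])

    @property
    def rid(self) -> int:
        return self.subs[-1]


def parse_sid(text: str) -> Sid:
    """Parse a domain-object SID; rejects built-in SIDs such as S-1-5-32-544."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(p) for p in m.group(3).split("-")[1:])
    sid = Sid(int(m.group(1)), int(m.group(2)), subs)
    if not sid.is_domain_object:
        raise ValueError(f"not a domain object SID: {text!r}")
    return sid


def same_domain(a: str, b: str) -> bool:
    """True when both SIDs carry the same domain identifier."""
    return parse_sid(a).domain == parse_sid(b).domain


def duplicate_rids(sids):
    """Map each RID used by more than one SID of the same domain to those SIDs."""
    seen = defaultdict(list)
    for s in sids:
        p = parse_sid(s)
        seen[(p.domain, p.rid)].append(s)
    return {k[1]: v for k, v in seen.items() if len(v) > 1}


# Constructed sample SIDs (not real domain values); the third repeats RID 1101.
SAMPLE = ["S-1-5-21-111111111-222222222-333333333-1101",
          "S-1-5-21-111111111-222222222-333333333-2106",
          "S-1-5-21-111111111-222222222-333333333-1101"]
```

Feeding it the objectSid values exported from a DC gives a quick check that a re-joined DC really did receive a fresh RID.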