missing RidSetReferences attribute


  • missing RidSetReferences attribute

    Greetings!

    I'd like to share the experience we've had solving one Active Directory issue.

    We've been facing a problem with one of our domains, which was left with a single domain controller. The problem was that although the DC was the all-FSMO role holder, it could not register new objects in the directory because of RID master failure. The DCDIAG FSMO test reported "Warning: attribute rIdSetReferences missing".

    As a matter of fact, the rIDSetReferences attribute in the object CN=<DC>,OU=Domain Controllers,CN=<DOMAIN>,DC=<DOMAIN>
    that should have held a reference to an existing object CN=RID Set,CN=<DC>,OU=Domain Controllers,CN=<DOMAIN>,DC=<DOMAIN> was empty.

    The attempt to re-seize the RID master role for the same DC failed with the message that the server is already the role holder. The attempt to manually modify the rIDSetReferences attribute failed due to denial of critical system object modification.

    Digging through IT forums didn't bring a solution, so it was decided to test a desperate idea: to remove any information about the RID master role from Active Directory step by step until it no longer recognized the DC as a RID master role holder.

    Surprisingly, the first attempt to rename the object
    CN=RID Set,CN=<DC>,OU=Domain Controllers,CN=<DOMAIN>,DC=<DOMAIN>
    to
    CN=RID Set_,CN=<DC>,OU=Domain Controllers,CN=<DOMAIN>,DC=<DOMAIN>
    launched the creation of a new object
    CN=RID Set,CN=<DC>,OU=Domain Controllers,CN=<DOMAIN>,DC=<DOMAIN> and delegated it in the rIDSetReferences attribute.

    I suppose there could be a more civilized solution for the very same situation, but in case there is none, this could be considered as an option. Though it can possibly fail on other systems.

    Good luck!

    Mihail Akulenkov
    Last edited by Sederik; 15th January 2009, 09:30.
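
The condition described in the post above (a DC whose rIDSetReferences is empty while a RID Set object still sits under it) can be checked offline from an LDIF export of the Domain Controllers container. This is an added example, not part of the original post; the DNs and values are constructed sample data, and it assumes plain-text (not base64) attribute values.

```python
# Added example: offline rIDSetReferences check; all DNs/values are constructed.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
userAccountControl: 532480
rIDSetReferences: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=example,DC=test

dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=example,DC=test
objectClass: rIDSet

dn: CN=DC02,OU=Domain Controllers,DC=example,DC=test
userAccountControl: 532480

dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=example,
 DC=test
objectClass: rIDSet
"""

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl flag set on DC accounts

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}, unfolding wrapped lines."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in block.strip().splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def is_rid_set(entries, dn):
    return "ridset" in (c.lower() for c in entries.get(dn.lower(), {}).get("objectclass", []))

def check_rid_set_references(entries):
    """Map each DC's DN to 'ok', 'dangling', 'missing' or 'missing, RID Set exists'."""
    report = {}
    for dn, attrs in entries.items():
        if int(attrs.get("useraccountcontrol", ["0"])[0]) & SERVER_TRUST_ACCOUNT:
            refs = attrs.get("ridsetreferences", [])
            if not refs:
                orphan = is_rid_set(entries, "cn=rid set," + dn)
                report[dn] = "missing, RID Set exists" if orphan else "missing"
            else:
                report[dn] = "ok" if all(is_rid_set(entries, r) for r in refs) else "dangling"
    return report

if __name__ == "__main__":
    print(check_rid_set_references(parse_ldif(SAMPLE_LDIF)))
```

A DC reported as "missing, RID Set exists" matches the state the post describes before the rename.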

  • #2
    Re: missing RidSetReferences attribute

    I have to check this, but I'm not sure this is the best way to recover the RID Master. When you seize a RID Master, there are some tests performed to prevent allocation of a RID pool that contains already issued RIDs. In addition, RID Master seizure invalidates already issued RID pools if those overlap with a pool issued to another DC.

    The best approach in your case would be to DCPROMO a new DC and move the RID Master to it.

    As this is the only DC left in the domain, the chances that you have duplicate SIDs are small, but worth checking. To be on the safe side, follow this KB: http://support.microsoft.com/kb/816099
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: missing RidSetReferences attribute

      Originally posted by guyt
      The best approach in your case would be to DCPROMO a new DC and move the RID Master to it.
      I tried, but as there was no RID master to issue an SID, the attempt failed.

      Thanks for the link, I should have thought about it.



      • #4
        Re: missing RidSetReferences attribute

        You could probably DCPROMO an existing member server... Ugly, but could work. In any case, if it's the only DC left, after checking for duplicate SIDs you should be ok.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
