Re: Change the RID Pool on a DC


From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 05/19/04


Date: Wed, 19 May 2004 07:52:54 +0100


"Nicolas Diétrich" <nicolas.dietrich@NOSPAM.rightvision.com> wrote in
message news:e93b01c43cda$d5c0dca0$a601280a@phx.gbl...
>Hello Mike,

>Thanks for your quick answer.

>In fact, we construct Internet Appliances based on Small
>Business Server 2003 (http://www.rightvision.com).

>Our masters are duplicated with Symantec Ghost for the
>deployment, and we propose system backup / restore
>features. This backup / restore saves and restores a lot
>of things, including created AD users, computers, and a
>full system state and data store.

>To be able to restore users' data folders and their
>affiliated NTFS rights, we need to be able to manage the
>SID of newly created AD users (to be sure a specified
>user will get a specified SID).

>Sure we know SysPrep, NewSID (sysinternals), and the
>other ways to manage the Domain part of the SID to have a
>newly created SID Domain Part.

>We also are aware of the SIDHistory features, but after a
>lot of reflection, it cannot fit our needs.

>We need to be able to read and to modify the RID Scope of
>our server (SBS2K3, so all 5 FSMO roles).

>I understand our problem is really specific, but it's
>fully thought through, and MS France is aware of our problem.

>So do you think there's a way to do this, either by
>changing some AD Attributes, by calling a DSA specific
>method, or any other way?

Nicolas,

You should still not be attempting to change the RID pool.
I cannot see anything in your setup process that cannot be solved through the
use of supported tools and techniques and some scripting.

You can build your system as per usual.
You can then SYSPREP it to allow for the correct generation of a new machine
SID for the Server.
Then DCPROMO to make it a DC.
You then create all the users and groups using LDIF files.
Restoring data and configuration from backup will be OK and then you just
run the appropriate CACLS file to reset the permissions etc. on the restored
files to match the correctly created users and the required permissions.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these 
newsgroups
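An added example, not from Mike's reply and not RightVision's code, of the LDIF-plus-CACLS part of the workflow above: a Python script that emits the LDIF records ldifde imports to re-create the users and the CACLS lines that re-grant each restored home folder by account name. Because NTFS ACL entries store SIDs, not names, the restored ACLs point at the old SIDs; granting by account name resolves to whatever SID the DSA issued, so the RID pool never has to be touched. The domain `domain.local`, the OU `OU=Users`, the NetBIOS name `DOMAIN`, the folder root `D:\Users` and the server name are assumed placeholders, and the user list is constructed. It also handles two details a hand-written LDIF often gets wrong: a non-ASCII value such as the thread's own "Diétrich" must be base64-encoded with `::`, and a comma in a display name must be escaped inside the RDN.

```python
"""Emit an LDIF file for ldifde plus the CACLS commands that re-grant restored
folders, following the sysprep / dcpromo / ldifde / cacls workflow.

Added example: domain, OU, NetBIOS name, server and folder root are assumed
placeholders, not values from the thread or from the poster's environment.
"""
import base64
import re

DOMAIN_DN = "DC=domain,DC=local"   # assumed; matches the LDAP path style in the thread
NETBIOS_DOMAIN = "DOMAIN"          # assumed NetBIOS name used in CACLS account names
USERS_OU = "OU=Users"              # assumed target OU for the re-created accounts
DATA_ROOT = r"D:\Users"            # assumed root of the restored home folders

# Constructed user list: (display name, sAMAccountName).
SAMPLE_USERS = [
    ("Nicolas Diétrich", "ndietrich"),   # non-ASCII: LDIF must base64-encode it
    ("Doe, Jane", "jdoe"),              # comma: must be escaped inside the RDN
]

# Characters that need a backslash escape inside an RDN value (RFC 4514).
_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value):
    """Escape an RDN attribute value so the DN parses as intended."""
    escaped = _RDN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_attr(name, value):
    """One LDIF attribute line; values RFC 2849 calls unsafe go base64 with '::'."""
    is_safe = (value.isascii()
               and not value.startswith((" ", ":", "<"))
               and "\n" not in value and "\r" not in value)
    if is_safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def user_ldif(display_name, sam, domain_dn=DOMAIN_DN, users_ou=USERS_OU):
    """LDIF 'add' record for one user; the DSA assigns the SID at creation."""
    dn = f"CN={escape_rdn_value(display_name)},{users_ou},{domain_dn}"
    dns_domain = ".".join(part[3:] for part in domain_dn.split(","))
    lines = [
        ldif_attr("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", display_name),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("userPrincipalName", f"{sam}@{dns_domain}"),
        # 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE: ldifde cannot set a password over
        # plain LDAP, so create the account disabled, set a password, then enable it.
        "userAccountControl: 514",
    ]
    return "\n".join(lines) + "\n"


def cacls_command(sam, data_root=DATA_ROOT, netbios=NETBIOS_DOMAIN):
    """CACLS line: /E edits the existing ACL, /T recurses, /G grants Full control."""
    return f'cacls "{data_root}\\{sam}" /T /E /G {netbios}\\{sam}:F'


def build_ldif(users):
    """Whole LDIF file: one record per user, records separated by a blank line."""
    return "\n".join(user_ldif(name, sam) for name, sam in users)


def build_fixup_batch(users, ldif_name="users.ldf", server="myserver.domain.local"):
    """Batch lines: import the LDIF, then re-grant each restored folder."""
    lines = [f"ldifde -i -f {ldif_name} -s {server}"]
    lines += [cacls_command(sam) for _, sam in users]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS))
    print(build_fixup_batch(SAMPLE_USERS))
```

Run it after DCPROMO on the new DC, import the LDIF, set and enable the accounts, then run the CACLS lines over the restored data. Old, now-unresolvable SIDs left in the ACLs after the re-grant are worth reviewing with `cacls` (no `/E`) or a later `icacls /remove`, since they show as raw SIDs and indicate an entry that no longer maps to any account.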
Thanks in advance, regards,
Nicolas Diétrich
RightVision
France
>-----Original Message-----
>"Nicolas Diétrich" <nicolas.dietrich@NOSPAM.rightvision.com> wrote in
>message news:e79601c43cb6$dcdb71e0$a501280a@phx.gbl...
>>Hello,
>>Is there any way to change the RID Pool of an RID Master
>>Domain Controller (Windows 2003 Server)?
>
>
>Nicolas,
>
>Why do you want to change the RID pool on a DC?
>Has some condition occurred that leads you to believe you need to do this?
>Please provide more information about what has happened and what you are
>trying to do.
>
>-- 
>Regards,
>
>Mike
>--
>Mike Brannigan [Microsoft]
>
>This posting is provided "AS IS" with no warranties, and confers no
>rights
>
>Please note I cannot respond to e-mailed questions, please use these
>newsgroups
>
>"Nicolas Diétrich" <nicolas.dietrich@NOSPAM.rightvision.com> wrote in
>message news:e79601c43cb6$dcdb71e0$a501280a@phx.gbl...
>Hello,
>
>
>Is there any way to change the RID Pool of an RID Master
>Domain Controller (Windows 2003 Server)?
>
>I've already tried to change it through ADSIEdit and by
>scripting the RID Set attributes (rIDNextRID,
>rIDPreviousAllocationPool), but these attributes are held
>by the System (DSA), and I get an ACCESS_DENIED or a
>Constraint Violation error.
>
>
>' VBScript attempt to advance rIDNextRID on the DC's RID Set object.
>' The SetInfo call fails with ACCESS_DENIED / Constraint Violation
>' because the attribute is system-only and maintained by the DSA.
>Option Explicit
>Dim objRIDSet
>
>' Bind to the RID Set object of this DC (server and domain names are placeholders).
>' The LDAP path must be a single string: "CN=RID Set" contains a space, not a line break.
>Set objRIDSet = GetObject("LDAP://myserver.domain.local/CN=RID Set,CN=SERVER,OU=Domain Controllers,DC=domain,DC=local")
>
>MsgBox "Currently set rIDNextRID: " & objRIDSet.rIDNextRID
>
>' Try to move the next RID forward by 10 and commit to the directory.
>objRIDSet.rIDNextRID = objRIDSet.rIDNextRID + 10
>objRIDSet.SetInfo    ' this write is the one the DSA rejects
>
>Set objRIDSet = Nothing
>
>
>I also tried to change its read-only state in the
>schema, by changing the SystemOnly attribute of the
>RID-Next-RID attribute and the RID-Set class schema,
>but I also get an error (This attribute is owned by the
>system).
>
>
>So I took a look at ntdsa.dll, where I found undocumented
>functions like DsUpdateOnPDC(), SampSetDsa(), etc.
>
>
>Is there any proper way to change the RID Pool on a
>domain controller?
>
>How does the DSA change this attribute by itself?
>
>
>Thanks in advance,
>
>Cheers,
>
>
>Nicolas Diétrich
>RightVision
>France
>
>

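An added example, not from either poster, showing how the RID pool attributes the script above reads are laid out, so an administrator can monitor the pool instead of trying to write it (reads succeed; only the writes are refused by the DSA). `rIDAvailablePool` on `CN=RID Manager$,CN=System,...` and `rIDAllocationPool` / `rIDPreviousAllocationPool` on a DC's RID Set are 64-bit integers: the low 32 bits hold the next (or first) RID and the high 32 bits hold the last RID. Through ADSI they arrive as an IADsLargeInteger with signed `HighPart` and `LowPart`, which the helper below recombines. Every sample value is constructed, the RID Set block is treated as an inclusive range, and the 10 % warning threshold is an assumption; a pool that runs out is a denial of service for account creation, which is why the global pool is worth watching.

```python
"""Decode Active Directory RID pool attributes and flag a pool nearing exhaustion.

Added example, not code from the thread. rIDAvailablePool, rIDAllocationPool and
rIDPreviousAllocationPool are 64-bit values: low 32 bits = next (or first) RID,
high 32 bits = last RID of the range.
"""
RID_MASK = 0xFFFFFFFF
DEFAULT_MAX_RID = 0x3FFFFFFF  # ceiling of the default global pool (30-bit RID space)


def from_large_integer(high_part, low_part):
    """Rebuild the 64-bit value from IADsLargeInteger.HighPart / LowPart.

    ADSI exposes both halves as signed 32-bit integers; a negative LowPart must
    be masked, not sign-extended, or the low half of the pool reads as garbage.
    """
    return ((high_part & RID_MASK) << 32) | (low_part & RID_MASK)


def split_rid_pool(value):
    """Return the (low, high) 32-bit halves of a RID pool attribute."""
    value = int(value)
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("RID pool value must fit in 64 bits")
    return value & RID_MASK, value >> 32


def global_pool_status(rid_available_pool):
    """rIDAvailablePool on the RID master: next RID to hand out and the ceiling."""
    next_rid, max_rid = split_rid_pool(rid_available_pool)
    remaining = max_rid - next_rid + 1  # ceiling treated as inclusive (assumption)
    return {
        "next_rid": next_rid,
        "max_rid": max_rid,
        "remaining": remaining,
        "fraction_remaining": remaining / max_rid,
    }


def dc_pool_range(rid_allocation_pool):
    """rIDAllocationPool on a DC's RID Set: (first, last, size) of its current block."""
    first, last = split_rid_pool(rid_allocation_pool)
    return first, last, last - first + 1  # inclusive range (assumption)


def exhaustion_warning(rid_available_pool, threshold=0.10):
    """True when less than `threshold` of the global pool is left (threshold is assumed)."""
    return global_pool_status(rid_available_pool)["fraction_remaining"] < threshold


# Constructed samples; not read from any real domain.
SAMPLE_AVAILABLE_POOL = (DEFAULT_MAX_RID << 32) | 1588            # healthy: next RID is 1588
SAMPLE_NEAR_EXHAUSTION = (DEFAULT_MAX_RID << 32) | 1_000_000_000  # about 7 % of the pool left
SAMPLE_DC_ALLOCATION = (2087 << 32) | 1588                        # one 500-RID block: 1588..2087

if __name__ == "__main__":
    print(global_pool_status(SAMPLE_AVAILABLE_POOL))
    print(dc_pool_range(SAMPLE_DC_ALLOCATION))
    print(exhaustion_warning(SAMPLE_NEAR_EXHAUSTION))
```

In practice the values are read with the same `GetObject("LDAP://...")` binding the thread uses, taking `.HighPart` and `.LowPart` from the returned LargeInteger and passing them to `from_large_integer`; nothing here writes to the directory.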