[MS-DRSR] Are there any exceptions for 5.16.4 ATTRTYP-to-OID Conversion when the schema has been extended?

  • Question

  • Hello,

    When tracking the presence of LAPS, I found a strange behavior which is not compatible with the ATTRTYP to OID conversion.

    As a reminder, LAPS extends the current schema. I'm looking in this example at 2 production domains that have been running for years.

    As a reminder, the procedure to convert an OID like 1.2.3.4.5 to 0x10005 is:

    Split 1.2.3.4.5 into 1.2.3.4 and 5

    Encode 1.2.3.4 into a table and return the index, in this example 1.

    Concatenate "5" (from the previous part) and the table index using the pattern XXXXYYYY, which leads to 0x10005

    You can collect metadata using repadmin or the LDAP attribute replpropertymetadata.

    Here are 2 examples mixing repadmin and LDAP metadata displayed using LDP.exe (Browse -> Replication -> View Metadata).

    Example 1:

    33 entries.
     AttID	   Ver	 Loc.USN	                  Originating DSA			 Org.USN	     Org.Time/Date
     =====	   ===	 =======	                  ===============		 =======	     =============
         0	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
         3	     1	32354528	26cbb142-3c36-449d-9054-97d3fe617891	32354528	2018-07-04 11:26:24
        24	     1	32359493	e21b3c4d-f996-4127-863e-24a9a7d9b93e	247256424	2018-07-04 12:12:21
     20001	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     20002	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     20119	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90001	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90008	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90010	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     90019	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     90037	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120368	2019-03-11 10:00:43
     90038	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90040	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     9005a	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120368	2019-03-11 10:00:43
     9005e	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120368	2019-03-11 10:00:43
     90060	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120368	2019-03-11 10:00:43
     90062	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     9007d	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120369	2019-03-11 10:00:43
     90092	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     9009f	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     900a0	     8	46185928	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36120368	2019-03-11 10:00:43
     900dd	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     9012e	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     9016b	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844723	2018-07-04 11:26:22
     9016c	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844723	2018-07-04 11:26:22
     9026b	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90303	     5	32650163	26cbb142-3c36-449d-9054-97d3fe617891	32650163	2018-07-09 10:42:52
     9030e	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844717	2018-07-04 11:26:21
     90364	     1	32354528	d4d8d278-d687-4f0e-b353-6985946925a1	33844718	2018-07-04 11:26:21
     906a0	    14	46183978	183fc462-824a-4c87-9ee2-92bfd6ee0a23	36118281	2019-03-11 09:45:47
     907ab	     1	32354601	d4d8d278-d687-4f0e-b353-6985946925a1	33844811	2018-07-04 11:27:09
    93f7a2fc	     8	45349496	26cbb142-3c36-449d-9054-97d3fe617891	45349496	2019-02-20 09:53:25
    98d814f7	     8	45349496	26cbb142-3c36-449d-9054-97d3fe617891	45349496	2019-02-20 09:53:25

    Same with repadmin:

    33 entries.
    Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
    =======                          =============== ========= =============        === =========
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 objectClass
    174487593                      France-GDC\XSW09366 174487593 2018-07-04 11:29:35    1 cn
    174528885     e21b3c4d-f996-4127-863e-24a9a7d9b93e 247256424 2018-07-04 12:12:21    1 userCertificate
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 instanceType
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 whenCreated
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 nTSecurityDescriptor
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 name
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 userAccountControl
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 codePage
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 countryCode
    307968102                           T11\H1W1SDC0IK  36120368 2019-03-11 10:00:43    8 dBCSPwd
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 localPolicyFlags
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 logonHours
    307968102                           T11\H1W1SDC0IK  36120368 2019-03-11 10:00:43    8 unicodePwd
    307968102                           T11\H1W1SDC0IK  36120368 2019-03-11 10:00:43    8 ntPwdHistory
    307968102                           T11\H1W1SDC0IK  36120368 2019-03-11 10:00:43    8 pwdLastSet
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 primaryGroupID
    307968102                           T11\H1W1SDC0IK  36120369 2019-03-11 10:00:43    8 supplementalCredentials
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 objectSid
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 accountExpires
    307968102                           T11\H1W1SDC0IK  36120368 2019-03-11 10:00:43    8 lmPwdHistory
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 sAMAccountName
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 sAMAccountType
    174487593                           T11\H1W1SDC0GQ  33844723 2018-07-04 11:26:22    1 operatingSystem
    174487593                           T11\H1W1SDC0GQ  33844723 2018-07-04 11:26:22    1 operatingSystemVersion
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 dNSHostName
    177862536                           T11\H1W1SDC0HN  32650163 2018-07-09 10:42:52    5 servicePrincipalName
    174487593                           T11\H1W1SDC0GQ  33844717 2018-07-04 11:26:21    1 objectCategory
    174487593                           T11\H1W1SDC0GQ  33844718 2018-07-04 11:26:21    1 isCriticalSystemObject
    307964731                           T11\H1W1SDC0IK  36118281 2019-03-11 09:45:47   20 lastLogonTimestamp
    174487593                           T11\H1W1SDC0GQ  33844811 2018-07-04 11:27:09    1 msDS-SupportedEncryptionTypes
    304394789                           T11\H1W1SDC0HN  45349496 2019-02-20 09:53:25    8 ms-MCS-AdmPwd
    304394789                           T11\H1W1SDC0HN  45349496 2019-02-20 09:53:25    8 ms-MCS-AdmPwdExpirationTime

    Another example

    ldp:

    33 entries.
     AttID	   Ver	 Loc.USN	                  Originating DSA			 Org.USN	     Org.Time/Date
     =====	   ===	 =======	                  ===============		 =======	     =============
         0	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
         3	     1	  563950	4c5901da-7b9f-4f09-b81e-e9ea497e10cb	  563950	2018-10-12 14:43:20
        24	     2	17475239	8bad950d-c805-4028-a0f1-427efd4f5c4e	138861225	2018-12-10 09:00:59
     20001	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     20002	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     20119	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90001	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90008	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90010	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     90019	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     90037	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502863	2019-02-25 09:15:04
     90038	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90040	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     9005a	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502863	2019-02-25 09:15:04
     9005e	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502863	2019-02-25 09:15:04
     90060	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502863	2019-02-25 09:15:04
     90062	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     9007d	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502864	2019-02-25 09:15:04
     90092	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     9009f	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     900a0	     d	33248455	8bad950d-c805-4028-a0f1-427efd4f5c4e	157502863	2019-02-25 09:15:04
     900dd	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     9012e	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     9016b	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960578	2018-01-19 08:26:14
     9016c	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960578	2018-01-19 08:26:14
     9026b	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90303	     5	  563950	627f897e-1e40-4bf8-9473-8bc879db6673	51032292	2018-01-19 09:35:44
     9030e	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960562	2018-01-19 08:26:12
     90364	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960563	2018-01-19 08:26:12
     906a0	    25	36789557	627f897e-1e40-4bf8-9473-8bc879db6673	167402733	2019-03-11 09:31:56
     907ab	     1	  563950	8bad950d-c805-4028-a0f1-427efd4f5c4e	47960739	2018-01-19 08:27:00
    85a0addf	     5	31778871	627f897e-1e40-4bf8-9473-8bc879db6673	161858854	2019-02-18 09:06:21
    961773ec	     5	31778871	627f897e-1e40-4bf8-9473-8bc879db6673	161858854	2019-02-18 09:06:21

    repadmin

    33 entries.
    Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
    =======                          =============== ========= =============        === =========
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 objectClass
     563950                         00FRDCZ\XS159398    563950 2018-10-12 14:43:20    1 cn
    1747523970FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 138861225 2018-12-10 09:00:59    2 userCertificate
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 instanceType
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 whenCreated
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 nTSecurityDescriptor
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 name
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 userAccountControl
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 codePage
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 countryCode
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502863 2019-02-25 09:15:04   13 dBCSPwd
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 localPolicyFlags
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 logonHours
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502863 2019-02-25 09:15:04   13 unicodePwd
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502863 2019-02-25 09:15:04   13 ntPwdHistory
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502863 2019-02-25 09:15:04   13 pwdLastSet
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 primaryGroupID
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502864 2019-02-25 09:15:04   13 supplementalCredentials
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 objectSid
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 accountExpires
    3324845570FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA) 157502863 2019-02-25 09:15:04   13 lmPwdHistory
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 sAMAccountName
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 sAMAccountType
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960578 2018-01-19 08:26:14    1 operatingSystem
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960578 2018-01-19 08:26:14    1 operatingSystemVersion
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 dNSHostName
     563950                        70FRGDC\GDVSVR072  51032292 2018-01-19 09:35:44    5 servicePrincipalName
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960562 2018-01-19 08:26:12    1 objectCategory
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960563 2018-01-19 08:26:12    1 isCriticalSystemObject
    36789557                        70FRGDC\GDVSVR072 167402733 2019-03-11 09:31:56   37 lastLogonTimestamp
     56395070FRGDC\GDVSVR172\0ADEL:635b3b9f-ee18-4551-b8a9-dda30d2d3d63 (deleted DSA)  47960739 2018-01-19 08:27:00    1 msDS-SupportedEncryptionTypes
    31778871                        70FRGDC\GDVSVR072 161858854 2019-02-18 09:06:21    5 ms-Mcs-AdmPwd
    31778871                        70FRGDC\GDVSVR072 161858854 2019-02-18 09:06:21    5 ms-Mcs-AdmPwdExpirationTime

    You can see that ms-MCS-AdmPwd is:

    - 93f7a2fc

    - 85a0addf

    And ms-Mcs-AdmPwdExpirationTime is:

    - 98d814f7

    - 961773ec

    But the OID value is: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1

    Screenshot:

    That means that according to the documentation, the ATTID shown (and displayed by ldp.exe) should end with 0xXXXX0001 and 0xXXXX0002 for the other attribute.

    And this is not the case.

    So, the question: are there any exceptions which could explain why the ATTID shown here doesn't match the expected results?

    Note: here is a reference I made for translating attribute IDs into their names: https://github.com/vletoux/ADSecrets/blob/master/AttdIDToAttribute

    regards,

    Vincent LE TOUX

    Wednesday, March 13, 2019 10:58 AM

Answers

  • Vincent,

    Upon further investigation, it appears the number 0x8a36df9b you are observing is the msDS-IntId, which is not the same as the attributeID. The attributeID encodes an OID into a numeric value. Although the internal msDS-IntId is also a numeric value, it is NOT explicitly an encoded OID. 

    The attributeID (i.e. the encoded OID) and the msDS-IntId values are essentially the same for an attribute in the base schema. They are different for non-base schema attributes, where the msDS-IntId is essentially a randomly assigned number in the range as described.

    The AttrTyp is used in the replication metadata, and its value is explained by [MS-DRSR] AttrtypFromSchemaObj.

    [MS-ADTS] 3.1.1.2.6 ATTRTYP

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/98b55783-7029-4a04-8f8b-9df9344089c3

    Any OID-valued quantity stored on an object is stored as an ATTRTYP ([MS-DRSR] section 5.14), a 32-bit unsigned integer. The ATTRTYP space is 32 bits wide and is divided into the following ranges.

    Range                       Description
    [0x00000000..0x7FFFFFFF]    ATTRTYPs that map to OIDs via the prefix table.
    [0x80000000..0xBFFFFFFF]    ATTRTYPs used as values of msDS-IntId attribute.
    [0xC0000000..0xFFFEFFFF]    Reserved for future use.
    [0xFFFF0000..0xFFFFFFFF]    Reserved for internal use (never appear on the wire).

    The mapping from ATTRTYPs A to OID O works as follows:

    • If A in [0x00000000..0x7FFFFFFF], A maps to O via a prefix table as specified in [MS-DRSR] section 5.16.4 (the OidFromAttid procedure).
    • If A in [0x80000000..0xBFFFFFFF], let X be the object such that X!msDS-IntId equals A. If X is an attributeSchema object, O is X!attributeID; otherwise X is a classSchema object, and O is X!governsID.

    Given an OID O, the schema object X representing the class or attribute identified by O is the object X such that either X!attributeID equals O or X!governsID equals O.

    [MS-ADTS] 3.1.1.2.3 Attributes

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/cf133d47-b358-4add-81d3-15ea1cff9cd9

    attributeID

    "Unique" OID that identifies this attribute. System-only.

    msDS-IntId

    Not specified on Add (if specified in the Add request, the DC returns error unwillingToPerform / <unrestricted>); the value (a 32-bit unsigned integer in the subrange [0x80000000..0xBFFFFFFF]) is generated by the DC. Present on attributeSchema objects added when forest functional level is DS_BEHAVIOR_WIN2003 or greater with FLAG_SCHEMA_BASE_OBJECT not present in systemFlags (below). The value of msDS-IntId is the ATTRTYP of this attributeSchema object. Unique among all values of this attribute on objects in the schema NC, regardless of forest functional level. System-only.

    [MS-DRSR] 5.15 AttrtypFromSchemaObj

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/523b2d97-9b27-407a-8856-6a2779466701

     procedure AttrtypFromSchemaObj(o: DSName): ATTRTYP

    Given the dsname o of an attributeSchema or classSchema object, the AttrtypFromSchemaObj procedure returns the ATTRTYP that identifies this schema object on this DC.

     if o!msDS-IntId ≠ null then
       return o!msDS-IntId
     endif
     if attributeSchema in o!objectClass then
       return MakeAttid(dc.prefixTable, o!attributeID)
     else
       return MakeAttid(dc.prefixTable, o!governsID)
     endif

    Thanks,

    Edgar

    • Marked as answer by vletoux2 Thursday, March 28, 2019 8:48 AM
    Thursday, March 28, 2019 5:19 AM
    Moderator

All replies

  • Hi Vincent,

    Thank you for your question.  An engineer from the protocols team will contact you soon.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Wednesday, March 13, 2019 5:51 PM
    Moderator
  • Hello Vincent,

    I will take a look and get back to you.

    Thanks,

    Edgar

    Wednesday, March 13, 2019 6:26 PM
    Moderator
  • I looked at raw replication data.

    Here is the value sent for a LAPS attribute

    You can see that the attrTyp (0x8a36d59b) cannot be matched with the prefix table, shown below.

    Note: as a reminder, the last entry of the prefix table is the dSASignature

    Prefix : 0
    55 04
    Prefix : 1
    55 06
    Prefix : 2
    2A 86 48 86 F7 14 01 02
    Prefix : 3
    2A 86 48 86 F7 14 01 03
    Prefix : 4
    60 86 48 01 65 02 02 01
    Prefix : 5
    60 86 48 01 65 02 02 03
    Prefix : 6
    60 86 48 01 65 02 01 05
    Prefix : 7
    60 86 48 01 65 02 01 04
    Prefix : 8
    55 05
    Prefix : 9
    2A 86 48 86 F7 14 01 04
    Prefix : 10
    2A 86 48 86 F7 14 01 05
    Prefix : 19
    09 92 26 89 93 F2 2C 64
    Prefix : 20
    60 86 48 01 86 F8 42 03
    Prefix : 21
    09 92 26 89 93 F2 2C 64 01
    Prefix : 22
    60 86 48 01 86 F8 42 03 01
    Prefix : 23
    2A 86 48 86 F7 14 01 05 B6 58
    Prefix : 24
    55 15
    Prefix : 25
    55 12
    Prefix : 26
    55 14
    Prefix : 11
    2A 86 48 86 F7 14 01 04 82 04
    Prefix : 12
    2A 86 48 86 F7 14 01 05 38
    Prefix : 13
    2A 86 48 86 F7 14 01 04 82 06
    Prefix : 14
    2A 86 48 86 F7 14 01 05 39
    Prefix : 15
    2A 86 48 86 F7 14 01 04 82 07
    Prefix : 16
    2A 86 48 86 F7 14 01 05 3A
    Prefix : 17
    2A 86 48 86 F7 14 01 05 49
    Prefix : 18
    2A 86 48 86 F7 14 01 04 82 31
    Prefix : 27
    2B 06 01 04 01 8B 3A 65 77
    Prefix : 28
    60 86 48 01 86 F8 42 03 02
    Prefix : 29
    2B 06 01 04 01 81 7A 01
    Prefix : 30
    2A 86 48 86 F7 0D 01 09
    Prefix : 31
    09 92 26 89 93 F2 2C 64 04
    Prefix : 32
    2A 86 48 86 F7 14 01 06 17
    Prefix : 33
    2A 86 48 86 F7 14 01 06 12 01
    Prefix : 34
    2A 86 48 86 F7 14 01 06 12 02
    Prefix : 35
    2A 86 48 86 F7 14 01 06 0D 03
    Prefix : 36
    2A 86 48 86 F7 14 01 06 0D 04
    Prefix : 37
    2B 06 01 01 01 01
    Prefix : 38
    2B 06 01 01 01 02
    Prefix : 18467
    2A 86 48 86 F7 14 01 BE 40 93 7A 83 87 03 82 E7 1C 81 DB 50 81 93 57 82 98 3F 83 98 83 2F CA E1 4B 02
    Prefix : 0
    FF 00 00 00 03 AB 8A F5 B7 E1 EA 9D 41 8A CF FD 46 F6 24 CD 9E

    Saturday, March 23, 2019 11:07 AM
  • It's taking a little longer to investigate. Because LAPS-related attributes are added by extending the schema, they are not part of the default schema with pre-generated data that I can validate against. What I have noticed so far is that the OID conversion to ATTID routines are the same for all attributes.

    I'll keep you updated.

    Thanks,

    Edgar

    Sunday, March 24, 2019 4:48 AM
    Moderator
  • Vincent,

    Thank you so much for sharing this replication data. Without debugging info, it's a bit difficult to comment on the attrTyp (0x8a36d59b) you have displayed.

    The good news is that your raw replication data includes a prefix that matches the prefix string of the LAPS-related attributes. If you need to discuss this further, please send an email to dochelp < at > Microsoft < dot > com.

    Based on the Prefix Table data, you can derive the ATTRTYP using the prefix index corresponding to the matched prefix string.

    When we do ASN.1 encoding of the LAPS-related OIDs (see breakdown below), we find out that the prefix is:

    Prefix String = 2A864886F71401BE40937A83870382E71C81DB5081935782983F8398832FCAE14B02 (\x omitted for brevity)

    This prefix matches one entry from the Prefix table you provided from raw replication data.

    Prefix Index: 18467

    2A 86 48 86 F7 14 01 BE 40 93 7A 83 87 03 82 E7 1C 81 DB 50 81 93 57 82 98 3F 83 98 83 2F CA E1 4B 02

    This makes me conclude that the ATTRTYP should be the following:

    ms-MCS-AdmPwd

    1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1

    AttrTyp: 0x48230001

    ms-MCS-AdmPwdExpirationTime

    1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2

    AttrTyp: 0x48230002

    ms-MCS-AdmPwdHistory

    1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.3

    AttrTyp: 0x48230003

    For the record, here is an example of the OID encoding for one of the attributes:

    1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1

    Encoded by following [ITU-X690 Section 8.19 Encoding of an object identifier value]

    OID's Sub identifier value   Subid Binary encoding                        Subid Hex encoding
    1.2                          40*1 + 2 => 0010 1010                        2A
    840                          1000 0110 0100 1000                          8648
    113556                       1000 0110 1111 0111 0001 0100                86F714
    1                            0000 0001                                    01
    8000                         1011 1110 0100 0000                          BE40
    2554                         1001 0011 0111 1010                          937A
    50051                        1000 0011 1000 0111 0000 0011                838703
    45980                        1000 0010 1110 0111 0001 1100                82E71C
    28112                        1000 0001 1101 1011 0101 0000                81DB50
    18903                        1000 0001 1001 0011 0101 0111                819357
    35903                        1000 0010 1001 1000 0011 1111                82983F
    6685103                      1000 0011 1001 1000 1000 0011 0010 1111      8398832F
    1224907                      1100 1010 1110 0001 0100 1011                CAE14B
    2                            0000 0010                                    02
    1                            0000 0001                                    01

    Thanks,

    Edgar

    Wednesday, March 27, 2019 4:29 AM
    Moderator
  • Hi Edgar,

    Of course, I agree with you on what the expected values are.

    (we both spent a lot of time in debugging replication processes ...)

    But you can see that the attribute id (0x8a36d59b) used on the wire doesn't match the expected one: 0x48230001.

    Note: A quick way to get internal ATTID is to run ldp.exe -> replication which displays the internal ATTID.

    In each example I was looking at, the ATTID doesn't seem to follow a logic. All of the ms-MCS-AdmPwd* attributes should end with 0001 or 0002 when encoded. And this is not the case.

    The image https://social.msdn.microsoft.com/Forums/getfile/1419156 shows clearly the ATTID used on the wire.

    Vincent

    Wednesday, March 27, 2019 1:05 PM
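
As an added example (not code from the thread or from Microsoft), the conversion discussed above in Python: the question's three-step ATTRTYP construction, the X.690 sub-identifier encoding from Edgar's breakdown, the [MS-ADTS] range split and the AttrtypFromSchemaObj rule from the accepted answer, applied to the ms-MCS-AdmPwd OID. The prefix table is a subset copied from the raw replication dump posted above; the schema-object dict and the 15-bit limit on the low word are assumptions.

```python
"""ATTRTYP <-> OID conversion for the thread's LAPS case ([MS-DRSR] 5.16.4 and 5.15).
Added example, not code from the thread or from Microsoft. PREFIX_TABLE is a subset
copied from the raw replication dump posted above; the schema dict is constructed."""

# prefix index -> X.690 content octets of the OID with its last arc removed
PREFIX_TABLE = {
    0: bytes.fromhex("5504"),              # 2.5.4  (so objectClass 2.5.4.0 is 0x00000000)
    9: bytes.fromhex("2A864886F7140104"),  # 1.2.840.113556.1.4
    18467: bytes.fromhex("2A864886F71401BE40937A83870382E71C81DB50"
                         "81935782983F8398832FCAE14B02"),  # the LAPS prefix, 0x4823
}
LAPS_ADMPWD_OID = "1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1"

def _encode_subid(value):
    """One X.690 8.19 sub-identifier: base 128, high bit set on all but the last octet."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(groups))

def ber_encode_oid(oid):
    """Dotted OID -> content octets (no tag/length), the form the prefix table stores."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    # The first two arcs collapse into one sub-identifier: 1.2 -> 40*1 + 2 = 0x2A.
    return b"".join(_encode_subid(s) for s in [40 * arcs[0] + arcs[1]] + arcs[2:])

def ber_decode_oid(data):
    """Content octets -> dotted OID; rejects a truncated final sub-identifier."""
    subids, value, pending = [], 0, False
    for byte in data:
        value, pending = (value << 7) | (byte & 0x7F), True
        if not byte & 0x80:
            subids.append(value)
            value, pending = 0, False
    if pending or not subids:
        raise ValueError("malformed OID encoding")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])

def attrtyp_range(attid):
    """Classify by the [MS-ADTS] 3.1.1.2.6 ranges quoted in the accepted answer."""
    if attid <= 0x7FFFFFFF:
        return "prefix-table"
    if attid <= 0xBFFFFFFF:
        return "msDS-IntId"
    return "reserved" if attid <= 0xFFFEFFFF else "internal"

def make_attid(prefix_table, oid):
    """The question's three steps: split off the last arc, find the encoded remainder
    in the prefix table, combine as (index << 16) | last_arc."""
    prefix_oid, last = oid.rsplit(".", 1)
    last_value = int(last)
    if last_value >= 0x8000:  # assumption: keep the low word within 15 bits
        raise ValueError("last arc %d does not fit the ATTRTYP low word" % last_value)
    encoded = ber_encode_oid(prefix_oid)
    for index, prefix in prefix_table.items():
        if prefix == encoded:
            return (index << 16) | last_value
    raise KeyError("prefix not in table: " + prefix_oid)

def oid_from_attid(prefix_table, attid):
    """Inverse of make_attid; only defined for the prefix-table range."""
    if attrtyp_range(attid) != "prefix-table":
        raise ValueError("0x%08x is an msDS-IntId or reserved value, not an encoded OID" % attid)
    return ber_decode_oid(prefix_table[attid >> 16] + _encode_subid(attid & 0xFFFF))

def attrtyp_from_schema_obj(prefix_table, obj):
    """[MS-DRSR] 5.15 as quoted in the accepted answer: a present msDS-IntId wins,
    otherwise attributeID (or governsID for a class) is encoded via the prefix table."""
    if obj.get("msDS-IntId") is not None:
        return obj["msDS-IntId"]
    if "attributeSchema" in obj["objectClass"]:
        return make_attid(prefix_table, obj["attributeID"])
    return make_attid(prefix_table, obj["governsID"])

def demo():
    """The thread in one call: the expected 0x48230001 versus the msDS-IntId on the wire."""
    laps = {"objectClass": ["top", "attributeSchema"], "attributeID": LAPS_ADMPWD_OID}
    expected = attrtyp_from_schema_obj(PREFIX_TABLE, laps)  # no msDS-IntId: encoded OID
    laps["msDS-IntId"] = 0x8A36D59B                          # the value seen on the wire
    on_wire = attrtyp_from_schema_obj(PREFIX_TABLE, laps)
    return {"expected": expected, "on_wire": on_wire, "on_wire_range": attrtyp_range(on_wire),
            "accountExpires": oid_from_attid(PREFIX_TABLE, 0x9009F)}
```

The same table lookup explains the base-schema rows in the metadata listings above: 0x9009f decodes to 1.2.840.113556.1.4.159 (accountExpires), while the LAPS ATTIDs fall in the msDS-IntId range and cannot be decoded by the prefix table at all.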
  • I'm impressed by your answer.

    Vincent

    Thursday, March 28, 2019 8:49 AM