[MS-DRSR] Potentially incorrect example

  • Question

  • Hello,

    I'm referring to the Add example of GetNCChange located in 4.1.10.7.3 of MS-DRSR.
    Indeed this example is about an object created in a DC and replicated in another.

    In the server answer, there is no mention of the "ObjectSid" attribute whose value is referenced in 4.1.10.7.1.
    Indeed, the RID (last authority of the SID) is needed to encrypt/decrypt the properties dBCSPwd, unicodePwd and ntPwdHistory, so the target DC should know the ObjectSid of a user account.

    The pNC property of the server response is of type DSNAME, which contains the SID of the object. So it can be objected that this property is not present with the other attributes because it is part of the pNC property.

    But when I trigger a replication with an existing object (not a "creation" like in this example; I'm trying to create an object), I see the objectSid attribute replicated (not only in pNC). Proof: its encoded attribute is 589970.

    Moreover, I did not see in MS-ADTS nor in MS-DRSR a special processing related to ObjectSid.

    Question: is this example accurate?

    regards,

    Vincent LE TOUX

    Saturday, January 13, 2018 5:26 PM
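The RID dependency raised in the question, as an added example that is not part of the original thread and not Microsoft's code: the inner layer of a replicated unicodePwd, dBCSPwd or ntPwdHistory value is the 16-byte hash encrypted under two DES keys derived from the account RID, the scheme MS-SAMR 2.2.11.1 specifies for SAMR hash encryption. The Go program below (standard-library DES only) derives Key1 and Key2 from the RID, applies and removes the layer, and shows that a wrong RID cannot undo it, which is why a DC that receives such a value must also know the object's SID. The hash (the NT hash of "password") and RID 1106 are constructed inputs; the session-key RC4 layer that MS-DRSR wraps around this on the wire is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// expandKey spreads a 7-byte key over 8 bytes, 7 bits per byte with the low
// (parity) bit cleared, as MS-SAMR 2.2.11.1.1 describes.
func expandKey(in [7]byte) []byte {
	out := []byte{
		in[0] >> 1,
		(in[0]&0x01)<<6 | in[1]>>2,
		(in[1]&0x03)<<5 | in[2]>>3,
		(in[2]&0x07)<<4 | in[3]>>4,
		(in[3]&0x0f)<<3 | in[4]>>5,
		(in[4]&0x1f)<<2 | in[5]>>6,
		(in[5]&0x3f)<<1 | in[6]>>7,
		in[6] & 0x7f,
	}
	for i := range out {
		out[i] = (out[i] << 1) & 0xfe
	}
	return out
}

// RidKeys derives Key1 and Key2 from the account RID (MS-SAMR 2.2.11.1.3):
// the RID is laid out little-endian and its four bytes are rotated into two
// 7-byte keys, each expanded to an 8-byte DES key.
func RidKeys(rid uint32) ([]byte, []byte) {
	b := [4]byte{byte(rid), byte(rid >> 8), byte(rid >> 16), byte(rid >> 24)}
	k1 := expandKey([7]byte{b[0], b[1], b[2], b[3], b[0], b[1], b[2]})
	k2 := expandKey([7]byte{b[3], b[0], b[1], b[2], b[3], b[0], b[1]})
	return k1, k2
}

// DesLayer applies (encrypt=true) or removes (encrypt=false) the RID-keyed DES
// layer on a 16-byte NT or LM hash: Key1 covers bytes 0..7 and Key2 bytes
// 8..15, each as one DES-ECB block (MS-SAMR 2.2.11.1.2).
func DesLayer(hash16 []byte, rid uint32, encrypt bool) ([]byte, error) {
	if len(hash16) != 16 {
		return nil, fmt.Errorf("expected a 16-byte hash, got %d bytes", len(hash16))
	}
	k1, k2 := RidKeys(rid)
	out := make([]byte, 16)
	for i, key := range [][]byte{k1, k2} {
		c, err := des.NewCipher(key)
		if err != nil {
			return nil, err
		}
		src, dst := hash16[i*8:(i+1)*8], out[i*8:(i+1)*8]
		if encrypt {
			c.Encrypt(dst, src)
		} else {
			c.Decrypt(dst, src)
		}
	}
	return out, nil
}

// Constructed sample input: the NT hash of "password" and an arbitrary RID.
const sampleNTHash = "8846f7eaee8fb117ad06bdd830b7586c"
const sampleRID uint32 = 1106

func main() {
	hash, _ := hex.DecodeString(sampleNTHash)
	stored, _ := DesLayer(hash, sampleRID, true)
	fmt.Printf("hash under RID %d DES layer: %x\n", sampleRID, stored)

	good, _ := DesLayer(stored, sampleRID, false)
	fmt.Printf("removed with RID %d: %x (matches: %v)\n", sampleRID, good, bytes.Equal(good, hash))

	// Without the right RID (i.e. without the object's SID) the layer stays opaque.
	bad, _ := DesLayer(stored, sampleRID+1, false)
	fmt.Printf("removed with RID %d: %x (matches: %v)\n", sampleRID+1, bad, bytes.Equal(bad, hash))
}
```

The parity-bit handling in expandKey only matters for strict DES implementations; Go's crypto/des ignores parity, but the layout is kept so the keys match what SAMR and the replication code produce byte for byte.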

Answers

  • Vincent,

    Your observation is correct, as reflected in MS-ADTS 3.1.1.5.2.4 Processing Specifics: objectSid is part of the Add replication. So are other attributes too.

    The example in MS-DRSR 4.1.10.7.3 is an edited example. It does not include all the attributes. For instance you will notice that ObjectSid, parentGUID, lmPwdHistory, and userAccountControl are not listed. This is certainly done for brevity.

    Per source code research and testing, I did not observe any trimming of attributes for an Add change update.

    Please send a message to dochelp < at > Microsoft ( dot ) com. Please address the message to my attention and mention this thread.

    Thanks,

    Edgar


    Tuesday, January 16, 2018 11:15 PM
    Moderator
  • We worked with Vincent offline, and here is the closing summary:

    The reason for this ERROR_DS_DRA_SCHEMA_MISMATCH error is the processing of DRA_ReplicaAdd, whereby the server failed to find a mapping in the prefix table for all ATTRTYPs to the corresponding local values. Specifically, it is not finding a match to map the attribute with ndx = 0x000a. The ndx is the first 16 bits of the ATTRTYP value.

    Thanks,

    Edgar

    Saturday, February 3, 2018 6:20 AM
    Moderator

All replies

  • Hello Vincent LE TOUX,
    Thank you for your inquiry about Microsoft Open Specifications. We have created an incident for investigating this issue. One of the Open Specifications team members will contact you shortly.
     
     
    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Saturday, January 13, 2018 5:50 PM
    Moderator
  • I finally found a reference in MS-ADTS about the processing of ObjectSid

    Quoting  MS-ADTS 3.1.1.5.2.4 Processing Specifics:

    "In AD DS, if the object is a security principal (according to its objectClass values), then for originating updates the objectSid value is generated and set on the object (see [MS-SAMR] sections 3.1.1.6 and 3.1.1.9). For replicated updates, the received objectSid is set on the object."

    My interpretation is that objectSid is mandatory for replicated updates on user accounts so the example is incorrect.

    --

    Note: I'm trying to debug an 8418 error (schema mismatch error) resulting in an 1173 event:

    Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
     
    Exception:
    e0010002
    Parameter:
    0
     
    Additional Data
    Error value:
    8418
    Internal ID:
    10819c8

    Vincent

    Saturday, January 13, 2018 9:21 PM
  • I made a test with a far simpler object: a contact. There are only 6 properties returned by GetNCChanges:

    • 20001 => instanceId
    • 20119 => nTSecurityDescriptor
    • 9030e => objectCategory
    • 0 => objectClass
    • 90001 => name
    • 20002 => whenCreated

    You can see that:

    • whenChanged is not returned (maybe implicit with whenCreated for objects created)
    • objectGuid is not returned

    OK, objectGuid can be returned by pNC but there is a logic about objectSid / objectGuid which I cannot find in the documentation.

    Sunday, January 14, 2018 9:20 AM
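An added example, not part of the thread and not Microsoft's code, showing how the ATTRTYP values listed in the contact test above decode and how the prefix-table lookup failure named in the closing summary arises. An ATTRTYP is a 32-bit value whose upper 16 bits (ndx) select an entry in a prefix table and whose lower 16 bits hold the last arc of the attribute's OID (MS-DRSR 5.16.4). The Go program below carries a subset of the built-in prefix table as dotted strings rather than the BER-encoded prefixes used on the wire, decodes the seven values from the thread (0x20001 decodes to 1.2.840.113556.1.2.1, instanceType), and then maps the governsID of the user class (0xa0009) through a constructed sender table that lacks ndx 10, reproducing an "ndx = 0x000a" mismatch. That ndx 10 is 1.2.840.113556.1.5 comes from the built-in table; that this was the exact attribute in Vincent's failing request is not stated in the thread and is assumed here for illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PrefixTable maps a prefix index (ndx) to an OID prefix. MS-DRSR carries
// this as a SCHEMA_PREFIX_TABLE of BER-encoded prefixes; dotted strings
// are used here for readability.
type PrefixTable map[uint16]string

// BuiltinPrefixes is the subset of the built-in prefix table (MS-DRSR 5.16.4)
// needed for the ATTRTYPs discussed in this thread.
var BuiltinPrefixes = PrefixTable{
	0:  "2.5.4",              // objectClass is 2.5.4.0 -> ATTRTYP 0x0
	1:  "2.5.6",              // X.500 classes (top, person, ...)
	2:  "1.2.840.113556.1.2", // instanceType, whenCreated, nTSecurityDescriptor, ...
	3:  "1.2.840.113556.1.3", // attributeSchema, classSchema, ...
	9:  "1.2.840.113556.1.4", // name, objectGUID, objectSid, objectCategory, ...
	10: "1.2.840.113556.1.5", // AD structural classes (user, computer, contact, ...)
}

// ErrSchemaMismatch stands in for ERROR_DS_DRA_SCHEMA_MISMATCH (8418 = 0x20E2).
var ErrSchemaMismatch = errors.New("ERROR_DS_DRA_SCHEMA_MISMATCH")

// AttrtypToOID decodes an ATTRTYP: the upper 16 bits (ndx) select a prefix,
// the lower 16 bits are the OID's last arc. Only last arcs below 0x8000 are
// handled; the spec's encoding for larger arcs is not modelled here.
func AttrtypToOID(attr uint32, pt PrefixTable) (string, error) {
	ndx := uint16(attr >> 16)
	last := attr & 0xffff
	prefix, ok := pt[ndx]
	if !ok {
		return "", fmt.Errorf("%w: no prefix-table entry for ndx = 0x%04x (ATTRTYP 0x%x)", ErrSchemaMismatch, ndx, attr)
	}
	if last >= 0x8000 {
		return "", fmt.Errorf("ATTRTYP 0x%x: last-arc encoding 0x%x not supported here", attr, last)
	}
	return prefix + "." + strconv.FormatUint(uint64(last), 10), nil
}

// OIDToAttrtyp is the inverse: locate the prefix in the table, keep the last arc.
func OIDToAttrtyp(oid string, pt PrefixTable) (uint32, error) {
	i := strings.LastIndexByte(oid, '.')
	if i < 0 {
		return 0, fmt.Errorf("malformed OID %q", oid)
	}
	last, err := strconv.ParseUint(oid[i+1:], 10, 16)
	if err != nil || last >= 0x8000 {
		return 0, fmt.Errorf("OID %q: last arc not representable here", oid)
	}
	for ndx, prefix := range pt {
		if prefix == oid[:i] {
			return uint32(ndx)<<16 | uint32(last), nil
		}
	}
	return 0, fmt.Errorf("%w: no prefix-table entry for prefix %s", ErrSchemaMismatch, oid[:i])
}

// RemapAttrtyp does what the receiving DC does with every ATTRTYP in a request:
// resolve it through the sender's prefix table to an OID, then re-encode that
// OID with the local table. A missing ndx in either step is a schema mismatch.
func RemapAttrtyp(attr uint32, sender, local PrefixTable) (uint32, error) {
	oid, err := AttrtypToOID(attr, sender)
	if err != nil {
		return 0, err
	}
	return OIDToAttrtyp(oid, local)
}

// The six ATTRTYPs from the contact test, plus objectSid (589970 = 0x90092).
var contactAttrtyps = []uint32{0x20001, 0x20119, 0x9030e, 0x0, 0x90001, 0x20002, 0x90092}

func main() {
	for _, a := range contactAttrtyps {
		oid, err := AttrtypToOID(a, BuiltinPrefixes)
		if err != nil {
			fmt.Printf("%-7x -> %v\n", a, err)
			continue
		}
		fmt.Printf("%-7x -> %s\n", a, oid)
	}
	// Constructed failure: a sender table without ndx 10. The user class
	// governsID (1.2.840.113556.1.5.9 = 0xa0009) then cannot be mapped.
	incomplete := PrefixTable{0: "2.5.4", 2: "1.2.840.113556.1.2", 9: "1.2.840.113556.1.4"}
	if _, err := RemapAttrtyp(0xa0009, incomplete, BuiltinPrefixes); err != nil {
		fmt.Println("request rejected:", err)
	}
}
```

When debugging an 8418 from your own DRS client, dump the prefix table you send alongside every ATTRTYP in the request and run them through a mapping like the one above; the first ATTRTYP whose ndx has no entry is the one the server stops on.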
  • Maybe MS-DRSR 4.1.1.2.10 PerformModifyEntInf can be a hint

    "The objectGUID and objectSid of the object being modified are returned in the info output structure. "

    (but the phrase is not very clear and the initial example is still incorrect)

    Monday, January 15, 2018 1:27 PM
  • Hello Vincent,

    Thank you for the information. I will be reviewing this and follow-up with you as soon as I have an update.

    Regards,

    Edgar

    Tuesday, January 16, 2018 4:25 AM
    Moderator
  • Based on the work with Edgar, here are the inconsistencies found in the example:

    1. the objectGuid is not pushed in pObjects but in pNC (with the objectSid)
    2. pParentGuid of the pObjects is set (not null)
    3. nTSecurityDescriptor is the binary encoding of the SD. Beware that many tools (including ADExplorer) do not show the Owner part of the security descriptor when viewing an object (which is mandatory when setting an SD).

    Thanks

    Vincent

    Saturday, February 3, 2018 7:54 AM