How do you remove duplicate SIDs when ntdsutil can't find them?
Trying to do a clean install of Exchange 2013 (old Exchange 2003 crashed and is not recoverable).  3 DCs.  The Master is running Server 2008 R2 and the other 2 are running 2003 R2.  The new Exchange Server is running Server 2012.

When installing Exchange 2013 /prepareschema ran fine.  When trying /prepareAD it always ends with this error:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.NOUVEAUEYEWEAR>g:\setup.exe /prepareAD /OrganizationName:
Nouveau /IAcceptExchangeServerLicenseTerms

Welcome to Microsoft Exchange Server 2013 Service Pack 1 Unattended Setup
Copying Files...
File copy complete. Setup will now collect additional information needed for
installation.

Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis                                     COMPLETED
 Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareA
D'. No Exchange 2007 server roles have been detected in this topology. After thi
s operation, you will not be able to install any Exchange 2007 servers.
 For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms
.exch.setupreadiness.NoE12ServerWarning.aspx

 Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareA
D'. No Exchange 2010 server roles have been detected in this topology. After thi
s operation, you will not be able to install any Exchange 2010 servers.
 For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms
.exch.setupreadiness.NoE14ServerWarning.aspx


Configuring Microsoft Exchange Server

    Organization Preparation                                  FAILED
     The following error was generated when "$error.Clear();
          $createTenantRoot = ($RoleIsDatacenter -or $RoleIsPartnerHosted);
          $createMsoSyncRoot = $RoleIsDatacenter;

          #$RoleDatacenterIsManagementForest is set only in Datacenter deploymen
t; interpret its absense as $false
          [bool]$isManagementForest = ($RoleDatacenterIsManagementForest -eq $tr
ue);

          if ($RolePrepareAllDomains)
          {
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$
createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isMa
nagementForest;
          }
          elseif ($RoleDomain -ne $null)
          {
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot
:$createTenantRoot -CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$is
ManagementForest;
          }
          else
          {
              initialize-DomainPermissions -CreateTenantRoot:$createTenantRoot -
CreateMsoSyncRoot:$createMsoSyncRoot -IsManagementForest:$isManagementForest;
          }
        " was run: "Multiple objects with Sid S-1-5-21-1409082233-329068152-8395
22115-513 were found.".


The Exchange Server setup operation didn't complete. More details can be found
in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.


The SID belongs to the Domain Users group.
NOUVEAUEYEWEAR  Domain Users                                    S-1-5-21-1409082233-329068152-839522115-513

NTDSUtil check duplicate SID finds nothing.

LDP.exe only finds the Domain Users.

Anyone have any help on this?
June 10th, 2014 8:34pm

Check if you can find the SID on multiple objects using this...

Get-ADObject -filter * -Properties objectsid| Select name,objectsid,DistinguishedName | export-csv sids.csv
June 10th, 2014 9:35pm

You might need to install the AD module for PowerShell first and import it to run the above cmdlet...

Import-Module ServerManager

Add-WindowsFeature RSAT-AD-PowerShell

Import-Module ActiveDirectory



June 10th, 2014 9:39pm
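Building on the two suggestions above (export every objectSid with Get-ADObject after loading the ActiveDirectory module), here is an added PowerShell example that is not from the thread or from Microsoft. Instead of exporting to CSV and reading it by eye, it queries every domain in the forest for objects that carry a given SID in either objectSid or sIDHistory, and separately lists every SID that appears on more than one object. sIDHistory is included because a migrated object can carry another object's SID there, and a plain objectSid export never shows that. The function names, the forest-wide loop and the use of the setup error's SID as the lookup value are the example's own assumptions; it needs RSAT-AD-PowerShell and an account that can read each domain partition.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Add-WindowsFeature RSAT-AD-PowerShell on 2008 R2 / 2012).
Import-Module ActiveDirectory

function Find-SidCarriers {
    # Return every object in the forest whose objectSid OR sIDHistory holds $Sid.
    param([Parameter(Mandatory)][string]$Sid)

    foreach ($domain in (Get-ADForest).Domains) {
        # -Server pins the query to one domain partition; AD accepts the
        # S-1-5-... string form of a SID in LDAP filters on SID-valued attributes.
        Get-ADObject -Server $domain `
            -LDAPFilter "(|(objectSid=$Sid)(sIDHistory=$Sid))" `
            -Properties objectSid, sIDHistory |
        ForEach-Object {
            [pscustomobject]@{
                Domain            = $domain
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
                ObjectSid         = $_.objectSid.Value
                SidHistory        = (@($_.sIDHistory) | ForEach-Object { $_.Value }) -join ';'
            }
        }
    }
}

function Find-DuplicateSids {
    # Every SID (objectSid or sIDHistory value) seen on more than one object,
    # across all domains in the forest. Hashtable: SID -> list of "domain : DN".
    $seen = @{}

    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(objectSid=*)' `
            -Properties objectSid, sIDHistory |
        ForEach-Object {
            $sids = @($_.objectSid.Value) + @(@($_.sIDHistory) | ForEach-Object { $_.Value })
            foreach ($s in $sids) {
                if (-not $seen.ContainsKey($s)) {
                    $seen[$s] = New-Object 'System.Collections.Generic.List[string]'
                }
                $seen[$s].Add("$domain : $($_.DistinguishedName)")
            }
        }
    }

    $seen.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Sid = $_.Key; Count = $_.Value.Count; Objects = $_.Value -join ' | ' }
        }
}

# The SID named in the /prepareAD error (Domain Users, RID 513); replace as needed.
Find-SidCarriers -Sid 'S-1-5-21-1409082233-329068152-839522115-513' | Format-List

# Forest-wide sweep: anything listed here is a SID held by two or more objects.
Find-DuplicateSids | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it from a machine joined to the forest with an account that can read all domain partitions. If Find-SidCarriers returns only the Domain Users group itself and Find-DuplicateSids returns nothing, the SID really is unique in the directory partitions, which narrows the problem to what the setup code reads from the Configuration partition or from objects it cannot resolve.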

That still only returns the Domain Users Group as the owner of that SID.
June 10th, 2014 9:58pm

Do you see anything unusual in ExBPA?
June 10th, 2014 10:31pm

I haven't run that.  Is it available on the CD or will I need to download it?

June 10th, 2014 10:42pm

Ah, never mind, you said your Exchange 2003 crashed and was never recovered and there isn't any Exchange in the environment currently...

Do you still see the server object in ADSIEdit for old Exchange 2003? Wondering if this is something related to that...

June 10th, 2014 10:54pm

There are some lingering remnants but the SID doesn't match.  My thought moving forward is to create a Temporary Domain and migrate the AD using ADMT.  Hopefully this will clean up any garbage and then I will migrate back to the original.

I'd sure like to figure out how to solve the dup SID first though.  There has got to be something I'm missing.

June 10th, 2014 11:00pm

I did a search of the registry on all my DCs.  All 3 had these entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMemebership\Group12 REG_SZ S-1-5-21-1409082233-329068152-839522115-513

HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-1409082233-329068152-839522115-500\GroupMemebership\Group12 REG_SZ S-1-5-21-1409082233-329068152-839522115-513

HKUSERS\S-1-5-21-1409082233-329068152-839522115-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMemebership\Group12 REG_SZ S-1-5-21-1409082233-329068152-839522115-513

The Master had this added entry (I'm assuming because it is a 64-bit OS):

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-1409082233-329068152-839522115-500\GroupMemebership\Group12 REG_SZ S-1-5-21-1409082233-329068152-839522115-513

One DC had this extra entry which I think may be the issue:

HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-1409082233-329068152-839522115-1492\Group Membership\Group0 REG_SZ S-1-5-21-1409082233-329068152-839522115-513

The new Exchange server returned the same results as the Master DC but Group9 instead of Group12.

I removed the extra entry on the one DC and tweaked the Exchange Server to match the Master registry with no success.

Using ADSIEdit I manually removed Exchange objects from CN=Configuration and CN=Default Naming Context.

This is the last thing that runs in the /prepareAD setup:

[06/11/2014 15:45:55.0803] [2] Used domain controller NOU08DC.nouveaueyewear.com to read object CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=nouveaueyewear,DC=com.

This is in the AD Schema.  Also I've noticed the timestamp in the log generated is a few hours off.  The above example was run 15 minutes ago.


  • Edited by TheDude_68 Wednesday, June 11, 2014 6:05 PM Addtl info
June 11th, 2014 5:03pm

Question:   Can I delete all MS Exch items from the AD Schema?  It seems like this is what is causing the issue. 
June 11th, 2014 9:09pm

I'm marking this closed since it can't be fixed.  Moving on.  Thanks for the help everyone!!

Cheers.

  • Marked as answer by TheDude_68 10 hours 58 minutes ago
June 14th, 2014 8:04pm
