Cannot create user in domain - The requested object has a non-unique identifier and cannot be retrieved

We recently tried to decommission an SBS 2003 to split the Exchange and Win 2003 into 2 separate machines.  We thought everything went smoothly until we tried to create a new user, when this error comes up:

"Windows cannot set the password for (account name) because:
The requested object has a non-unique identifier and cannot be retrieved."

...after I press OK, another box pops up complaining:

"Windows cannot remove the newly created object automatically.  Remove it manually or contact your system administrator."

In Event Viewer under SYSTEM, I see 2x "Source: SAM, Event ID: 12293" with the same time stamp:
#1:
"There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Team Foundation Server Setup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate accounts have been deleted. Check the event log for additional duplicates."

#2:
"There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate accounts have been deleted. Check the event log for additional duplicates."

I ran NTDSUTIL's SID cleanup and the log has 0 entries, meaning nothing to delete?

Please help!
randy915 asked:
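The condition behind SAM event 12293 (two directory objects carrying the same objectSid) can be checked offline from an ldifde export. The Python below is an added example, not code from the thread or from Microsoft's tools: it reads LDIF (folded lines, `::` base64 values), decodes each binary objectSid into its S-1-5-... form, and lists every SID that more than one object owns, tombstones included. The LDIF it parses is constructed inline; the domain SID and RIDs are made up, and the DNs are borrowed from the thread. On a real DC the input would come from something like `ldifde -f sids.ldf -d "DC=domain,DC=com" -r "(objectSid=*)" -l objectSid`; whether your ldifde version can also export tombstones is not covered here.

```python
import base64
import re
import struct
from collections import defaultdict
from typing import Dict, List

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...' into the binary objectSid layout: revision byte,
    sub-authority count, 48-bit big-endian identifier authority, then each
    sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes: binary objectSid back to 'S-1-5-...'."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: joins continuation lines (leading space), decodes
    '::' base64 values, skips '#' comments and splits entries on blank lines.
    Attribute names are lower-cased; every value is kept as bytes."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, val = m.groups()
        value = base64.b64decode(val) if sep == "::" else val.encode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def duplicate_sids(entries: List[Dict[str, List[bytes]]]) -> Dict[str, List[str]]:
    """Group DNs by decoded objectSid; keep only SIDs with more than one owner."""
    by_sid: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        for raw in entry.get("objectsid", []):
            by_sid[bytes_to_sid(raw)].append(entry["dn"][0].decode("utf-8"))
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}


def build_sample_ldif() -> str:
    """Constructed export: a live user, a tombstone that kept the same RID, and an
    unrelated user. ldifde base64-encodes a dn containing a newline (the \\0A in
    a tombstone name), so that dn uses '::'; one objectSid line is folded."""
    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")
    live_sid = b64(sid_to_bytes(DOMAIN_SID + "-1104"))
    other_sid = b64(sid_to_bytes(DOMAIN_SID + "-1105"))
    tombstone_dn = ("CN=sbsmonacct\nDEL:be43f8e4-9c8b-41b1-911b-e6995b902039,"
                    "CN=Deleted Objects,DC=domain,DC=com")
    return "\n".join([
        "# constructed ldifde output",
        "dn: CN=sbsmonacct,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com",
        "objectClass: user",
        "objectSid:: " + live_sid,
        "",
        "dn:: " + b64(tombstone_dn.encode("utf-8")),
        "objectClass: user",
        "isDeleted: TRUE",
        "objectSid:: " + live_sid[:20],
        " " + live_sid[20:],
        "",
        "dn: CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com",
        "objectClass: user",
        "objectSid:: " + other_sid,
        "",
    ])


if __name__ == "__main__":
    for sid, owners in duplicate_sids(parse_ldif(build_sample_ldif())).items():
        print(sid)
        for dn in owners:
            print("   ", dn.replace("\n", "\\0A"))
```

The tombstone shares the live account's RID, so it is reported under the same SID; the third user has its own RID and is not listed. That is the situation the SAM check describes, and it is why a clean ntdsutil run does not rule out a tombstone still holding the SID.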
Joseph Hornsey (President and Janitor) commented:
You may need to go in and find and delete the objects yourself.  To do this, install the Windows Support Tools (in the \Support\Tools folder on the installation CD).  Then, open a Management Console (Start | Run | Type "mmc" and hit Enter) and then add the snap-in (press Control+M and then click on "Add") for ADSI Edit (which should be on the list).

Once you're in ADSI Edit, you'll need to connect to the domain controller (right-click on "ADSI Edit" and select "Connect to...") and set the Connection Point to Domain (should be the default).  Then, browse through the domain objects until you find the objects listed above.  You can then delete them manually.

The key to finding those objects is to read them right-to-left.  So, for the following path:
CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com
Browse through ADSI as follows:
DC=domain,DC=com
 |_OU=MyBusiness
     |_OU=Users
         |_OU=SBSUsers
In the SBSUsers OU, you should find the user.

Hope that helps!
<-=+=->
randy915 (Author) commented:
I don't see Tester or Team Foundation Server Setup under SBSUsers.  The list of objects in ADSIEDIT is the same as in my AD Users and Computers.  When I try creating any account with any name, I get this error.  In fact I can't even remove my SBS off the DC list even though GC, FSMO, operational master roles have been transferred to the Win 2003.  But that's a separate issue...
Joseph Hornsey (President and Janitor) commented:
Interesting.  Let's see if you can find it using a more basic tool.  Once you installed the Windows Support Tools, it created a program group in your All Programs folder on the Start menu.  Go there and select the Command Prompt.

At the command prompt, type "ldp" and hit enter.  This launches LDP, a very basic LDAP client.

On the Connection menu, select "Connect..." and put in the name of your domain controller and click OK.  Then, go to the Connection menu and select "Bind".  Type in your username and password and domain name and click OK.

Once you've done this, go to the View menu and select "Tree".  Hit the drop-down menu and that will give you the different trees you can view.  Start with the domain and see if you can find the user object through this utility.

<-=+=->
randy915 (Author) commented:
Not sure if I'm doing this correctly but I go to View | Tree, BaseDN: DC=primarydc,DC=com, then I highlight the tree, press CTRL-S to search.  Paste in the fully qualified parameters e.g.:
CN=Team Foundation Server Setup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com
Select SubTree and click Run.

Nothing found.  Am I doing this wrong?  Thanks for your help BTW.
Joseph Hornsey (President and Janitor) commented:
You're not doing anything wrong that I can see.  Have you tried browsing down through the tree?

Also, you  mentioned that you can't remove a domain controller.  You can delete the computer account object from the Domain Controllers OU using either of these tools.  Perhaps you do that first, and get rid of that problem and it could have an impact on this problem.

<-=+=->
randy915 (Author) commented:
OK, so I was able to remove SBS2003 off the DC list, but now I realize something strange is going on.  I tried creating another account, but now the event viewer is reporting that the Team Foundation Server Reports account is removed, and when I pressed F5 inside AD Users and Computers, that account indeed disappeared.  Same error BTW.

I created another account, now a new account is deleted:
The Distinguished Name of the account is CN=sbsmonacct\0ADEL:be43f8e4-9c8b-41b1-911b-e6995b902039,CN=Deleted Objects,DC=domain,DC=com

Once more:
The Distinguished Name of the account is CN=sbsmonacct\0ADEL:006c8603-fb71-441d-b44d-9e42542cc693,CN=Deleted Objects,DC=domain,DC=com

Are accounts and objects being deleted every time I do this?  Now I'm starting to worry...
Joseph Hornsey (President and Janitor) commented:
You mean you weren't worried before?  ;-)

You see how the account names have the funky 0ADEL: with a big long Hex number after them?  Those were duplicate accounts.  There should still be an account in there called sbsmonacct.

So, after rebooting and everything, you're still getting the same error?  Are you still unable to create an account?

<-=+=->
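Two things in this thread come down to reading a distinguished name correctly: the ADSI Edit answer above (walk the DN right-to-left, domain root first, to find the object) and the `\0ADEL:<guid>` names that the later events report under CN=Deleted Objects. The Python below is an added example, not from the thread: it splits a DN at unescaped commas, decodes RFC 4514 escapes (so `\0A` becomes the newline that Active Directory puts between the original name and `DEL:`), produces the browse path the answer describes, and recognises a tombstone by that `\nDEL:<objectGUID>` leaf under CN=Deleted Objects. `summarize_events` applies this to SAM 12293 message text; the two messages it runs on are constructed from the ones quoted in the thread, with the thread's own names and GUID.

```python
import re
import string
from typing import List, Optional, Tuple

# Constructed from the two event shapes quoted in the thread. Raw strings are
# essential: in a plain Python literal "\0A" is a NUL byte followed by "A".
SAMPLE_EVENTS = [
    r"There are two or more objects that have the same SID attribute in the SAM "
    r"database. The Distinguished Name of the account is CN=Tester Account,"
    r"OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate accounts "
    r"have been deleted. Check the event log for additional duplicates.",
    r"There are two or more objects that have the same SID attribute in the SAM "
    r"database. The Distinguished Name of the account is CN=sbsmonacct\0ADEL:"
    r"be43f8e4-9c8b-41b1-911b-e6995b902039,CN=Deleted Objects,DC=domain,DC=com. "
    r"All duplicate accounts have been deleted. Check the event log for additional duplicates.",
]

DN_IN_EVENT = re.compile(r"Distinguished Name of the account is (.+?)\.\s+All duplicate")
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def unescape_rdn_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\XX' hex pairs (\\0A is a newline) and '\\c'."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out += bytes.fromhex(pair)
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split at unescaped commas into (attribute, decoded value) pairs, leaf first."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact for now
            buf.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, raw = rdn.strip().partition("=")
        pairs.append((attr.strip(), unescape_rdn_value(raw)))
    return pairs


def browse_path(dn: str) -> List[str]:
    """The right-to-left walk from the answer: domain root, then each container
    down to the object itself."""
    pairs = split_dn(dn)
    root = ",".join("%s=%s" % p for p in pairs if p[0].upper() == "DC")
    containers = ["%s=%s" % p for p in pairs if p[0].upper() != "DC"]
    return [root] + containers[::-1]


def tombstone_info(dn: str) -> Optional[Tuple[str, str]]:
    """For a tombstone (leaf '<name>\\nDEL:<guid>' under CN=Deleted Objects) return
    (original name, objectGUID); None for a live object."""
    pairs = split_dn(dn)
    leaf = pairs[0][1]
    under_deleted = any(a.upper() == "CN" and v.lower() == "deleted objects"
                        for a, v in pairs[1:])
    if "\nDEL:" not in leaf or not under_deleted:
        return None
    name, _, guid = leaf.partition("\nDEL:")
    return (name, guid) if GUID.fullmatch(guid) else None


def summarize_events(messages: List[str]) -> List[dict]:
    """Pull the DN out of each SAM 12293 message and say where to look for it."""
    rows = []
    for msg in messages:
        m = DN_IN_EVENT.search(msg)
        if not m:
            continue
        dn = m.group(1)
        rows.append({"dn": dn, "path": browse_path(dn), "tombstone": tombstone_info(dn)})
    return rows


if __name__ == "__main__":
    for row in summarize_events(SAMPLE_EVENTS):
        print(" > ".join(row["path"]).replace("\n", "\\0A"))
        print("   tombstone:", row["tombstone"])
```

A tombstone will not show up by browsing SBSUsers in ADSI Edit or by searching the live tree in LDP: it lives under CN=Deleted Objects, which is hidden unless the client asks for deleted objects. The decoded leaf also gives you the original account name and the objectGUID, which is what to match against a live account that still carries the same SID.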
randy915 (Author) commented:
Yeah still same problem.  I'm going to call Microsoft and open a ticket, will update you, thanks.
Joseph Hornsey (President and Janitor) commented:
That was actually what I was going to recommend you do.  Sorry about that.  On the bright side, though, their tech support is top notch.

Let me know how it goes.

<-=+=->
randy915 (Author) commented:
OK, after 5 hours on the phone it's fixed.  BTW, as a side note, the problematic primary DC was a VMware image.  Although I don't think it was the cause of the problem, they were hesitant to continue troubleshooting because it's "unsupported"; the only reason why they continued was because I had no other DCs and I absolutely cannot lose this domain.

With that said...  Apparently one of the main problems was a corrupt DNS.  So after failing to even join any servers to the domain, I was forced to DCPROMO an existing member server, obtain the DNS records, and seize the FSMO, GC and operation master roles.  For future reference, there were a lot of dirty entries from the old SBS DC, so the DNS entries in all the various subfolders had to be cleaned up.  Also, 127.0.0.1 cannot be used as the TCP/IP DNS IP even if the DC is pointing to itself for DNS; its actual IP must be used.

So after all that, we joined one more physical box to the domain, DCPROMO'd it as a secondary DC with DNS replicating, demoted the VMware image, uninstalled DNS and disjoined it from the domain.

Thanks for your help SplinterCell!

BTW, your solutions would be correct under normal situation...  ^^
Joseph Hornsey (President and Janitor) commented:
Thank you for your kind words about my solution; it always helps the ol' ego!

Glad it worked out!

<-=+=->