randy915

asked on

Cannot create user in domain - The requested object has a non-unique identifier and cannot be retrieved

We recently tried to decommission an SBS 2003 to split the Exchange and Win 2003 roles onto 2 separate machines.  We thought everything went smoothly until we tried to create a new user and this error came up:

" Windows cannot set the password for (account name) because:
The requested object has a non-unique identifier and cannot be retrieved. "

...after I press OK, another box pops up complaining:

" Windows cannot remove the newly created object automatically.  Remove it manually or contact your system administrator. "

In Event Viewer under SYSTEM, I see 2x "Source: SAM, Event ID: 12293" with the same time stamp:
#1:
"  There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Team Foundation Server Setup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate  accounts have been deleted. Check the event log for additional duplicates.  "

#2:
" There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate  accounts have been deleted. Check the event log for additional duplicates. "

I ran NTDSUTIL's SID cleanup and the log has 0 entries meaning nothing to delete?

Please help!
ASKER CERTIFIED SOLUTION
Joseph Hornsey
randy915

ASKER

I don't see Tester or Team Foundation Server Setup under SBSUsers.  The list of objects in ADSIEDIT is the same as in my AD Users and Computers.  When I try creating any account with any name, I get this error.  In fact I can't even remove my SBS off the DC list even though the GC, FSMO and operations master roles have been transferred to the Win 2003.  But that's a separate issue...
SOLUTION
Not sure if I'm doing this correctly but I go to View | Tree, BaseDN: DC=primarydc,DC=com, then I highlight the tree, press CTRL-S to search.  Paste in the fully qualified parameters e.g.:
CN=Team Foundation Server Setup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com
Select SubTree and click Run.

Nothing found.  Am I doing this wrong?  Thanks for your help BTW.
You're not doing anything wrong that I can see.  Have you tried browsing down through the tree?

Also, you mentioned that you can't remove a domain controller.  You can delete the computer account object from the Domain Controllers OU using either of these tools.  Perhaps do that first and get rid of that problem; it could have an impact on this one.

<-=+=->
OK so I was able to remove SBS2003 off the DC list but now I realize something strange is going on.  I tried creating another account but now the event viewer is reporting that the Team Foundation Server Reports account is removed, and when I pressed F5 inside AD Users and Computers, that account indeed disappeared.  Same error BTW.

I created another account, now a new account is deleted:
The Distinguished Name of the account is CN=sbsmonacct\0ADEL:be43f8e4-9c8b-41b1-911b-e6995b902039,CN=Deleted Objects,DC=domain,DC=com

Once more:
The Distinguished Name of the account is CN=sbsmonacct\0ADEL:006c8603-fb71-441d-b44d-9e42542cc693,CN=Deleted Objects,DC=domain,DC=com

Are accounts and objects being deleted every time I do this?  Now I'm starting to worry...
You mean you weren't worried before?  ;-)

You see how the account names have the funky 0ADEL: with a big long Hex number after them?  Those were duplicate accounts.  There should still be an account in there called sbsmonacct.

So, after rebooting and everything, you're still getting the same error?  Are you still unable to create an account?

<-=+=->
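The SAM 12293 events quoted above carry the only hard evidence in this thread: the DN of each object involved in the SID collision, and, for the later ones, the `\0ADEL:<GUID>` naming that marks a tombstone under `CN=Deleted Objects`. The following is an added example (not code from the thread or from Microsoft) that parses those event messages, splits the DN on unescaped commas, and separates live objects from tombstones so an administrator can see at a glance whether the "duplicates" being removed were already-deleted objects or still-live accounts. The sample messages are constructed from the ones quoted in the question; the regular expressions assume the English event text shown there.

```python
"""Classify the DNs reported by SAM event ID 12293 (duplicate SID in the SAM
database).  Added example; event messages below are constructed from the
question text, not captured from a live system."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The event text states the DN, terminated by ". All duplicate accounts ..."
EVENT_DN_RE = re.compile(
    r"The Distinguished Name of the account is (?P<dn>.+?)\. All duplicate")
# Tombstoned objects are renamed "<cn>\0ADEL:<objectGUID>" when moved to Deleted Objects
DEL_RE = re.compile(
    r"^CN=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-f-]{36})$", re.IGNORECASE)


@dataclass
class SidCollision:
    dn: str
    sam_name: str                   # leading RDN value, \0ADEL suffix stripped
    container: str                  # everything after the first RDN
    tombstone_guid: Optional[str]   # set only for objects under Deleted Objects


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def classify_dn(dn: str) -> SidCollision:
    """Decide whether a reported DN is a live object or a tombstone."""
    parts = split_dn(dn)
    rdn, container = parts[0], ",".join(parts[1:])
    m = DEL_RE.match(rdn)
    if m:
        return SidCollision(dn, m.group("name"), container, m.group("guid").lower())
    name = rdn.split("=", 1)[1]
    return SidCollision(dn, name, container, None)


def parse_event_12293(message: str) -> Optional[SidCollision]:
    """Extract and classify the DN from one 12293 event message, if present."""
    m = EVENT_DN_RE.search(message)
    return classify_dn(m.group("dn").strip()) if m else None


def summarize(messages: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group reported DNs by account name: live DNs vs tombstone GUIDs."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for msg in messages:
        c = parse_event_12293(msg)
        if c is None:
            continue
        entry = out.setdefault(c.sam_name, {"live": [], "tombstones": []})
        if c.tombstone_guid:
            entry["tombstones"].append(c.tombstone_guid)
        else:
            entry["live"].append(c.dn)
    return out


# Constructed sample events, modelled on the three quoted in the thread.
PREFIX = ("There are two or more objects that have the same SID attribute in the "
          "SAM database. The Distinguished Name of the account is ")
SUFFIX = ". All duplicate accounts have been deleted. Check the event log for additional duplicates."
SAMPLE_EVENTS = [
    PREFIX + "CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com" + SUFFIX,
    PREFIX + "CN=sbsmonacct\\0ADEL:be43f8e4-9c8b-41b1-911b-e6995b902039,"
             "CN=Deleted Objects,DC=domain,DC=com" + SUFFIX,
    PREFIX + "CN=sbsmonacct\\0ADEL:006c8603-fb71-441d-b44d-9e42542cc693,"
             "CN=Deleted Objects,DC=domain,DC=com" + SUFFIX,
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {len(info['live'])} live, {len(info['tombstones'])} tombstone(s)")
        for g in info["tombstones"]:
            print(f"    tombstone objectGUID {g}")
```

Feeding it the three messages from the thread shows `Tester Account` reported as a live object and `sbsmonacct` reported twice as a tombstone, which is the distinction the reply above is making: the `\0ADEL` entries were already-deleted copies, not the live `sbsmonacct` account.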
Yeah still same problem.  I'm going to call Microsoft and open a ticket, will update you, thanks.
That was actually what I was going to recommend you do.  Sorry about that.  On the bright side, though, their tech support is top notch.

Let me know how it goes.

<-=+=->
OK, after 5 hours on the phone it's fixed.  BTW, as a side note, the problematic primary DC was a VMware image.  Although I don't think it was the cause of the problem, they were hesitant to continue troubleshooting because it's "unsupported"; the only reason why they continued was because I had no other DCs and I absolutely cannot lose this domain.

With that said...  Apparently one of the main problems was a corrupt DNS.  So after failing to even join any servers to the domain, I was forced to DCPROMO an existing member server, obtain the DNS records, seize FSMO, GC and operation master roles.  For future reference, there were a lot of dirty entries from the old SBS DC so the DNS entries in all the various subfolders had to be cleaned up.  Also, 127.0.0.1 cannot be used as the TCP/IP DNS IP even if the DC is pointing to itself for DNS, its actual IP must be used.

So after all that, we joined one more physical box to the domain, DCPROMO'd that as a secondary DC with DNS server in replication, demoted the VMware image, uninstalled DNS and disjoined it from the domain.

Thanks for your help SplinterCell!

BTW, your solutions would be correct under normal situation...  ^^
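Two of the lessons in the asker's write-up lend themselves to a check that can be run before a DC is decommissioned: stale DNS records that still point at the old server (the "dirty entries in all the various subfolders"), and a DC's DNS client pointing at 127.0.0.1 instead of its real address. The following is an added example, not code from the thread or from Microsoft; it parses a constructed, simplified BIND-style zone export (the `owner TTL IN TYPE rdata` layout, which is what `dnscmd /zoneexport` produces, though real exports also contain `$ORIGIN`/`$TTL` directives this parser does not handle), flags every record that still references the decommissioned host or IP, and rewrites a loopback DNS client entry to the DC's actual address. Host names, IPs and the zone contents are all constructed.

```python
"""Find DNS records that still reference a decommissioned DC, and repair a
DC's DNS client list that uses 127.0.0.1.  Added example; the zone data and
addresses are constructed, not taken from the thread."""
import ipaddress
from typing import Iterable, List, NamedTuple, Set


class Record(NamedTuple):
    owner: str
    rtype: str
    rdata: str   # remaining fields joined with single spaces


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner TTL IN TYPE rdata...' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(owner, rtype.upper(), " ".join(rdata)))
    return records


def find_stale_records(records: Iterable[Record],
                       old_hosts: Iterable[str],
                       old_ips: Iterable[str]) -> List[Record]:
    """Return records whose A target is an old IP, or whose SRV/NS/CNAME
    target names the old host (FQDN or short name, case-insensitive)."""
    hosts: Set[str] = {h.rstrip(".").lower() for h in old_hosts}
    ips: Set[str] = set(old_ips)
    stale = []
    for r in records:
        if r.rtype == "A" and r.rdata in ips:
            stale.append(r)
            continue
        if r.rtype in ("SRV", "NS", "CNAME"):
            target = r.rdata.split()[-1].rstrip(".").lower()   # last field is the target
            if target in hosts or target.split(".")[0] in hosts:
                stale.append(r)
    return stale


def fix_dns_client(dc_ip: str, servers: List[str]) -> List[str]:
    """Replace loopback entries with the DC's real address, preserving order
    and dropping duplicates, per the 'do not use 127.0.0.1' lesson above."""
    fixed: List[str] = []
    for s in servers:
        addr = dc_ip if ipaddress.ip_address(s).is_loopback else s
        if addr not in fixed:
            fixed.append(addr)
    return fixed


# Constructed zone for domain.com: sbs2003 (192.168.1.10) is being retired,
# dc2 (192.168.1.20) stays.
SAMPLE_ZONE = """\
; constructed sample zone, not the asker's data
@                          3600 IN NS    sbs2003.domain.com.
@                          3600 IN NS    dc2.domain.com.
sbs2003                    3600 IN A     192.168.1.10
dc2                        3600 IN A     192.168.1.20
gc._msdcs                   600 IN A     192.168.1.10
gc._msdcs                   600 IN A     192.168.1.20
_ldap._tcp.dc._msdcs        600 IN SRV   0 100 389 sbs2003.domain.com.
_ldap._tcp.dc._msdcs        600 IN SRV   0 100 389 dc2.domain.com.
_kerberos._tcp.dc._msdcs    600 IN SRV   0 100 88 sbs2003.domain.com.
_kerberos._tcp.dc._msdcs    600 IN SRV   0 100 88 dc2.domain.com.
"""

if __name__ == "__main__":
    for r in find_stale_records(parse_zone(SAMPLE_ZONE), ["sbs2003"], ["192.168.1.10"]):
        print(f"stale: {r.owner} {r.rtype} {r.rdata}")
    print("DNS client on dc2:", fix_dns_client("192.168.1.20", ["127.0.0.1", "192.168.1.20"]))
```

Running it against the sample lists the old NS entry, both A records carrying 192.168.1.10 (the host's own and the `gc._msdcs` one) and the two SRV records targeting sbs2003, while leaving every dc2 record alone; on a real zone the same walk would cover the `_sites` and `_tcp` subfolders the asker mentions, since they are just more owners in the same export.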
Thank you for your kind words about my solution; it always helps the ol' ego!

Glad it worked out!

<-=+=->