List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Duplicate SIDs and Tombstoned Objects
eis_lists (Posts: 48)
04/23/2010 7:32 PM
Hello:

We have several computer and user objects that were mysteriously deleted by the Anonymous account. All the deletions happened on the same DC and never on any other DCs. The objects show up in the tombstone items list. We would like to restore these objects.

When we restore them (using ADRestore), they show up for about 30 seconds and then disappear again. Our hunch is that they are conflicting with the original object. In most cases, we think this is a user account that was deleted and is conflicting with a computer account SID. We don't care too much about the computer account but would really like the user account back. Is there a way to "swap" these? Is there a way to (yikes) edit the SID of the computer account so that it will not conflict when we restore the user account?

Thanks,

- Noah


bdesmond (Posts: 977)
04/23/2010 7:34 PM
You can simply look at the two tombstoned objects and compare the SIDs. What makes you think they're dupes?

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132


eis_lists (Posts: 48)
04/23/2010 8:22 PM
It appears that actually both are in the deleted items. It seems that AD does not care if the item is deleted (tombstoned) or active. So maybe the question is: can we force something out of the deleted items before the tombstone expires?

-- nme


listmail (Posts: 822)
04/23/2010 8:36 PM
If an item is tombstoned, AdRestore will pull it out of tombstone status (so will admod). Once out, it shouldn't automatically go back to tombstone without something deleting it.

As Brian indicated, look at the tombstone object for the SID (you can use adfind with -showdel) and then search AD for that SID to see if there is something else with it. I highly doubt there is something else with the same SID, but even if there were, I wouldn't expect AD to just pick one of the objects and delete it.

joe

--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm



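The check joe describes, reading the SID off the tombstone and then looking for anything else in the directory that carries it, done with the ActiveDirectory PowerShell module instead of adfind. This is an added example, not code from the thread: it assumes RSAT on the admin workstation, ADWS (or the AD Management Gateway service) on the DC, rights to read the Deleted Objects container, and it reuses the DC name and SID from Noah's event log entries.

```powershell
# Added example (not from the thread): find live or tombstoned objects that
# share an objectSid. Run it against the DC that logged the SAM 12293 events.
Import-Module ActiveDirectory

$Server = 'DC02'   # DC named in the event log entries in the thread

# Every object carrying an objectSid, tombstones included. objectSid is one of
# the attributes a tombstone keeps, which is why a deleted object can still
# collide with a live one (or with another tombstone).
$objs = Get-ADObject -Server $Server -LDAPFilter '(objectSid=*)' `
            -IncludeDeletedObjects `
            -Properties objectSid, objectClass, isDeleted, uSNChanged, whenChanged

# Group on the SID string; any group with more than one member is a pair the
# SAM will resolve by deleting both as soon as something resolves the SID.
$dupes = $objs |
    Group-Object -Property { $_.objectSid.Value } |
    Where-Object { $_.Count -gt 1 }

foreach ($g in $dupes) {
    Write-Output "SID $($g.Name) is carried by $($g.Count) objects:"
    $g.Group |
        Sort-Object uSNChanged |
        Select-Object DistinguishedName, objectClass, isDeleted, uSNChanged, whenChanged |
        Format-Table -AutoSize
}

# Spot check one SID from the thread before reanimating anything with it.
$sid = 'S-1-5-21-3756159440-1692330817-2025125472-3114'
Get-ADObject -Server $Server -LDAPFilter "(objectSid=$sid)" -IncludeDeletedObjects `
    -Properties isDeleted, uSNChanged |
    Select-Object DistinguishedName, isDeleted, uSNChanged
```

Run it on each DC rather than once: a conflict that only exists on the DC that did the deleting, as in Noah's case, will not show up from the others.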


eis_lists (Posts: 48)
04/24/2010 2:03 AM
Hi -

Thanks for the response. I wanted to make sure I was conveying this correctly so I went and tested this again. I did the following:

- Used ADRestore to kick out a list. Found a name we needed to recover in that list. Verified that the account was not active in AD (via ADUC).
- Used ADRestore to re-animate the user account. Said it succeeded, and I verified in ADUC. Account was present for over five minutes.
- Went to enable the account and got the following error: "Windows cannot enable the object User Name because: The requested object has a non-unique identifier and cannot be retrieved."
- The account then disappears from ADUC.
- In the System log on that DC there are two errors with matching timestamps (to the second).

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 4/23/2010
Time: 1:47:43 PM
User: S-1-5-21-3756159440-1692330817-2025125472-3114
Computer: DC02
Description:
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=User Name,OU=Staff,OU=UserAccounts,DC=company,DC=local. All duplicate accounts have been deleted. Check the event log for additional duplicates.


And
Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 4/23/2010
Time: 1:47:43 PM
User: S-1-5-21-3756159440-1692330817-2025125472-3114
Computer: DC02
Description:
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Other User\0ADEL:17acb86a-7878-4a05-aa67-f262f6cfcb97,CN=Deleted Objects,DC=company,DC=local. All duplicate accounts have been deleted. Check the event log for additional duplicates.

Not sure what I am seeing. Any insights welcome.

Thanks,

-- nme


bdesmond (Posts: 977)
04/24/2010 2:03 AM
If it were me I'd let both of these accounts disappear and start fresh. Something bad happened here - you're going to prolong the lifetime of bad if you try and preserve it.

What you're seeing is definitely expected behavior (I just looked). If when AD gets asked to translate SID>NAME there is more than one hit, in the case of dupe SIDs both accounts are killed. In the case of dupe samAccountName values, for machines the newest account is retained (and the older one(s) killed) while for others (users, groups, etc) the oldest account is retained (and the newest one(s) killed).

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132



RobSilver (Posts: 0)
04/24/2010 2:03 AM
Hi

It looks like your User\0ADEL:17acb86a-7878-4a05-aa67-f262f6cfcb97 might still exist (potentially with a higher USN). Both errors have the same timestamp and are conflicting.

Are your DCs virtualized by any chance? Have you restored a snapshot recently on one of the Virtualised DCs? Specifically, the DC you are re-animating the account on?

Regards,
Rob


RobSilver (Posts: 0)
04/24/2010 3:10 PM
There is an ntdsutil option to clean out duplicate SIDs as follows:

- Open a Cmd prompt and type 'ntdsutil'.
- Type 'security account management', and then press ENTER.
- Type 'connect to server DNSNameOfServer'.
- Type 'check duplicate sid', and then press ENTER. A display of duplicates appears.
- Type 'cleanup duplicate sid', and then press ENTER. Ntdsutil confirms the removal of the duplicate.

I haven't done this before, so use with common sense... I have no idea which 'duplicate' it will remove so let us know... Might be an idea to take the DC offline while you do this...

Rob
http://robsilver.org

-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of [Infraspec] Rob Silver
Sent: 24 April 2010 11:09 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

Which could happen if the DC in question was virtualized and restored from a snapshot, which was my reasoning for asking the question on virtualization. Any other ideas on how this could happen? I can only think "Blame it on VMWare" for now...

Rob

-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: 23 April 2010 11:59 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

The timestamps make sense to me.

My guess is this happened because somehow you had some sort of RID pool rollback.

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of EIS Lists
Sent: Friday, April 23, 2010 5:41 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

Hi. One DC is virtualized but no snapshots or anything like that. We demoted the problem DC and existing objects stopped disappearing. The issue now is only with objects that we are trying to recover.

We decided that it is easier to recreate the objects, fix the perms, and associate the mailbox with the new object. There were only four or five pertinent accounts.

That said, I'd like to figure out what happened and make sure there is not something deeper going on. When you say that the object might still exist, do you mean an active object or are you including the deleted objects? Also, that issue with the exact time stamp happens every time we try to enable a recovered object. The time between those two events always matches exactly.

-- nme

--- On Fri, 4/23/10, [Infraspec] Rob Silver <rob@infraspec.net> wrote:

> From: [Infraspec] Rob Silver <rob@infraspec.net>
> Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects
> To: "activedir@mail.activedir.org" <activedir@mail.activedir.org>
> Date: Friday, April 23, 2010, 2:45 PM
> You could try doing an authoritative
> restore of the specific user object based on a backup
> pre-userDeletion.  Same results?
>
> Regards,
> Rob
>

listmail

Posts:822

04/24/2010 4:01 PM  
I agree with Brian and the next thing is to work out if there are more to
see how bad of shape you may be in. IIUC, this can only happen with dupe RID
pools which likely means a rollback.

joe

--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm



-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Friday, April 23, 2010 5:18 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

If it were me I'd let both of these accounts disappear and start fresh.
Something bad happened here - you're going to prolong the lifetime of bad if
you try and preserve it.

What you're seeing is definitely expected behavior (I just looked). If when
AD gets asked to translate SID>NAME there is more than one hit, in the case
of dupe SIDs both accounts are killed. In the case of dupe samAccountName
values, for machines the newest account is retained (and the older one(s)
killed) while for others (users, groups, etc) the oldest account is retained
(and the newest one(s) killed).

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of EIS Lists
Sent: Friday, April 23, 2010 4:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

Hi -

Thanks for the response. I wanted to make sure I was conveying this
correctly so I went and tested this again. I did the following:

- Used ADRestore to kick out a list. Found a name we needed to recover in
that list. Verified that the account was not active in AD (via ADUC).
- Used ADRestore to re-animate the user account. Said it succeeded, and I
verified in ADUC. Account was present for over five minutes.
- Went to enable the account and got the following error: "Windows cannot
enable the object User Name because: The requested object has a non-unique
identifier and cannot be retrieved."
- The account then disappears from ADUC.
- In the System log on that DC there are two errors with matching timestamps
(to the second).

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 4/23/2010
Time: 1:47:43 PM
User: S-1-5-21-3756159440-1692330817-2025125472-3114
Computer: DC02
Description:
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN=User
Name,OU=Staff,OU=UserAccounts,DC=company,DC=local. All duplicate accounts
have been deleted. Check the event log for additional duplicates.


And
Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 4/23/2010
Time: 1:47:43 PM
User: S-1-5-21-3756159440-1692330817-2025125472-3114
Computer: DC02
Description:
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN=Other
User\0ADEL:17acb86a-7878-4a05-aa67-f262f6cfcb97,CN=Deleted
Objects,DC=company,DC=local. All duplicate accounts have been deleted.
Check the event log for additional duplicates.

Not sure what I am seeing. Any insights welcome.

Thanks,

-- nme

--- On Fri, 4/23/10, joe <listmail@joeware.net> wrote:

> From: joe <listmail@joeware.net>
> Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects
> To: activedir@mail.activedir.org
> Date: Friday, April 23, 2010, 12:36 PM If an item is tombstoned,
> AdRestore will pull it out of tombstone status (so will admod). Once
> out, it shouldn't automatically go back to tombstone without something
> deleting it.
>
> As Brian indicated, look at the tombstone object for the SID (you can
> use adfind with -showdel) and then search AD for that SID to see if
> there is something else with it. I highly doubt there is something
> else with the same SID, but even if there were, I wouldn't expect AD
> to just pick one of the objects and delete it.
>
>   joe
>
> --
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org
> [mailto:activedir-owner@mail.activedir.org]
> On Behalf Of EIS Lists
> Sent: Friday, April 23, 2010 3:21 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects
>
> It appears that actually both are in the deleted items. It seems that
> AD does not care if the item is deleted (tombstoned) or active. So
> maybe the question is: can we force something out of the deleted items
> before the tombstone expires?
>
> -- nme
>




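The diagnostic joe and Brian describe above (pull the SID off the tombstone, search the directory for anything else carrying it, then see whether RID pools overlap), written out as PowerShell. This is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module and an account that can read the Deleted Objects container; dc02 and the SID from the OP's event are used only as sample input, and the placement of first/last RID in the packed pool attributes is stated in the comments as the assumption the report relies on.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and an account that can read the Deleted Objects container. Server names
# are placeholders; the SID in the usage lines is the one from the OP's event.
Import-Module ActiveDirectory

# Every object, live or tombstoned, carrying one SID. A healthy domain returns
# at most one row; two or more is the state that makes the SAM log 12293 and
# delete the whole set the next time it has to resolve that SID.
function Find-ObjectsBySid {
    param(
        [Parameter(Mandatory)][string]$Sid,   # SDDL string form is accepted in an LDAP filter
        [string]$Server                       # query one specific DC, e.g. the suspect one
    )
    $q = @{
        LDAPFilter            = "(objectSid=$Sid)"
        IncludeDeletedObjects = $true
        Properties            = 'objectClass', 'objectSid', 'isDeleted', 'whenCreated', 'uSNChanged'
    }
    if ($Server) { $q.Server = $Server }
    Get-ADObject @q |
        Select-Object DistinguishedName, objectClass, isDeleted, whenCreated, uSNChanged
}

# Domain-wide sweep: group all SID-bearing objects, tombstones included, by SID
# and report collisions, to size the damage before re-animating anything.
function Find-DuplicateSids {
    param([string]$Server)
    $q = @{
        LDAPFilter            = '(objectSid=*)'
        IncludeDeletedObjects = $true
        Properties            = 'objectSid', 'isDeleted'
    }
    if ($Server) { $q.Server = $Server }
    Get-ADObject @q |
        Group-Object { [string]$_.objectSid } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Sid     = $_.Name
                Count   = $_.Count
                Objects = @($_.Group | ForEach-Object {
                    "$($_.DistinguishedName) [deleted=$([bool]$_.isDeleted)]" })
            }
        }
}

# RID pool report, read from each DC's own replica of its RID Set object.
# Assumed layout: rIDAllocationPool packs the pool's first RID in the low
# 32 bits and its last RID in the high 32; rIDAvailablePool on RID Manager$
# packs the domain's next unallocated RID (low) and ceiling (high). Two DCs
# whose pools overlap, or a pool reaching past the domain's next-available
# marker, is what a RID pool rollback looks like.
function Get-RidPoolReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $dom.DistinguishedName) `
                        -Properties rIDAvailablePool -Server $dom.RIDMaster
    $avail      = [int64]$mgr.rIDAvailablePool
    $domainNext = $avail -band 4294967295      # low 32 bits
    $domainMax  = $avail -shr 32               # high 32 bits (PowerShell 3+)

    $pools = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Ask each DC for its own view; a rolled-back DC disagrees with its peers.
        $set = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID `
                            -Server $dc.HostName -ErrorAction SilentlyContinue
        if (-not $set) { continue }
        $alloc = [int64]$set.rIDAllocationPool
        [pscustomobject]@{
            DC       = $dc.HostName
            PoolLow  = $alloc -band 4294967295
            PoolHigh = $alloc -shr 32
            NextRid  = $set.rIDNextRID
            Warnings = @()
        }
    }
    foreach ($p in $pools) {
        if ($p.PoolHigh -ge $domainNext) {
            $p.Warnings += "pool end $($p.PoolHigh) is not below the domain's next available RID $domainNext"
        }
        foreach ($o in $pools) {
            if ($o.DC -ne $p.DC -and $p.PoolLow -le $o.PoolHigh -and $o.PoolLow -le $p.PoolHigh) {
                $p.Warnings += "overlaps $($o.DC) ($($o.PoolLow)-$($o.PoolHigh))"
            }
        }
    }
    [pscustomobject]@{ DomainNextRid = $domainNext; DomainMaxRid = $domainMax; Pools = $pools }
}

# Usage (dc02 and the SID are the ones named in the thread):
# Find-ObjectsBySid -Sid 'S-1-5-21-3756159440-1692330817-2025125472-3114' -Server dc02
# Find-DuplicateSids -Server dc02 | Format-List
# (Get-RidPoolReport).Pools | Format-Table DC, PoolLow, PoolHigh, NextRid, Warnings -AutoSize
```

Run Find-ObjectsBySid against the suspect DC and against a healthy one: if the suspect DC returns two rows for a SID and its peers return one, the duplicate lives only in that DC's replica, which matches the OP's observation that the deletions originate on a single DC. Find-DuplicateSids on a large domain walks every object and will take a while; scope it with a SearchBase if that matters.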
bdesmond

Posts:977

04/24/2010 7:50 PM  
It would delete all of the duplicates as this fires the same codepath the OP sees earlier in the thread.

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of [Infraspec] Rob Silver
Sent: Saturday, April 24, 2010 9:09 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

There is an ntdsutil option to clean out duplicate SIDs as follows:

Open Cmd prompt
Type 'ntdsutil'
Type 'security account management', and then press ENTER.
Type 'connect to server DNSNameOfServer'
Type 'check duplicate sid', and then press ENTER. A display of duplicates appears.
Type 'cleanup duplicate sid', and then press ENTER. Ntdsutil confirms the removal of the duplicate.

I haven't done this before, so use with common sense... I have no idea which 'duplicate' it will remove so let us know... Might be an idea to take the DC offline while you do this...

Rob
http://robsilver.org

-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of [Infraspec] Rob Silver
Sent: 24 April 2010 11:09 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

Which could happen if the DC in question was virtualized and restored from a snapshot which was my reasoning for asking the question on virtualization. Any other ideas on how this could happen? I can only think "Blame it on VMWare" for now...

Rob

-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: 23 April 2010 11:59 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

The timestamps make sense to me.

My guess is this happened because somehow you had some sort of RID pool rollback.

Thanks,
Brian Desmond
brian@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of EIS Lists
Sent: Friday, April 23, 2010 5:41 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects

Hi. One DC is virtualized but no snapshots or anything like that. We demoted the problem DC and existing objects stopped disappearing. The issue now is only with objects that we are trying to recover.

We decided that it is easier to recreate the objects, fix the perms, and associate the mailbox with the new object. There were only four or five pertinent accounts.

That said, I'd like to figure out what happened and make sure there is not something deeper going on. When you say that the object might still exist, do you mean an active object or are you including the deleted objects? Also, that issue with the exact time stamp happens every time we try to enable a recovered object. Always the time between those two events match exactly.

-- nme

--- On Fri, 4/23/10, [Infraspec] Rob Silver <rob@infraspec.net> wrote:

> From: [Infraspec] Rob Silver <rob@infraspec.net>
> Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects
> To: "activedir@mail.activedir.org" <activedir@mail.activedir.org>
> Date: Friday, April 23, 2010, 2:45 PM
> You could try doing an authoritative
> restore of the specific user object based on a backup
> pre-userDeletion.  Same results?
>
> Regards,
> Rob
>
>
> -----Original Message-----
> From: [Infraspec] Rob Silver
> Sent: 23 April 2010 10:25 PM
> To: 'activedir@mail.activedir.org'
> Subject: RE: [ActiveDir] Duplicate SIDs and Tombstoned Objects
>
> Hi
>
> It looks like your
> User\0ADEL:17acb86a-7878-4a05-aa67-f262f6cfcb97 might still exist
> (potentially with a higher USN).  Both errors have the same timestamp
> and are conflicting.
>
> Are your DCs virtualized by any chance?  Have you restored a snapshot
> recently on one of the Virtualised DCs?  Specifically, the DC you are
> re-animating the account on?
>
> Regards,
> Rob
>







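Rob's ntdsutil procedure and the SAM 12293 events the OP pasted, scripted so the check can be repeated and the event pairs triaged. This is an added example, not code from anyone in the thread. It assumes ntdsutil.exe is available in an elevated session, that the account can read the DC's System log, and that the 12293 message text has the shape of the OP's paste; dupsid.log is the file name the OP mentions. Because Brian notes that the cleanup path deletes every member of a duplicate set, the function only runs the check unless -Cleanup is passed and confirmed.

```powershell
# Added example, not from the thread. Assumes ntdsutil.exe in an elevated
# session, rights to read the DC's System log, and placeholder server names.

# Shared parser for the 12293 text: the DN sits between a fixed prefix and the
# "All duplicate accounts have been deleted" sentence. Line breaks inside the
# DN are tolerated so a message pasted into e-mail still parses.
function ConvertFrom-Sam12293Message {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match '(?s)Distinguished Name of the account is\s+(.+?)\.\s+All duplicate') {
        $dn = $Matches[1] -replace '\s*\r?\n\s*', ' '
        [pscustomobject]@{
            DN        = $dn
            Tombstone = ($dn -like '*CN=Deleted Objects,*')
        }
    }
}

# Drive the ntdsutil menu session from a script. Each array element is one
# line of the interactive session; PowerShell hands the space-containing
# elements to the native exe as single tokens. The check is read-only;
# cleanup is gated behind -Cleanup plus ShouldProcess confirmation.
function Invoke-DuplicateSidCheck {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Server,
        [switch]$Cleanup
    )
    $steps = @('security account management', "connect to server $Server", 'check duplicate sid')
    if ($Cleanup) {
        $what = 'cleanup duplicate sid (removes every object in each duplicate set)'
        if (-not $PSCmdlet.ShouldProcess($Server, $what)) { return }
        $steps += 'cleanup duplicate sid'
    }
    $steps += 'quit', 'quit'
    $console = (& ntdsutil.exe @steps 2>&1 | Out-String)
    # The check writes its findings to dupsid.log in the working directory
    # (the file the OP refers to); returned as-is, empty if nothing was logged.
    $logPath = Join-Path (Get-Location).Path 'dupsid.log'
    $log = @()
    if (Test-Path $logPath) { $log = @(Get-Content $logPath) }
    [pscustomobject]@{ Server = $Server; Console = $console; DupSidLog = $log }
}

# Pull SAM 12293 from a DC's System log and group by timestamp. One SAM sweep
# deletes the whole duplicate set at once, which is why the OP sees events in
# pairs stamped to the same second; the grouping makes each sweep one row.
function Get-SamDuplicateSidEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    $filter = @{ LogName = 'System'; Id = 12293; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # The provider name differs across Windows versions; match loosely.
        Where-Object { $_.ProviderName -match 'SAM' } |
        ForEach-Object {
            $parsed = $null
            if ($_.Message) { $parsed = ConvertFrom-Sam12293Message -Message $_.Message }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Sid       = [string]$_.UserId
                DN        = $parsed.DN
                Tombstone = [bool]$parsed.Tombstone
            }
        } |
        Group-Object { $_.Time.ToString('s') } |
        ForEach-Object {
            [pscustomobject]@{
                Sweep   = $_.Name
                Deleted = $_.Count
                Sids    = @($_.Group.Sid | Sort-Object -Unique)
                Objects = @($_.Group.DN)
            }
        }
}

# Usage:
# Invoke-DuplicateSidCheck -Server dc02
# Invoke-DuplicateSidCheck -Server dc02 -Cleanup        # prompts before cleanup
# Get-SamDuplicateSidEvents -ComputerName dc02 | Format-List
```

A sweep row whose Objects list contains one live DN and one CN=Deleted Objects DN with a single SID is exactly the OP's case: the re-animated account and the tombstone that still carries the same SID were removed together. Run the check against the DC that logs the events, not just the PDC, since the OP saw the duplicates on one replica only.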
eis_lists

Posts:48

04/27/2010 2:39 AM  
Hi all -

Thanks for the suggestions. We wound up demoting the suspect DC and recreating the accounts. With the naughty DC gone, we have not seen any of the weird deletions recur.

I got excited about Rob's suggestion until I read the part about not knowing which one it will clean up! Regardless, when I run those commands (save the cleanup), nothing gets logged to the dupsid.log file.

After poking around a bit more, the only thing I can think is that the RID pool got goofed. We checked them on all of the other DCs and there is no overlap.

Thanks again,

-- nme


Copyright 2009 ActiveDir.org