JSI Tip 4913. How can I detect and remove any duplicate SID?

Every domain controller in your Windows domain receives a pool of RIDs (Relative Identifiers) from the RID FSMO role holder, so that each SID it issues is unique.

If you seize the RID role because the original RID role holder is temporarily unavailable, it is possible for the same RID pool to be allocated to two different domain controllers.

To detect the condition:

1. Open a CMD prompt, type ntdsutil and press Enter.

2. At the Ntdsutil command prompt, type Security Account Management and press Enter.

3. At the Security Account Maintenance prompt, type connect to server <DNS Name Of Server> and press Enter. Connect to the PDC emulator.

4. At the Security Account Maintenance prompt, type check duplicate sid and press Enter. You receive: Duplicate SID check completed successfully. Check dupsid.log for any duplicates. The dupsid.log file is written to the current folder.
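As an added cross-check of the ntdsutil procedure above (this script is not part of the original tip), the following PowerShell reads the RID pool currently allocated to each domain controller and reports overlapping ranges, then looks for objects that already share a SID. It assumes a domain-joined host with the ActiveDirectory (RSAT) module and read access to the domain.

```powershell
# Added example, not from the original tip. Assumes the ActiveDirectory module
# is installed and the caller can read domain objects.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# 1. Read the RID pool handed to each DC. rIDAllocationPool on the DC's "RID Set"
#    object packs the range into one 64-bit value: low 32 bits = first RID,
#    high 32 bits = last RID.
$pools = foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDAllocationPool -Server $pdc -ErrorAction SilentlyContinue
    if ($ridSet) {
        $pool = [int64]$ridSet.rIDAllocationPool
        [pscustomobject]@{
            DC    = $dc.Name
            Start = [uint32]($pool -band 0xFFFFFFFF)
            End   = [uint32]($pool -shr 32)
        }
    }
}
$pools | Sort-Object Start | Format-Table -AutoSize

# 2. Two DCs holding ranges that overlap is the symptom a seized RID role can
#    leave behind; each pair is reported once.
foreach ($a in $pools) {
    foreach ($b in $pools) {
        if ($a.DC -lt $b.DC -and $a.Start -le $b.End -and $b.Start -le $a.End) {
            Write-Warning ("RID pool overlap: {0} [{1}-{2}] and {3} [{4}-{5}]" -f
                $a.DC, $a.Start, $a.End, $b.DC, $b.Start, $b.End)
        }
    }
}

# 3. Objects that already share an objectSid (what "check duplicate sid" lists
#    in dupsid.log). An empty result here does not replace the ntdsutil check.
Get-ADObject -LDAPFilter '(objectSid=*)' -Properties objectSid -Server $pdc |
    Group-Object { $_.objectSid.Value } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("Duplicate SID {0}: {1}" -f $_.Name,
            ($_.Group.DistinguishedName -join '; '))
    }
```

Run it against the PDC emulator before and after the cleanup steps below to confirm that no duplicate SIDs remain and that every DC holds a distinct RID range.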

To clean up a duplicate SID:

1. At the Ntdsutil command prompt, type Security Account Management and press Enter.

2. At the Security Account Maintenance prompt, type connect to server <DNS Name Of Server> and press Enter.

3. At the Security Account Maintenance prompt, type cleanup duplicate sid and press Enter. You will receive confirmation of the removal.

4. At the Security Account Maintenance prompt, type q and press Enter.

5. At the Ntdsutil command prompt, type q and press Enter.
