Discussion:
Dcpromo failed with "Directory object not found"
DavidT
2005-07-29 02:12:02 UTC
Did an in-place upgrade on the PDC without any problem. Set up another Windows 2000
member server and dcpromo'd it as another domain controller, but it failed with
"Directory object not found". This is due to the missing built-in administrator
account - the event log shows that it was deleted as a duplicate. Is there a way
to fix this missing account?

If not, can I roll back to the pre-AD NT PDC? To do this, I will need to properly
demote AD (last domain controller), as I already have 4 other domains in the
forest. How can I do this without losing accounts and folder access rights
across NT domains?

Another option is to set up another domain and use ADMT to migrate users, but I am
not sure of the implications. This domain hosts our internal FTP; will the FTP
access rights of other domain users be lost in the migration? How do I migrate the
Exchange 5.5 server?

Thanks for your advice.

DavidT
Chris Rutledge
2005-07-29 06:54:02 UTC
Hey David, quite an odd issue you have there. Can you be absolutely sure
that the Domain Administrator account with SID "S-1-5-< Unique domain
SID>-500" is missing? Or, possibly, did you mean some other administrator
account on the local machine? Might want to copy/paste the exact error
message you are seeing and any other relevant information you can think of.

Since this is the second DC you are bringing into the environment, I would
definitely be sure of good DNS name resolution as a possibility. I assume
you installed DNS on the first DC, have your domain name forward lookup zone
AD-Integrated, and all the SRV records are there under the _msdcs portion of
the zone? And that the machine you are running DCPromo on has its DNS client
pointing to the first AD DC, and that one only. Sorry I couldn't give you a
better answer, but I just don't have enough information yet.

Thanks!

Chris Rutledge
DavidT
2005-07-29 08:05:03 UTC
Hi Chris,
Thanks for your help. I have upgraded 3 other NT PDCs to Windows 2000 AD
without any problem - each a child domain. I checked Replication Monitor and the
Directory Service event logs; no problem found. The member server I am
promoting has its DNS pointing to the first domain controller, which hosts the
authoritative DNS for this child domain. DNS is AD integrated. SRV records
are OK.

The exact error message I get when dcpromo fails:
----------------
The operation failed because:
The Directory Service is missing critical information and cannot proceed. If
this is a replica, please rejoin the machine to the domain.

"Directory object not found"
---------------

Attached are the 3 event log entries for the duplicate administrator ID being deleted.

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 26-Jul-05
Time: 4:08:15 PM
User: S-1-5-21-1581056957-1160395716-709122288-500
Computer: HKBDC
Description:
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN="Administrator~0
DEL:7692f749-d006-4c6f-bd6e-30d6a9b588e5",CN=Deleted
Objects,DC=hk,DC=aztech,DC=com. All duplicate accounts have been deleted.
Check the event log for additional Duplicates

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 26-Jul-05
Time: 4:08:15 PM
User: S-1-5-21-1581056957-1160395716-709122288-500
Computer: HKBDC
Description:
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN="$AccountNameConflict0
DEL:b1d0afad-a990-4692-b9cf-0d94fd1c6f09",CN=Deleted
Objects,DC=hk,DC=aztech,DC=com. All duplicate accounts have been deleted.
Check the event log for additional Duplicates

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 12293
Date: 26-Jul-05
Time: 4:08:15 PM
User: S-1-5-21-1581056957-1160395716-709122288-500
Computer: HKBDC
Description:
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN="Azadmin
DEL:bebc0bc1-a7f5-45fc-b5b9-f3d5952dfe88",CN=Deleted
Objects,DC=hk,DC=aztech,DC=com. All duplicate accounts have been deleted.
Check the event log for additional Duplicates

Hope this is detailed enough.
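A small triage script for SAM event 12293 records like the ones David pasted, added here as an example and not part of the thread: it parses each record, pulls the SID and RID from the User field, and checks whether the deleted duplicate is already a tombstone under CN=Deleted Objects. The sample log is constructed from two of David's records with the Date/Time fields dropped; the function and class names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: two of the SAM 12293 records quoted in the thread,
# with the Event Type/Category/Date/Time fields dropped.
SAMPLE_LOG = """\
Event ID: 12293
User: S-1-5-21-1581056957-1160395716-709122288-500
Computer: HKBDC
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN="Administrator~0
DEL:7692f749-d006-4c6f-bd6e-30d6a9b588e5",CN=Deleted
Objects,DC=hk,DC=aztech,DC=com. All duplicate accounts have been deleted.

Event ID: 12293
User: S-1-5-21-1581056957-1160395716-709122288-500
Computer: HKBDC
There are two or more objects that have the same SID attribute in the SAM
database. The Distinguished Name of the account is CN="Azadmin
DEL:bebc0bc1-a7f5-45fc-b5b9-f3d5952dfe88",CN=Deleted
Objects,DC=hk,DC=aztech,DC=com. All duplicate accounts have been deleted.
"""

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}  # built-ins

@dataclass
class DuplicateSidEvent:
    computer: str
    sid: str          # SID logged in the record's User field
    rid: int          # last sub-authority of that SID (500 = built-in Administrator)
    account_cn: str   # RDN of the deleted duplicate, e.g. "Administrator~0"
    del_guid: str     # GUID AD appends to a tombstoned object's RDN
    tombstoned: bool  # object sits under CN=Deleted Objects

def parse_sam_12293(text: str) -> list[DuplicateSidEvent]:
    """Split the log into records, keep ID 12293, pull SID and tombstone DN."""
    events = []
    for rec in re.split(r"\n\s*\n", text.strip()):
        if not re.search(r"^Event ID:\s*12293\s*$", rec, re.M):
            continue
        flat = " ".join(rec.split())  # rejoin the wrapped description lines
        sid = re.search(r"User:\s*(S-1-5-21(?:-\d+)+)", flat).group(1)
        computer = re.search(r"Computer:\s*(\S+)", flat).group(1)
        dn = re.search(r'CN="([^"]*?)\s*DEL:([0-9a-f-]{36})"(.*?)\. All', flat)
        events.append(DuplicateSidEvent(
            computer, sid, int(sid.rsplit("-", 1)[1]), dn.group(1),
            dn.group(2), "CN=Deleted Objects" in dn.group(3)))
    return events

def triage(events: list[DuplicateSidEvent]) -> list[str]:
    """One line per record; a well-known RID means a built-in account is gone."""
    return [f"{e.computer}: {WELL_KNOWN_RIDS.get(e.rid, 'RID %d' % e.rid)} duplicate "
            f"'{e.account_cn}' {'tombstoned' if e.tombstoned else 'live'}"
            for e in events]

if __name__ == "__main__":
    print("\n".join(triage(parse_sam_12293(SAMPLE_LOG))))
```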
Paul Williams [MVP]
2005-07-29 09:00:49 UTC
Have you set the NT4Emulator registry key on the PDC?

Have a look at this for more info on this key and its use:
-- http://www.msresource.net/content/view/48/46/
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Chris Rutledge
2005-07-29 09:21:03 UTC
Ah, I was afraid of something like that. The deleted duplicate is still in
CN=Deleted Objects, as it should be. (Cleaned up after tombstone lifetime
and garbage collection runs)

Viewing deleted objects in Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;258310

If you want to see the thing.

Unfortunately, removing the object sooner than the 60-day default is next to
impossible. I will have to research and see if there is a way around this
when I get into work on Sunday.

Chris Rutledge
Paul Williams [MVP]
2005-07-29 10:04:29 UTC
Nice find Chris! I only read the first couple of lines and completely
missed that! [blush]

Anyway, to the original poster David, have a look at the following KB for
information on how to clean up duplicate SIDs:
-- http://support.microsoft.com/?id=315062 (Win 2000)
-- http://support.microsoft.com/?id=816099 (Win 2003)
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
DavidT
2005-07-29 10:45:01 UTC
Does this mean that once garbage collection has cleaned out the deleted
objects, I would not have a problem installing the 2nd DC? If yes, this is great
news. Thanks a lot.
Paul Williams [MVP]
2005-07-29 12:35:16 UTC
Not necessarily. The conflict is in the SAM; not the database per se.

See the links I posted in my other post for info on how to clean this up.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
DavidT
2005-07-30 04:51:01 UTC
Thanks. Hope to try this without screwing up AD. Or I may just wait 60 days
for garbage collection to do the job.
DavidT
2005-08-01 01:17:01 UTC
I ran ntdsutil and it reported no duplicates, which should be expected since the
built-in administrator duplicates have been deleted. How do I expedite
garbage collection to remove the deleted duplicates? Why did a duplicate of the
built-in administrator SID happen in the first place?
Paul Williams [MVP]
2005-08-11 09:38:00 UTC
I've had a quick look around and don't think you can get things out of the
deleted items container any quicker.

As for why this happened, I have no idea. You don't give enough background
in your post to even hazard a guess I'm afraid (and that guess, if it were
able to be made, would be just a guess ;-)
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
DavidT
2005-08-11 09:56:20 UTC
Hi Paul,
Really, thanks for your help. I myself don't know how it happened when you are
not supposed to be able to delete the admin account in the first place. I have
decided to abandon my in-place upgrade and go for a migration to a new DC
instead, consolidating multiple NT domains into a single Windows domain.

DavidT
Paul Williams [MVP]
2005-08-26 07:06:59 UTC
Sorry I couldn't be of more help.

All the best to you!
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net