HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows Server 2003 (816099)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
For a Microsoft Windows 2000 version of this article, see 315062.

SUMMARY

This article describes how to check for and clean up or remove duplicate security identifiers (SIDs) in the SAM database. A unique SID identifies each security account such as users, groups, and computers. You use a SID to uniquely identify a security account and to perform access checks against resources such as files, file folders, printers, Microsoft Exchange mailboxes, Microsoft SQL Server databases, objects that are stored in Active Directory, or any data that is protected by the Windows Server 2003 security model.

A SID contains header information and a set of relative identifiers that identify the domain and the security account. In a domain, each domain controller can create accounts and issue each account a unique SID. Each domain controller maintains a pool of relative IDs that is used to create SIDs. When 80 percent of the relative ID pool is consumed, the domain controller requests a new pool of relative identifiers from the relative ID operations master. This ensures that the same pool of relative IDs is never allocated to different domain controllers, and prevents the allocation of duplicate SIDs. However, because it is possible (but rare) for a duplicate relative ID pool to be allocated, you have to identify those accounts that have been issued duplicate SIDs to prevent incorrect security from being applied.

Duplicate relative ID pools may occur if the administrator seizes the relative ID master role while the original relative ID master is operational but temporarily disconnected from the network. In typical practice, after one replication cycle, the relative ID master role is assumed by just one domain controller. However, before the role ownership is resolved, two different domain controllers might each request a new relative ID pool and be allocated the same relative ID pool.

Start Ntdsutil

To start Ntdsutil:
- Click Start, and then click Run.
- In the Open box, type ntdsutil, and then press ENTER. To access Help at any time, type ? at the command prompt, and then press ENTER.
Look for a Duplicate SID

- At the Ntdsutil command prompt, type security account management, and then press ENTER.
- At the Security Account Maintenance command prompt, type connect to server DNSNameOfServer, and then press ENTER. Connect to the server that stores your SAM database.
- At the Security Account Maintenance command prompt, type check duplicate sid, and then press ENTER. A display of duplicates appears.
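As an added example (not part of the original article and not Ntdsutil's own code), the following Python decodes binary objectSid values into the S-1-... form the SUMMARY describes (revision and authority header, domain sub-authorities, RID) and reports any SID that has been issued to more than one account, which is the condition check duplicate sid displays. The account names and SID values are constructed for illustration.

```python
import struct
from collections import defaultdict


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (objectSid layout) into S-R-A-S1-...-RID form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then little-endian 32-bit
    sub-authorities. For a domain account the last sub-authority is the RID.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def make_sid(domain_subs, rid, authority=5, revision=1) -> bytes:
    """Build a binary SID from domain sub-authorities and a RID (constructed data)."""
    subs = tuple(domain_subs) + (rid,)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Return (domain identifier, RID), the two parts the article's SID description names."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_duplicate_sids(accounts):
    """Map each SID that was issued to more than one account to those account names."""
    by_sid = defaultdict(list)
    for name, raw in accounts:
        by_sid[parse_sid(raw)].append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


# Constructed sample: two DCs were handed the same RID pool, so DC2 issued
# RID 1105 a second time. Domain identifier values are made up.
DOMAIN = (21, 1000, 2000, 3000)
SAMPLE_ACCOUNTS = [
    ("alice", make_sid(DOMAIN, 1105)),       # created on DC1
    ("bob", make_sid(DOMAIN, 1106)),         # created on DC1
    ("svc-backup", make_sid(DOMAIN, 1105)),  # created on DC2 from the duplicate pool
]

if __name__ == "__main__":
    for sid, names in find_duplicate_sids(SAMPLE_ACCOUNTS).items():
        domain, rid = split_sid(sid)
        print("duplicate SID %s (domain %s, RID %d): %s" % (sid, domain, rid, ", ".join(names)))
```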
Clean Up a Duplicate SID

- At the Ntdsutil command prompt, type security account management, and then press ENTER.
- At the Security Account Maintenance command prompt, type connect to server DNSNameOfServer, and then press ENTER. Connect to the server that stores your SAM database.
- At the Security Account Maintenance command prompt, type cleanup duplicate sid, and then press ENTER. Ntdsutil confirms the removal of the duplicate.
- At the Security Account Maintenance command prompt, type q, and then press ENTER.
- When you are finished with Ntdsutil, type q, and then press ENTER.
REFERENCES

For additional information about related topics, click the following article number to view the article in the Microsoft Knowledge Base:

243267 How to Automate Ntdsutil.exe Using a Script
Modification Type: Major
Last Reviewed: 3/1/2004
Keywords: kbActiveDirectory kbHOWTOmaster KB816099

©2004 Microsoft Corporation. All rights reserved.