JSI Tip 4913. How can I detect and remove any duplicate SID?

Jerold Schulman

March 3, 2002


Every domain controller in your Windows domain receives a pool of RIDs (Relative Identifiers) from the RID FSMO role holder, so that each SID it issues is unique.

If you seize the RID role, because the original RID role holder is temporarily unavailable, it is possible that the same RID pool could be allocated to different domain controllers.

To detect the condition:

1. Open a CMD prompt, type ntdsutil, and press Enter.

2. At the Ntdsutil command prompt, type Security Account Management and press Enter.

3. At the Security Account Maintenance prompt, type connect to server and press Enter. Connect to the PDC emulator.

4. At the Security Account Maintenance prompt, type check duplicate sid and press Enter. You receive: Duplicate SID check completed successfully. Check dupsid.log for any duplicates. The dupsid.log should be in the current folder.

To clean up a duplicate SID:

1. At the Ntdsutil command prompt, type Security Account Management and press Enter.

2. At the Security Account Maintenance prompt, type connect to server and press Enter.

3. At the Security Account Maintenance prompt, type cleanup duplicate sid and press Enter. You will receive confirmation of the removal.

4. At the Security Account Maintenance prompt, type q and press Enter.

5. At the Ntdsutil command prompt, type q and press Enter.
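Because ntdsutil accepts its menu commands as quoted command-line arguments, both walkthroughs above can be scripted. The PowerShell script below is an added example, not part of the original tip: it assumes the ActiveDirectory module is available (for Get-ADDomain, used to find the PDC emulator), runs the check, and only offers the destructive cleanup after you have seen the log. The tip does not describe the layout of dupsid.log, so the script reports its lines rather than parsing fields.

```powershell
# Added example (not from the original tip): run the duplicate-SID check
# non-interactively against the PDC emulator and show what dupsid.log contains.
# Assumptions: ActiveDirectory module present; ntdsutil accepts its menu commands
# as quoted arguments; dupsid.log format is not parsed, only displayed.
[CmdletBinding()]
param(
    # Server to connect to; defaults to the domain's PDC emulator as the tip advises.
    [string]$Server = (Get-ADDomain).PDCEmulator,
    # Pass -Cleanup only after you have reviewed dupsid.log.
    [switch]$Cleanup
)

# ntdsutil writes dupsid.log to the current folder; start from a clean slate.
$logPath = Join-Path (Get-Location) 'dupsid.log'
if (Test-Path $logPath) { Remove-Item $logPath }

# Same command sequence as the interactive walkthrough, passed as arguments.
$output = & ntdsutil.exe 'Security Account Management' "connect to server $Server" `
                         'check duplicate sid' q q 2>&1
Write-Verbose ($output -join "`n")

if (-not (Test-Path $logPath)) {
    Write-Warning "No dupsid.log was written; review the ntdsutil output with -Verbose."
    return
}

$entries = Get-Content $logPath | Where-Object { $_.Trim() -ne '' }
if (-not $entries) {
    Write-Host "Duplicate SID check completed: dupsid.log is empty, no duplicates found."
    return
}

Write-Host "Duplicate SID check found entries in $logPath (review before cleanup):"
$entries | ForEach-Object { Write-Host "  $_" }

if ($Cleanup) {
    # Cleanup removes one of each duplicated object, so require explicit confirmation.
    $answer = Read-Host "Run 'cleanup duplicate sid' against $Server? (y/N)"
    if ($answer -eq 'y') {
        & ntdsutil.exe 'Security Account Management' "connect to server $Server" `
                       'cleanup duplicate sid' q q
    }
}
```

Run it first without -Cleanup from an elevated prompt on a domain controller, so the log can be reviewed before any object is removed.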

