Q: Can two Active Directory (AD) accounts have identical SIDs? If so, how can I remove the duplicate account?
March 11, 2009
A: Microsoft provides safeguards to ensure that identical SIDs aren't introduced in a Windows domain. By definition, a SID is unique in the context of a Windows domain, but the AD security system can accidentally give two accounts the same SID when the Relative Identifier (RID) master Flexible Single-Master Operations (FSMO) role is transferred from one domain controller (DC) to another.
The DC that hosts the RID master FSMO role keeps track of all RID pools assigned to the different DCs in a domain. The RID master ensures that each DC is given a unique, non-overlapping pool of RIDs. The RID master prevents duplicate SIDs in the domain, because the RID is a portion of a security principal's SID. Each AD account’s SID consists of the domain's SID and a RID, and the RID is unique for each security principal in a domain.
Duplicate SIDs can exist when an administrator transfers (or "seizes," in AD terminology) the RID master role to another DC while the original RID master is offline, such as if it's temporarily disconnected from the network. When the original RID master is brought back online and hasn't received updated AD replication information, including the RID master change, it could issue a RID pool to a DC that's identical to the RID pool that the other RID master already issued to another DC. These two DCs could generate identical RIDs, and thus identical SIDs, for newly created accounts.
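To make the mechanism above concrete, here is an added Python example (not code from the article) that models an account SID as domain SID plus RID, flags DCs whose RID pools overlap, and finds accounts that share a SID. The domain SID, pool ranges and account names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample domain SID (not a real domain): the common prefix that
# every account SID in the domain shares; only the trailing RID differs.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain SID, RID); raises on malformed input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def overlapping_pools(pools):
    """pools: {dc_name: (first_rid, last_rid)} -> DC pairs whose pools overlap."""
    names = sorted(pools)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = pools[a]
            b_lo, b_hi = pools[b]
            # Two pools overlap when each starts before the other ends; a stale
            # RID master that hands out an already-issued block causes exactly this.
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes

def duplicate_sids(accounts):
    """accounts: list of (sAMAccountName, objectSid) -> {sid: [names]} for shared SIDs."""
    seen = defaultdict(list)
    for name, sid in accounts:
        domain, _rid = split_sid(sid)
        if domain != DOMAIN_SID:
            continue  # not issued from this domain's RID pools; ignore
        seen[sid].append(name)
    return {sid: names for sid, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    # Constructed: DC02 was handed the same block as DC01 by a stale RID master.
    pools = {"DC01": (1100, 1599), "DC02": (1100, 1599), "DC03": (1600, 2099)}
    accounts = [
        ("alice", f"{DOMAIN_SID}-1104"),
        ("bob", f"{DOMAIN_SID}-1105"),
        ("carol", f"{DOMAIN_SID}-1104"),  # same RID as alice: duplicate SID
        ("dave", f"{DOMAIN_SID}-1601"),
    ]
    print("overlapping RID pools:", overlapping_pools(pools))
    print("duplicate SIDs:", duplicate_sids(accounts))
```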
To avoid such duplicates, after you transfer the RID master role between DCs you should always check AD for duplicate SIDs and clean up any that you find. You can check for and clean up duplicate SIDs from the command line using the ntdsutil utility, as shown here.
To check for duplicate accounts, do the following:
Open a command prompt, type ntdsutil, and press Enter.
Type security account management and press Enter.
Type connect to server servername—where servername is the NetBIOS name or Fully Qualified Domain Name (FQDN) of the DC you're connecting to—and press Enter.
Type check duplicate SID and press Enter.
Type q and press Enter to exit the security account management menu.
Type q and press Enter to leave the ntdsutil top menu.
These actions will create a log file called dupsid.log in the file system directory where you started ntdsutil. If any duplicate SIDs exist in your AD, they'll be listed in the dupsid.log file.
To clean up duplicate SIDs, do the following:
Open a command prompt, type ntdsutil, and press Enter.
Type security account management and press Enter.
Type connect to server servername—where servername is the NetBIOS name or FQDN of the DC you're connecting to—and press Enter.
Type cleanup duplicate SID and press Enter. Ntdsutil will then confirm the successful removal of duplicate SIDs.
Type q and press Enter to exit the security account management menu.
Type q and press Enter to leave the ntdsutil top menu.
These actions will delete one of the two account objects that have a duplicate SID—the account with the newest AD GUID. You must then manually recreate the deleted accounts, which will automatically receive new, unique SIDs.