The requested object has a non-unique identifier and cannot be retrieved error deleting AD Group

  • Question

  • Hello all, I'm having an issue with the above error when trying to delete a group in ADU&C. The group was originally created by the Lync 2010 installer, I uninstalled Lync and a few months later tried to reinstall it. It now kicks out an error when it tries to re-create this group. If I try and delete it manually I get the above error.

    I can rename it, but not the sAMAccountName, so I can't just rename it and tuck it away. I've tried the duplicate check with NTDSUTIL and it doesn't find any, and I've checked that otherWellKnownObjects is set to <not set>.

    If I select Properties in ADSIEDIT I get error code 0x2121, "The search failed to retrieve attributes from the database"; when I click OK the properties appear.

    Unfortunately I only discovered this after the backup had passed its limits, so I can't just restore it. I have Exchange 2010 installed on another member server. Everything else seems to be working fine.

    How do I get rid of it? This is my home test environment, so worst case I can demote all but one DC and then, if there is a way of editing the NTDS.dit offline, I can lose it that way and then promote the others, if there's a way of doing that?

    Thanks.

    Saturday, April 14, 2012 2:50 PM

All replies

  • Have you checked these:

    http://www.windows-error-repair.org/error-code/8481.html

    http://support.microsoft.com/kb/2526455


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Saturday, April 14, 2012 3:00 PM
  • I'm not sure the first link is relevant; it seems a rather generic page suggesting it's either malware or the registry, which I'd find surprising as this is domain-wide over several DCs. It's less surprising when you increment the error code by one and get the exact same page!

    The second I don't think applies, as this AD has not been recovered, is not read-only, and only this particular group is affected. I've requested the hotfix anyway; might be worth a shot if nothing else.

    Good shouts though, keep them coming!


    xrs444

    Saturday, April 14, 2012 3:10 PM
  • Since it is a test environment, can you rerun adprep /domainprep? It seems there is some permission issue; check how it works afterwards.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.



    Saturday, April 14, 2012 3:25 PM
  • Assuming the error is accurate, the only AD attributes that uniquely identify objects are: distinguishedName, sAMAccountName, objectSID, and objectGUID. Not all objects have sAMAccountName, but for those that do, the value must be unique in the domain. The other 3 must be unique in the forest (or globally). I believe I have heard of situations where duplicate sAMAccountNames happened, but it would be rare. I think you could also imagine duplicate objectSID values (messed up RID master, perhaps improperly restored DC). Perhaps it would help to determine which attribute is not unique. If the common name of the group is "groupname", try this command at the command prompt of a domain controller:

    dsquery * -Filter "(cn=groupname)" -attr distinguishedName sAMAccountName objectSID objectGUID

    If this raises an error, then try different combinations of 3 of the attributes and maybe that will indicate which is the problem. I would expect the command to return all 4, even if there are duplicates. Then you can check for uniqueness of each with commands similar to the following:

    dsquery * -Filter "(sAMAccountName=groupname)"

    This query works with objectSID values (including the prefix "S-" and all dashes), but I cannot get it to work with objectGUID values. Still, I would expect the problem to be with either sAMAccountName or objectSID. If any query returns more than one result, then you have a duplicate where none should exist. I'll try to find the article I remember about duplicate sAMAccountNames (I think it was by Joe Richards), in case it had a fix.


    Richard Mueller - MVP Directory Services

    Saturday, April 14, 2012 4:11 PM
  • Adprep won't run; it throws an error saying it's already updated. I'm not sure if there's a way to force it, but I'm a few schema updates forward from the S2K8R2 one (Lync domainprep, Exchange 2007, Exchange 2010, etc.).


    xrs444

    Saturday, April 14, 2012 4:18 PM
  • Well, the search was easy. Now to read it (I haven't yet):

    http://blog.joeware.net/index.php?s=duplicate+sAMAccountName

    As for duplicate RIDs, I believe the cause would be using a snapshot to restore a domain controller, or similar.


    Richard Mueller - MVP Directory Services

    Saturday, April 14, 2012 4:26 PM
  • C:\>dsquery * -filter "(sAMAccountName=RTCUniversalSBATechnicians)"
    "CN=REALLYRATHERBROKEN!,CN=Users,DC=xrs444,DC=lan"

    C:\>dsquery * -filter "(objectSID=S-1-5-21-418381426-868645460-4191795362-6107)"
    "CN=REALLYRATHERBROKEN!,CN=Users,DC=xrs444,DC=lan"

    C:\>dsquery * -filter "(objectGUID=Y\8E\E4\C1\12\EB\CEL\8C\97\1Ft\C9\C7\E0\9C)"
    "CN=REALLYRATHERBROKEN!,CN=Users,DC=xrs444,DC=lan"

    There's nothing else with the name REALLYRATHERBROKEN!, as I changed that when I noticed the problem and started testing. The GUID has to be in slashed hex to search with; it took me a little while to figure that out.

    So, either the duplicate error is a red herring, I've fluffed a search or something seriously odd is going on.

    Suggestions?

    Thomas


    xrs444

    Saturday, April 14, 2012 5:37 PM
  • Yes, you can always query for GUIDs by escaping the bytes, but you need to remember to reverse the first 8 bytes in groups (from the form enclosed in curly braces). You figured it out. The result is that you do not have a duplicate. Unless the duplicate is in the "cn=Deleted Objects" container? This is just a wild guess, but if you have Windows Server 2008 R2, you can run the following PowerShell statement to check:

    Get-ADObject -LDAPFilter "(&(sAMAccountName=RTCUniversalSBATechnicians)(isDeleted=TRUE))" -IncludeDeletedObjects




    Richard Mueller - MVP Directory Services

    Saturday, April 14, 2012 6:48 PM
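Putting the uniqueness checks from the two posts above into one script, as an added example that is not code from the thread or from either poster. It assumes the RSAT ActiveDirectory module, a reachable domain controller and read access to the domain, Deleted Objects container included. A DIT cannot hold two objects with the same distinguishedName, so only the other three identifiers Richard lists are tested, against live objects alone or with tombstones included when -IncludeDeleted is passed. The function names and output layout are this example's own, and the curly-brace GUID at the end is derived here from the escaped bytes in the OP's third dsquery.

```powershell
# Added example, not code from the original thread. Checks whether the identifying
# attributes of one object (sAMAccountName, objectSid, objectGUID) collide with any
# other object in the domain, optionally including tombstones in CN=Deleted Objects.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function ConvertTo-LdapGuidFilter {
    # An LDAP filter needs objectGUID as 16 escaped bytes in stored order.
    # [guid]::ToByteArray() already emits the first three groups little-endian,
    # which is the "reverse the first 8 bytes in groups" step described above.
    param([Parameter(Mandatory)][guid]$Guid)
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:X2}' -f $_ }) -join ''
    return "(objectGUID=$escaped)"
}

function Find-DuplicateIdentifiers {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$IncludeDeleted   # also search tombstones (LDAP show-deleted control)
    )
    $target = @(Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties sAMAccountName, objectSid, objectGUID)
    if ($target.Count -eq 0) { throw "No live object has sAMAccountName '$SamAccountName'." }
    $target = $target[0]   # if more than one came back, the loop below reports it as a duplicate

    $filters = [ordered]@{
        sAMAccountName = "(sAMAccountName=$($target.sAMAccountName))"
        objectSid      = "(objectSid=$($target.objectSid.Value))"   # AD accepts the S-1-5-... string form
        objectGUID     = ConvertTo-LdapGuidFilter -Guid $target.objectGUID
    }

    foreach ($attr in $filters.Keys) {
        $search = @{ LDAPFilter = $filters[$attr]; Properties = 'isDeleted' }
        if ($IncludeDeleted) { $search['IncludeDeletedObjects'] = $true }
        $hits   = @(Get-ADObject @search)
        $status = if ($hits.Count -gt 1) { 'DUPLICATE' } else { 'unique' }
        [pscustomobject]@{
            Attribute = $attr
            Filter    = $filters[$attr]
            Matches   = $hits.Count
            Status    = $status
            Objects   = ($hits | ForEach-Object {
                            if ($_.isDeleted) { "$($_.DistinguishedName) [tombstone]" } else { $_.DistinguishedName }
                        }) -join '; '
        }
    }
}

# The group from this thread; -IncludeDeleted covers the Deleted Objects guess as well.
Find-DuplicateIdentifiers -SamAccountName 'RTCUniversalSBATechnicians' -IncludeDeleted |
    Format-Table Attribute, Matches, Status, Objects -AutoSize -Wrap

# GUID derived from the escaped bytes in the OP's third dsquery; the function emits the
# same sequence, except that dsquery printed the printable bytes 0x59, 0x4C and 0x74
# literally as Y, L and t.
ConvertTo-LdapGuidFilter -Guid 'c1e48e59-eb12-4cce-8c97-1f74c9c7e09c'
```

A Matches value above 1 on any row is the duplicate the error message refers to, and the [tombstone] tag shows when the second copy exists only in Deleted Objects. For the group in this thread every row comes back unique, which is what the OP's dsquery output and the Deleted Objects check already showed, so the error text itself is not pointing at a duplicate any LDAP client can see.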
  • Good call with the deleted objects, sadly no dice. :/


    xrs444

    Saturday, April 14, 2012 7:22 PM
  • Hello,

    Please see here about Lync removal from AD; maybe this helps you:

    http://blog.ucmadeeasy.com/2010/11/09/lync-server-2010-active-directory-references-and-how-to-remove-them/


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, April 15, 2012 9:54 AM
  • I had a look through it; it's pretty much what I've done. The problem is I can't delete one of the groups!

    I'll have another look through tonight and see if there's anything left floating around.

    Thanks!

    xrs444

    Tuesday, April 17, 2012 8:47 AM
  • Hi,


    The group was originally created by the Lync 2010 installer, I uninstalled Lync and a few months later tried to reinstall it. It now kicks out an error when it tries to re-create this group.


    >> I'd like to confirm: which group did you mention?


    Please try to use LDP to delete the objects:


    Ldp
    http://technet.microsoft.com/en-us/library/cc771022(v=WS.10).aspx

    Hope this helps!

    Best Regards
    Elytis Cheng

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    TechNet Community Support

    Wednesday, April 18, 2012 11:12 AM
    Moderator
  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’, as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Elytis Cheng

    TechNet Community Support

    Saturday, April 21, 2012 7:11 AM
    Moderator
  • Sorry, I was called away for a few days and couldn't get back to this, the problem persists.

    LDP throws the same error: "Error 0x219D The requested object has a non-unique identifier and cannot be retrieved." I don't believe any tool talking to AD using the standard method will be able to work here; the DC will not carry out the operation. Something that can edit the NTDS.DIT file would be useful?

    I've also gone through and checked, and I can't find any references left from the removing-Lync-from-AD article Meinolf Weber posted.

    Further suggestions would be very helpful!

    Thanks all

    xrs444

    Saturday, April 21, 2012 9:45 AM
  • Hi,


    Please try to reduce the Tombstone Life Time to 2 to test:


    The Tombstone Lifetime is 180 days, and we might have to reduce it to 2 days so that the Garbage Collection process deletes those objects from the Deleted Objects container within 2 days. Changing the Tombstone Lifetime period shouldn’t be a problem; however, the following things should be considered:

    1. AD replication should be working fine. Speeding up the deletion could create lingering objects. This would only occur if something was deleted and then garbage collection removed it before a DC was made aware of the original deletion. If we’re not seeing any replication events and all DCs are online, it shouldn’t be a problem.
    2. Once the objects are deleted we would have to change the TSL back to the original value.
    3. This will speed up the permanent deletion of objects so recovery of deleted objects will not be an option after the garbage collection occurs.

    Please follow these steps to reduce the Tombstone Lifetime period. To modify the tombstone lifetime by using Ldp.exe:

    1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
    2. To connect and bind to the server that hosts the forest root domain of your Active Directory environment, under Connections, click Connect, and then click Bind.
    3. In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify.
    4. In the Modify dialog box, in Edit Entry Attribute, type tombstoneLifetime.
    5. In the Modify dialog box, in Values, type the number of days that you want to set for the tombstone lifetime value. (The minimum is 2 days.)
    6. In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.

    Please feel free to contact me if you need any help in following the action plan.


    Hope this helps!


    Best Regards
    Elytis Cheng

    TechNet Community Support

    • Marked as answer by xrs444 Sunday, April 29, 2012 7:49 PM
    Monday, April 23, 2012 2:09 AM
    Moderator
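The Ldp.exe procedure above, scripted as an added example that is not code from the thread or from the answer's author. It assumes the RSAT ActiveDirectory module and an account allowed to write the Configuration partition (Enterprise Admins, or delegated rights). The backup file path and function names are this example's own; the 180-day value and the 2-day minimum are the ones the answer states, while the 60-day figure in Get-TombstoneLifetime is the built-in default that applies when the attribute has never been set, which the thread does not mention.

```powershell
# Added example, not code from the original thread. Records the current
# tombstoneLifetime, lowers it so garbage collection purges the stuck tombstone,
# and restores the original value afterwards (points 2 and 3 of the answer).
# Assumes the RSAT ActiveDirectory module and rights to write the Configuration NC.
Import-Module ActiveDirectory

$BackupPath = Join-Path $env:TEMP 'tombstoneLifetime-before.xml'   # path chosen for this example

function Get-DirectoryServiceObject {
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC> carries tombstoneLifetime.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
}

function Get-TombstoneLifetime {
    $ds = Get-DirectoryServiceObject
    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute absent: the forest runs on the built-in default of 60 days
        # (forests created before Windows Server 2003 SP1 never had it written).
        [pscustomobject]@{ Days = 60; Explicit = $false }
    } else {
        [pscustomobject]@{ Days = [int]$ds.tombstoneLifetime; Explicit = $true }
    }
}

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][ValidateRange(2, 2147483647)][int]$Days)   # 2 days is the minimum
    $ds = Get-DirectoryServiceObject
    if ($PSCmdlet.ShouldProcess($ds.DistinguishedName, "Set tombstoneLifetime to $Days day(s)")) {
        Set-ADObject -Identity $ds -Replace @{ tombstoneLifetime = $Days }
    }
}

function Restore-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $saved = Import-Clixml -Path $BackupPath
    $ds    = Get-DirectoryServiceObject
    if ($PSCmdlet.ShouldProcess($ds.DistinguishedName, "Restore tombstoneLifetime (was $($saved.Days) days)")) {
        if ($saved.Explicit) {
            Set-ADObject -Identity $ds -Replace @{ tombstoneLifetime = $saved.Days }
        } else {
            Set-ADObject -Identity $ds -Clear tombstoneLifetime   # it was never set; return to the default
        }
    }
}

# 1. Record what is there now, so step 4 has something to restore.
$before = Get-TombstoneLifetime
$before | Export-Clixml -Path $BackupPath
"tombstoneLifetime is $($before.Days) days (explicitly set: $($before.Explicit)); saved to $BackupPath"

# 2. Preflight for point 1 of the answer: every DC must have replicated the deletion
#    before garbage collection purges it, or the stragglers keep a lingering object.
repadmin /replsummary

# 3. Lower the window. Garbage collection runs every 12 hours by default, so allow
#    more than two full days before expecting the tombstone to be gone.
Set-TombstoneLifetime -Days 2

# 4. Once the group has been deleted and re-created, put the original value back:
#    Restore-TombstoneLifetime
```

Both write functions use ShouldProcess with ConfirmImpact High, so under the default $ConfirmPreference they prompt before touching the directory; add -WhatIf to see the target DN without changing anything. Keeping the saved value in a file rather than a variable matters because the restore happens in a different session days later, and restoring with -Clear rather than writing 60 preserves the distinction between an unset attribute and an explicit value.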
  • Done, I guess we'll see in two days! :)

    xrs444

    Thursday, April 26, 2012 7:56 PM
  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’, as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Elytis Cheng

    TechNet Community Support

    Saturday, April 28, 2012 7:40 AM
    Moderator
  • So it's been two days since we set the new tombstone life, and I just deleted the group through ADU&C as per normal, and the Lync install was able to recreate the group successfully.

    Nice trick with the tombstone lifetime, I'll remember that one!

    Thanks to everyone for your help, much appreciated.

    xrs444

    Sunday, April 29, 2012 7:49 PM
  • Hi,

    Glad to hear that the issue had been resolved!

    Best Regards

    Elytis Cheng

    TechNet Community Support

    Wednesday, May 2, 2012 3:27 PM
    Moderator
  • Hi All,

    I have a problem with some user accounts on a domain controller, Event ID 12293:

    There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=user\0ADEL:098781b1-b125-4770-88c1-18c6c322226f,CN=Deleted Objects,DC=xxx,DC=com. All duplicate accounts have been deleted. Check the event log for additional duplicates. Please help me.

    Thanks

    Bikash

    Thursday, May 3, 2012 7:34 AM
  • Bikash,

    Please create a new thread, as this one has been marked as answered.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Sandesh Dubey Thursday, May 3, 2012 8:05 AM
    Thursday, May 3, 2012 7:39 AM
  • Hi,

    Please submit a new thread to separate the issues. This will be beneficial to other community members reading the thread, and it will be more efficient to troubleshoot the problem.

    Thanks for your understanding!

    Best Regards

    Elytis Cheng

    TechNet Community Support

    Thursday, May 3, 2012 8:05 AM
    Moderator