Domain Controller shows SID with its Name

    Question

  • I recently migrated all the domain controllers in a multi-site environment to Server 2016. In one of the sites, one domain controller shows its name with some kind of code (I believe it's a SID). Now it doesn't allow me to transfer FSMO roles to the new server using the new server name (STWN-AD03). See attached. Sites and Services and /replsummary also show the server name with the same name.

    I hope you can help me find what caused it. Like I mentioned this domain has 3 sites and changes replicated throughout all sites.

    I was thinking replication delays might have caused it while I'm upgrading, because after upgrading Site A, I didn't check all changes are replicated to other 2 sites before moving on to Site B. Any thoughts? 

    How can I fix this? Is there any way without going for a fresh server? (because we already migrated a payroll application to the new server)

     

    Janindu Nanayakkara

    Friday, May 17, 2019 12:39 AM

Answers

  • Hi,
    It is recommended that we add a new 2016 DC with another name instead of this DC called STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6.

    And then check that this new DC is working properly, and AD replication is normal.

    Then transfer fsmo roles to this new 2016 server.

    At last, demote the DC called STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6.




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 20, 2019 10:25 AM
    Moderator

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    To better understand our question, please confirm the following information:

    1. How many domains do we have?

    2. How many DCs are there at each site?

    3. Is the replication between these DCs normal? We can run the command to check: repadmin /showrepl and repadmin /summary

    4. Is the replication between DCs at all sites normal? 
    We can run the command to check: repadmin /showrepl and repadmin /summary

    5. Now who is the FSMO roles holder? We can run the command to check: netdom query FSMO

    6. Do we mean we see
    STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6 only on this DC or on all the DCs?
    Or all places where STWN-AD03 should be displayed show STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6?

    7. What is the display name under 
    Control Panel\System and Security\System?


    If we check the AD replication between all DCs is OK. What is the display name of STWN-AD03 we can see?
    STWN-AD03 or STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6

    1. Active Directory Users and Computers on its own DC and on all other DCs.
    2. DNS Manager on its own DC and on all other DCs.
    3. All other places display this name.


    If we replace the STWN-AD03 with STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6 in this command: Move-ADDirectoryServerOperationMasterRole -Identity "STWN-AD03\0ACNF:f99fb510-ffa7-b4ee-8ab93309a5f6" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster, can we run it successfully?



    Best Regards,
    Daisy Zhou


    Friday, May 17, 2019 3:39 AM
    Moderator
  • The name with the string "\0ACNF:" means the system has detected duplicate object names. One of the objects should be renamed.

    When two objects are created with the same Relative Distinguished Name (RDN) in the same parent Organizational Unit or container, the conflict is recognized by the system when one of the new objects replicates to another domain controller. When this happens, one of the objects is renamed (the RDN is "mangled") to make it unique. The new RDN will be <Old RDN>\0ACNF:<objectGUID>.

    See this Wiki describing the situation, how to find the duplicates, and how to fix the situation:

    https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

    Edit: The string added to the end of the mangled object name is actually the GUID of the object. To find both objects in AD, you can use the following PowerShell:

    Get-ADObject -Filter {Name -Like "STWN-AD03*"}

    or you use the following dsquery command at the command prompt of a DC or client with RSAT:

    dsquery * -Filter "(Name=STWN-AD03*)"

    This should reveal the distinguished names of both objects. One object should be deleted, unless you know for sure that both physical computers actually exist. If you choose to retain the object with the mangled name, it should be renamed after deleting the duplicate.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, May 17, 2019 11:06 AM
  • Hi Daisy,

    Thanks for your reply. Here are the answers to your questions.

    1. We have 3 Domains including root domain. 

    St.local, ak.ST.local, wn.ST.local

    2. We got 3 sites.

    Site A : ST.local & ak.ST.local. Site B: ST.local & wn.ST.Local. Site C: wn.ST.local

    3. repadmin /showrepl - All replication attempts are successful 

    4. repadmin /showrepl - All replication attempts are successful 

    Site A

    5.

    Not the problematic DC 

    6. All the DCs - in all AD sites and services, repadmin /showrepls 

    7. It shows correctly in Control Panel\System and Security\System

       1. Active Directory Users and Computers on its own DC and on all other DCs. - Shows correctly STWN-AD03
       2. DNS Manager on its own DC and on all other DCs. - Shows correctly all DCs
       3. All other places display this name. - Shows correctly STWN-AD03

    It did not work replacing the name with GUID as you suggested. Got the same error as last time.

    Thanks,

    Janindu


    Janindu Nanayakkara

    Sunday, May 19, 2019 11:58 PM
  • Hi Richard,

    Couldn't see any duplicates. 

    2016 DC

    2012 DC

    But the GUID seems different from the one shown with the repadmin /replsummary command.

    Any ideas? 

    Cheers,

    Janindu


    Janindu Nanayakkara

    Monday, May 20, 2019 12:11 AM
  • It has been a while since I experimented with duplicate object names. I created the objects for testing when I wrote the Wiki article I linked. I remember using the commands I suggested to see the distinguished names (DNs) of the objects. Is it possible the duplicate got deleted or renamed? I would try the following to find the duplicate with the mangled name.

    dsquery * -Filter "(Name=*CNF:*)"

    Or search for the object with the GUID.

    Get-ADObject -Filter {objectGUID -eq "f99fb510-ffa7-b4ee-8ab93309a5f6"}

    I should note that the string "\0ACNF:" added to the name only results from AD recognizing that an object with a duplicate name has been created. The string "\0A" is a carriage return in hex. "CNF" stands for something like "Conflicting Name Found". The two objects must be created on different DCs before replication would prevent the duplicate. You may also have replication problems that make finding the object difficult.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, May 20, 2019 12:03 PM
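
The conflict-name searches suggested in the replies above, combined into one added PowerShell example (not part of any poster's reply): it looks for "\0ACNF:" names in both the domain and the Configuration naming contexts, because the server objects shown in Sites and Services are stored in the Configuration partition, and pairs each hit with any same-named sibling in the same container. Split-ConflictName is a hypothetical helper, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Hypothetical helper: split a mangled name into the old RDN value and the GUID.
function Split-ConflictName {
    param([Parameter(Mandatory)][string]$Name)
    # The stored name holds a raw 0x0A byte; a DN string shows it as "\0A".
    $parts = $Name -split '(?:\n|\\0A)CNF:', 2
    if ($parts.Count -ne 2) { return $null }
    [pscustomobject]@{ OldName = $parts[0]; Guid = $parts[1] }
}

# Get-ADObject searches only the domain partition by default, so name the
# Configuration partition explicitly as a second search base.
$rootDse = Get-ADRootDSE
$bases = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

$report = foreach ($base in $bases) {
    $found = Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -SearchBase $base `
        -SearchScope Subtree -Properties whenCreated
    foreach ($obj in $found) {
        $info = Split-ConflictName -Name $obj.Name
        if (-not $info) { continue }
        # Parent DN = everything after the first unescaped comma.
        $parent = $obj.DistinguishedName -replace '^.+?(?<!\\),', ''
        # Assumes the old name has no LDAP filter metacharacters: ( ) * \
        $twin = Get-ADObject -LDAPFilter "(name=$($info.OldName))" `
            -SearchBase $parent -SearchScope OneLevel -Properties whenCreated
        [pscustomobject]@{
            ConflictDN      = $obj.DistinguishedName
            ConflictGuid    = $info.Guid
            ConflictCreated = $obj.whenCreated
            TwinDN          = $twin.DistinguishedName
            TwinCreated     = $twin.whenCreated
        }
    }
}
$report | Format-List
```

An empty TwinDN in the output means no object with the original name currently exists in that container.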
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Wednesday, May 22, 2019 12:51 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
     
    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Friday, May 24, 2019 6:57 AM
    Moderator