MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Add-ADDBSidHistory / There was a problem reading the database, which probably comes from a different OS / After Exchange 2019 Schema Update #182

Open pbachmann77 opened 5 months ago

pbachmann77 commented 5 months ago

Hi Michael

New issue: after the Exchange 2019 schema update... only the schema, no PrepareAD. We need the Exchange attributes in AD for M365 sync.

Server OS 2022, Active Directory schema version 88, Exchange schema version 17003.

I can't update the SID.... In the past 3 months it was working, on the same server without the Exchange schema.

Message:

Add-ADDBSidHistory : There was a problem reading the database, which probably comes from a different OS. Try defragmenting it first by running the 'esentutl /d ntds.dit' command.

DEBUG: Opening the Active Directory database.
Add-ADDBSidHistory : There was a problem reading the database, which probably comes from a different OS. Try defragmenting it first by running the 'esentutl /d ntds.dit' command.

MichaelGrafnetter commented 5 months ago

Hello @pbachmann77 , are you please able to reproduce the issue in a test environment and share the database file(s) with me? Also please be aware that SID updates through DSInternals are unsupported by Microsoft and might cause unexpected problems.

pbachmann77 commented 5 months ago

Hi @MichaelGrafnetter, you can simply recreate it in a lab:

  1. Install a 2022 DC with current patches.
  2. Download the Exchange 2019 ISO, CU14 (newest).
  3. .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema
  4. NO SID update is possible.

If you do "PrepareAD", the SID update is possible: .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /OrganizationName:"Test Local" BUT then you have all the Exchange OUs, users and groups, which I never use.

We only need the Exchange attributes in AD, for example "extensionattribute1", for the M365 / AADC sync.

MichaelGrafnetter commented 5 months ago

@pbachmann77 I tried it in a lab environment and I was not able to replicate the issue. Are you please using the latest version of DSInternals? Would you please be able to share the problematic lab database, without any production data?

pbachmann77 commented 5 months ago

Here you have 3 ZIPs.

MichaelGrafnetter commented 5 months ago

Thanks a lot, @pbachmann77, for sending the data. I am still unable to replicate the issue, as both of the following commands work on my Windows Server 2022 test DC with your sample DB without any issues:

Add-ADDBSidHistory `
   -SamAccountName Administrator `
   -DatabasePath 'C:\NTDS_with_Exchange_Schema_Update\ntds.dit' `
   -SidHistory 'S-1-5-21-3576572144-2942335999-2637578681-1001' `
   -Force `
   -Verbose
VERBOSE: Adding SID history to principal Administrator.
Get-ADDBDomainController -DatabasePath C:\NTDS_with_Exchange_Schema_Update\ntds.dit
Name                       : TESTSID01
DNSHostName                : TESTSID01.test.local
ServerReference            : CN=TESTSID01,OU=Domain Controllers,DC=test,DC=local
DomainName                 : test.local
ForestName                 : test.local
NetBIOSDomainName          : TEST
DomainSid                  : S-1-5-21-3576572144-2942335999-2637578681
DomainGuid                 : ffceaf07-43a8-452b-9186-c0df27cae2c2
Guid                       : 87ce8023-9842-4c6a-afcb-246ad93a33ca
Sid                        : S-1-5-21-3576572144-2942335999-2637578681-1001
DomainMode                 : Win2016
ForestMode                 : Win2016
SiteName                   : Default-First-Site-Name
DsaGuid                    : 08e89d65-1c4b-4925-b533-20cc09fbbf47
InvocationId               : 08e89d65-1c4b-4925-b533-20cc09fbbf47
IsADAM                     : False
IsGlobalCatalog            : True
Options                    : GlobalCatalog
OSName                     : Windows Server 2022 Standard
OSVersion                  : 10.0
OSVersionMajor             : 10
OSVersionMinor             : 0
DomainNamingContext        : DC=test,DC=local
ConfigurationNamingContext : CN=Configuration,DC=test,DC=local
SchemaNamingContext        : CN=Schema,CN=Configuration,DC=test,DC=local
WritablePartitions         : {DC=test,DC=local, CN=Configuration,DC=test,DC=local,
                             CN=Schema,CN=Configuration,DC=test,DC=local, DC=DomainDnsZones,DC=test,DC=local...}
State                      : Running
HighestCommittedUsn        : 36875
UsnAtIfm                   :
BackupUsn                  : 35445
BackupExpiration           : 11/12/2024 7:19:07 PM
Epoch                      : 21963

Could you please send me the following info?

(Get-Item -Path C:\Windows\System32\esent.dll).VersionInfo.FileVersionRaw

Sample output:

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      20348  2340


pbachmann77 commented 5 months ago

[attached screenshots: Version_ESE, Version_DsInternals, ServerOS]

pbachmann77 commented 5 months ago

More tests: I restored AD with the NTDS files "with Exchange Schema" -> I can change the SID :-) It's possible that the permissions on the NTDS folder are changed after the Exchange schema update...? Now I must do a new test from scratch...

Other test: modifying the NTDS files in another folder and copying them back after the changes.

MichaelGrafnetter commented 4 months ago

@pbachmann77 User Account Control (UAC) might indeed be blocking your access to the NTDS directory. I see that you are copying the DB files back and forth, which is very error-prone (transaction logs, database epoch, etc.). Please do not do such operations on production DCs if you don't know what exactly you are doing. There is a huge risk of damaging your AD this way.
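The checks raised in this thread (elevated session, esent.dll version, module version, working on a copy rather than the live database) collected into one pre-flight function, as an added example that is not part of the thread or of the DSInternals project. The database path is a placeholder; the function only reads file metadata and does not modify the database.

```powershell
# Added example (not from the thread or the DSInternals project): pre-flight checks
# before running an offline DSInternals cmdlet against a COPY of ntds.dit.
# Assumes DSInternals is installed; the path passed below is a placeholder.
function Test-DsInternalsPreflight {
    param(
        [Parameter(Mandatory)] [string] $DatabasePath
    )
    $result = [ordered]@{}

    # 1. UAC: an un-elevated shell may be denied access to the NTDS directory.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result.IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. ESE version, as requested in the thread (the reading OS must match the writing OS).
    $esent = Get-Item -Path "$env:SystemRoot\System32\esent.dll"
    $result.EsentVersion = $esent.VersionInfo.FileVersionRaw

    # 3. Installed DSInternals module version (latest one found).
    $module = Get-Module -ListAvailable -Name DSInternals |
              Sort-Object Version -Descending | Select-Object -First 1
    $result.DSInternalsVersion = if ($module) { $module.Version } else { $null }

    # 4. Database file state and whether the transaction logs were copied along with it.
    $db = Get-Item -Path $DatabasePath -ErrorAction Stop
    $result.DatabaseReadOnly = $db.IsReadOnly
    $result.LogFiles         = (Get-ChildItem -Path $db.DirectoryName -Filter '*.log').Name
    $result.IsLiveNtdsPath   = $DatabasePath -like "$env:SystemRoot\NTDS\*"

    [pscustomobject]$result
}

# Placeholder path: point this at an IFM export or backup copy, never the live DB.
$check = Test-DsInternalsPreflight -DatabasePath 'C:\NTDS_copy\ntds.dit'
$check | Format-List
if (-not $check.IsElevated)  { Write-Warning 'Run from an elevated PowerShell session.' }
if ($check.IsLiveNtdsPath)   { Write-Warning 'Work on a copy of the database, not the live one.' }
if (-not $check.LogFiles)    { Write-Warning 'No transaction logs next to the DB; copy them too.' }
```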