After successfully completing the installation of a consolidated Exchange server (with UM) into a new lab network I was immediately presented with this error upon starting the Exchange Management Console.
Initialization failed
The following error occurred when retrieving user information for ‘SCHERTZ\administrator’:
The operation couldn’t be performed because objects ‘S-1-5-XXXXX-500’ couldn’t be found on ‘dc.schertz.local”. It was running the command ‘Get-LogonUser’.
Researching this error returned a handful of articles which attributed it either to a period in the NetBIOS domain name or to general time synchronization issues between the Exchange servers and domain controllers. Nothing applied to my environment thus far.
Then I ran across a discussion in the TechNet forums that made a light-bulb go off. Using the Sysinternals tool PsGetSid I quickly checked the computer SID of the Exchange Server and compared it to the Domain SID on the domain controller.
Oops. Until now I had been using another common Sysinternals utility called NewSID on every cloned VM I deployed in lab and production environments. But that tool is no longer supported by Microsoft, does not work on Windows Server 2008 (causes blue-screen), and has been officially denounced by its author Mark Russinovich. The supported procedure is to use Sysprep, but there has been a heated debate on whether that is even needed in terms of changing the machine SID.
For the past year I’ve been building and rebuilding lab and demo environments using mainly Server 2008 R2 and have been creating direct clones with duplicated SIDs and had not run into any issues. That includes various beta, release candidate, and RTM installations of Exchange Server 2007, 2010, OCS 2007, and Lync 2010. Typically I would use a combination of Windows Server versions and editions so often I was side-stepping the issue by having different source installations for the domain controllers and member servers. In this specific environment I used the same Server 2008 R2 Enterprise image for all servers.
Clearly I need to go back to using Sysprep as Exchange is not happy. But in the meantime I need to get Exchange Server functioning without rebuilding the entire Active Directory forest.
Resolution
1. Stop all Exchange Services
The simplest way to stop all the Exchange Server 2010 services is to first stop the Microsoft Exchange Active Directory Topology service, which will also cause the majority of the other Exchange services to stop due to service dependencies. Once that is complete the only services left running should be the Microsoft Exchange Forms-Based Authentication and the Microsoft Exchange Information Store services.
- Issue the following commands from the Windows Command Prompt (or manually stop these services from the Services administration console).
net stop MSExchangeADTopology
net stop MSExchangeFBA
net stop MSExchangeIS
2. Backup Database
Even if this is a brand new installation it is still important to back up any mailbox databases, as the recovery process will not recreate this data. Now that the Information Store service is stopped the databases are closed and can be copied to another location.
- Locate and copy the entire mailbox database folder on the Exchange Server to another server. The folder name will be unique to your installation of Exchange.
C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 1911135048
3. Redeploy Virtual Machine
Delete the existing Exchange virtual machine and either build a fresh installation (which will automatically create a unique computer SID) or reimage the same source VHD used previously. Make sure to follow up that process with a simple Sysprep or for a more granular approach check out Brian Desmond’s article.
- Shut down and delete the existing Exchange Server virtual machine.
Because the new virtual machine will have the same name as the old server the cleanest way to handle this is to reset the computer account so that the new server will use the same object in AD which has already been granted rights to the Exchange organization as a server.
- Locate the Exchange server’s Computer Account in Active Directory Users and Computers and select the Reset Account action.
- Deploy a new virtual machine for the Exchange Server and after the initial startup simply launch the Sysprep application, selecting the OOBE, Generalize, and Reboot options. Clicking OK will immediately reboot the virtual machine and begin the process.
C:\Windows\System32\sysprep\sysprep.exe
- After the server reboots complete the initial basic wizard and then rename the computer to the same name used by the previous Exchange Server deployment (e.g. EXCH). Validate that the computer SID is now unique.
- Join the server to the Active Directory domain.
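The SID comparison done earlier with PsGetSid can also be scripted. The PowerShell below is an added example, not part of the original post; the function names are hypothetical, the SID in the comment is a constructed sample, and it sticks to PowerShell 2.0 syntax so it runs on Server 2008 R2.

```powershell
# Added example: compare this server's machine SID with the domain SID.
# Function names are hypothetical; they are not part of any Microsoft module.

function Get-MachineSid {
    # The machine SID is the SID of any local account minus its final RID.
    # The built-in local Administrator always has RID 500, even when renamed.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'No local account with RID 500 was found.' }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    # Needs a domain-joined session: reads objectSid from the domain head object.
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $sid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid[0], 0)
    return $sid.Value
}

function Test-SidCollision {
    param(
        [string]$MachineSid = (Get-MachineSid),
        [string]$DomainSid  = (Get-DomainSid)
    )
    # When both values match, the local Administrator (RID 500) and the domain
    # Administrator (RID 500) end up with the identical SID string.
    New-Object PSObject -Property @{
        MachineSid = $MachineSid
        DomainSid  = $DomainSid
        Collision  = ($MachineSid -eq $DomainSid)
    }
}

# Before the domain join, pass the domain SID noted from the DC
# (constructed sample value shown):
#   Test-SidCollision -DomainSid 'S-1-5-21-1111111111-2222222222-3333333333'

# After the domain join, both values are discovered automatically:
Test-SidCollision | Format-List
```

Collision should read False on the redeployed server; True means the image was cloned without Sysprep again.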
4. Restore Database
Before reinstalling the Exchange Server components it is important to put the mailbox database files back on the redeployed server.
- Manually recreate the path to the mailbox database files and restore the copied directory to the new virtual server.
C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 1911135048
5. Recover Exchange Server
Perform a recovery installation of Exchange Server after all prerequisite software has been reinstalled on the new server.
- From the command line on the new Exchange Server run the following setup command to begin the recovery installation process. This will pull configuration information about the previous Exchange server from Active Directory and reconfigure the new installation identically.
D:\>Setup /m:RecoverServer /InstallWindowsComponents
Welcome to Microsoft Exchange Server 2010 Unattended Setup
Setup will continue momentarily, unless you press any key and cancel the
installation. By continuing the installation process, you agree to the license
terms of Microsoft Exchange Server 2010.
If you don’t accept these license terms, please cancel the installation. To
review the license terms, please go to
Press any key to cancel setup…………….
No key presses were detected. Setup will continue.
Preparing Exchange Setup
Copying Setup Files COMPLETED
The following server roles will be recovered
Languages
Hub Transport Role
Client Access Role
Unified Messaging Role
Mailbox Role
Management Tools
Performing Microsoft Exchange Server Prerequisite Check
Configuring Prerequisites COMPLETED
Language Pack Checks COMPLETED
Hub Transport Role Checks COMPLETED
Client Access Role Checks COMPLETED
Unified Messaging Role Checks COMPLETED
Mailbox Role Checks COMPLETED
Configuring Microsoft Exchange Server
Preparing Setup COMPLETED
Stopping Services COMPLETED
Copying Exchange Files COMPLETED
Language Files COMPLETED
Restoring Services COMPLETED
Languages COMPLETED
Hub Transport Server Role COMPLETED
Client Access Role COMPLETED
Unified Messaging Server Role COMPLETED
Mailbox Server role COMPLETED
Exchange Management Tools COMPLETED
Finalizing Setup COMPLETED
The Microsoft Exchange Server setup operation completed successfully.
Setup has made changes to operating system settings that require a reboot to
take effect. Please reboot this server prior to placing it into production.
- Manually restart the server as instructed.
- After the restart completes launch the Exchange Management Console and verify that the original error is gone and the organization details appear.
- Most likely the database will need to be manually mounted after the restoration, so go to Mailbox Organization Configuration and mount the database.
So as to not waste next Sunday morning troubleshooting who-knows-what-else I’m moving back to using Sysprep on all cloned images again.
Nice article but will this also recover 3rd party certificates or will they have to be recreated?
The certificates are not stored in the database but on the server itself, so they would need to be exported prior to reimaging the server.
I have the exact same issue. My Exchange server (in the main domain) and a domain controller for our subdomain have the same SID. I am only seeing the netlogon error, but everything else seems ok. Any reason why I should change the SID? What if I used Sysprep, would that work? I know that I would have to add the machine back to the domain again, but would that break anything else?
If you just use Sysprep on the Exchange Server as is then you'll mess up the Exchange deployment pretty badly; it is advised to follow these steps instead.
All domain controllers in AD share the same SID. I am guessing, demoting a DC the SID should change also? Just wonder how it could happen that your Exchange Server had the same SID as your DC?
Gene, it was because all virtual servers were duplicated from the same original server build prior to any dcpromo steps. The Machine SID never changes, unless Sysprep is run.
I am happy that you solved my "The operation couldn’t be performed because objects ‘S-1-5-XXXXX-500’ couldn’t be found on ‘dc.schertz.local”. It was running the command ‘Get-LogonUser’." mystery.
I have installed and reinstalled so many times and finally found what the problem is.
Worked like a champ! You saved me a lot of time – thank you!
Worked perfectly! Thank you so much.
You probably saved me a good 20 hours with this post! Only issue I had was that my command line recovery would not accept the /InstallWindowsComponents switch.