4

I V2V a Hyper-V guest in production running Exchange 2007 to ESXi 4.1 last night. Today I discovered that while the exchange works, I am not able to add new organizations and mailboxes to it. Been reading a little about the subject, and if I understand it correctly the SID has been changed, and therefore the trust between the AD and the Exchange server has been broken. It's to me a mystery users are able to use it at all then.

I have no prior experience of setting exchange up, so I'm willing to cross fire in order to get it working without doing a fresh install (using 'setup.exe /M:RecoverServer'?). From what I understand, I have about the following options:

  1. Get old SID from old Hyper V based server and either change SID on the vmware exchange 2007, or change SID for the exchange in the AD. People seem to generally think this is a world of trouble, but is it doable? I wouldn't be scared to test it out, I can always revert to snapshots of the virtual machine. Other Pros and Cons?

  2. Re-install windows and exchange using the RecoverServer switch. Benefits would be R2 of windows 2008, and getting to know exchange in the process. But I know just a simple replacement of a ssl certificate was a hassle, and apparently we have loads of custom local rules because of the integration with (the now discontinued) DotNetPanel and the hosted exchange nature. To my knowledge, the DotNetPanel server binaries are no longer available, so it would also require us to fully test and then migrate 15 servers to WebSitePanel in production.

  3. Reattach the mailbox databases to the old exchange 2007, and not being able to move from Hyper V on HP MSA hardware. Leave it be, move on and forget? :)

  4. Throw in the towel and either get Microsoft support, or simply invest (a lot) in hiring a consultant.

Edit: The error message when creating a new mailbox is something like "Address list service failed". Will check the exact message when I arrive at work tomorrow. My apologies for not including it.

Edit 2: It's clearly not because of a change of SID, I will move this to a new post instead as the problem is completely unrelated to (a change of) SID. new thread here

3molo
  • Robert Moir: I saw your comment prior to it being deleted. Here's the answer: I did get some external help in establishing that the change of SID is the root cause, so I will have to get back to you on how that was determined. As far as the SID being changed, it is to my knowledge always changed when significant hardware changes take place, which it indeed does from moving it from hyper v to esxi. Is that incorrect? – 3molo May 04 '11 at 18:47
  • 4
    What are the eventids of the errors in the event log? Such a process, p2v, v2v has never broken any SIDs. Looks like your problem is somewhere else. – Vick Vega May 04 '11 at 18:47
  • 3
    sorry, moved comment to an answer as I wanted to add a few recovery ideas that should get you going no matter what. As Vick Vega says, simply moving an install of Windows P2V, V2V or P2P *does not* change the SID and anyone who tells you differently shouldn't be allowed near your windows servers. So either that didn't happen or someone did something very odd and non-standard during the migration of the VM. – Rob Moir May 04 '11 at 18:56
  • 2
    I'm a bit late to this party (sounds screwed up BTW, condolences!). I'm not entirely convinced your SID has changed, which I guess is a good thing. I assume you've rebooted the VM a couple of times for good measures? You'd be surprised what stopped services can do to Exchange and the weird and (usually totally off) wonderful error messages you get. What is the output of `Test-ServiceHealth` from the Exchange Management Shell? – Ben Pilbrow May 04 '11 at 19:39

3 Answers

5

So what are the errors you're actually experiencing, and how have you established that your migration changed the machine SID? I ask this because if it has, this is the first time I have seen this happen (simply moving a VM from one host to another doesn't, or at least shouldn't do this), so my first thoughts would be to look elsewhere for what the real problem actually is.

As for your recovery options:

Changing the SID makes me uncomfortable on an Exchange Server. Even if you can establish that this is the fault and change it back without causing a crash then I'd be unhappy to continue using that server. The other proposed solutions don't fill me with joy either (possibly because I don't understand what 15 dotnetnuke servers have to do with exchange).

At this point, I'd maybe see if I could add another mailbox role server to the exchange organisation then attempt a move mailbox. If that works then all should be gravy. If not then (this may scale badly depending on number of users, but it's "dumb" enough to work pretty much no matter what) consider exporting mailboxes to a PST and then importing to a new mailbox server.

Edit

Just as a point of interest, what happens when you run the exchange best practices analyser on that server (and if present, another exchange server in the org)? That might shed some light on what has happened, and if it's a common scenario then Microsoft are pretty good at linking to useful knowledge-base articles directly from the exchange BPA reports.

Secondly, just a silly point, you have checked all the usual name resolution of DCs is ok, that the time/date/timezone are correct, etc (seriously, time getting out of sync can be a big problem with virtual machine guests, and the time being wrong will make active directory pull a sad face when exchange tries to talk to it).

Rob Moir
  • DotNetPanel, web control panel for web hosters that allows customers to create organizations, mail accounts, distribution groups, web spaces etc etc. The mailbox databases are intact, and can easily be migrated or (iSCSI) initiated on the old Hyper-V guest. – 3molo May 04 '11 at 18:54
  • 3
    If you're sure the only problem is that you cannot add new mailboxes (again what error do you get) then regardless of why this happened I would still be looking to bring up a new mailbox role server and move the mailboxes over to it. I've done mailbox moves no end of times as part of exchange "swing" migrations from one version to another or onto new hardware. It's a good robust process that should work well unless the exchange org itself is pretty well boned, in which case you have to decide how much effort to invest in fixing the current setup before going for a svr -> .pst -> svr migration. – Rob Moir May 04 '11 at 18:59
  • He who told me it's (likely) SID problems, said that "yes the SID never changes, and because of the (virtualized) hardware changes exchange will not work. I can not guarantee that this is the problem, I didn't see anything about SIDs in the event logs". – 3molo May 04 '11 at 19:28
  • 2
    He who told you that is either leaving out a *massive* back story about some important and non standard part of the process used to do this move, and I mean movie length back story, or (how do I put this delicately) they're grasping at straws and bluffing (let's face it, from what you say they've already gone from "SID changed, that's your problem" to "OK, SIDs don't change, so it's the hardware..."). I appreciate that it's going to be difficult to get an explanation of which of those two it is from them, but it would be useful for you to know. – Rob Moir May 04 '11 at 19:37
  • @Robert: agreed, and I'd also like to point out that Exchange doesn't care *at all* about the underlying hardware, as long as it has enough resources to run and no disks/paths are missing. – Massimo May 04 '11 at 20:13
  • 2
    What you'd expect to see in a p2v migration is an OS activation notice, due to HAL changes. Not a SID change. – Holocryptic May 04 '11 at 21:34
  • Great help from all of you, decided to give Robert the correct answer as he was first to point out that a change of SID should not have taken place, and it seems it didn't. Please see my new thread! – 3molo May 05 '11 at 07:17
2

As others have said, a P2V or V2V migration is not supposed to change the SID of the migrated computer, for the exact reason you're experiencing: it would not be anymore a working domain machine after completing the process, and this is not only a trouble for Exchange, but for anything running in a domain environment. So, unless someone or something ran Sysprep or NewSID or whatever on the machine, its SID should not have changed at all. Out of curiosity, how was the migration accomplished exactly?

That said, determining if this actually is the source of your problem is fairly easy: just have a look in the computer's event log for Event 5513 from the Netlogon service, as described here: http://support.microsoft.com/kb/150963; or for any other domain-logon-related errors: there should be plenty of them, if the trust relationship between the computer and its domain has actually been broken. If you can't see any, then a changed SID is very likely not your problem.

Massimo
  • The migration was made using vmware converter, installed vmware guest tools and then NICs were reconfigured. I don't think it's related, but the Base Device Driver of vmware tools couldn't be found, I am currently trying to get that working on (yet another) migrated exchange (obviously with no network connectivity to not mess up) – 3molo May 04 '11 at 19:30
  • @3molo: I'm absolutely 100% sure that VMware converter doesn't change SIDs, as I've personally migrated countless domain-joined machines using it (and some domain controllers, too). Also, Windows *never* changes a SID on its own, be it for hardware changes or any other reason. – Massimo May 04 '11 at 20:10
  • @3molo: so, what about the system logs? – Massimo May 04 '11 at 20:10
  • Massimo: See the new thread, link in the bottom of my question – 3molo May 05 '11 at 07:17
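
One way to run the check described in the answer above, as an added example that is not part of the original thread: it lists Netlogon errors and warnings from the System log, looks for Event 5513, and asks Netlogon to verify the machine's secure channel. It assumes PowerShell 2.0 or later in an elevated session on the migrated server; the `$Since` parameter and its two-day default are hypothetical.

```powershell
# Added example: run in an elevated PowerShell 2.0+ session on the migrated server.
param(
    # Assumption: approximate time the converted VM was first booted.
    [datetime]$Since = (Get-Date).AddDays(-2)
)

# Pull errors (2) and warnings (3) from the System log since the migration,
# then keep only those logged by the Netlogon service.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 2, 3; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'netlogon' })

# Event 5513 is the one the answer points to (KB150963).
$sidEvents = @($events | Where-Object { $_.Id -eq 5513 })

# Ask Netlogon directly whether the secure channel to the domain verifies.
# The cmdlet throws on a machine that is not domain-joined, hence the catch.
try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $channelOk = $false; Write-Warning $_.Exception.Message }

# Count per event ID so other domain-logon errors are visible as well.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

if ($sidEvents.Count -gt 0 -or -not $channelOk) {
    'Trust relationship looks broken: review the Netlogon events listed above.'
} else {
    'No Event 5513 and the secure channel verifies: look elsewhere.'
}
```
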
0

Sounds like the computer account is screwed up. I wonder what would happen if you stopped Exchange, took the server out of the domain, added it back in and rebooted? Can you put the virtual disk in differencing mode while you test this?

uSlackr
  • I've seen many recommendations never to take an exchange out of a domain to rejoin it, are you sure about this? What exactly do you mean by differencing mode? Snapshotting? – 3molo May 04 '11 at 18:53
  • 2
    **I wonder what would happen if you stopped Exchange, took the server out of the domain, added it back in and rebooted?** I'm going to vote for "very bad things, followed shortly by a test of the backups". – Rob Moir May 04 '11 at 19:04
  • 1
    I am not sure about this. I suggest a $300 MS call – uSlackr May 04 '11 at 19:04
  • Well, the server is not working anyway, so it may be worth trying; also, when you remove a computer from a domain, the computer account is not deleted, nor is any Exchange-related object in the Configuration container (as this is not even supposed to happen). So maybe it *could* actually work... – Massimo May 04 '11 at 19:12
  • I still suggest using the $300 with MS support. They are very good. – uSlackr May 04 '11 at 19:13
  • That would be a TOTAL waste of money. – Vick Vega May 04 '11 at 20:13
  • Vick Vega: Can you please elaborate? – 3molo May 05 '11 at 07:18