TfsAdminUtil SID /change not migrating users

    Question

  • We have a TFS 2005 installation on a single box. Because of an Active Directory migration from one domain to another, we ran the "TfsAdminUtil sid /change domainA domainB" command to migrate the users between the two domains. Most of the users that got migrated are listed once, but some get listed twice when running the "TfsAdminUtil sid" command, e.g.

    Account Name                  Found    Equal to Windows SID
    -----------------------------------------------------------
    userA                      True     True
    userA                      True     False

    Found 17 SIDs in the database.
    Of these were 16 found in Windows and 4 had a different SID.

    How can I "force" the SIDs to match up or get rid of the accountName whose SID does not equal the Windows SID?

    Thanks

    Monday, October 20, 2008 9:23 AM

Answers

  • Our problem was not being able to create a new project in TFS 2005, as it was failing with the error "TF30170: the plugin Microsoft.ProjectCreationWizard.WorkItemTracking Failed during task WITS from group WorkItemTracking". Also, the eScrum UI would not come up after our AD migration.

    We were under the impression that the cause of all these errors was that the SIDs were not matching for some users, as shown by the "TfsAdminUtil sid" command.

    As it turned out, it was a membership problem, but it was a problem with a user that was marked as "synced up" by the "TfsAdminUtil sid" command (i.e. the results for this user were True True, and not True False). The "TfsAdminUtil sid" results were misleading, or maybe they were not the right place for us to look.

    Anyways, here's how we solved it:

    1. Turn on logging for the web services on the TFS application tier server and set it to the verbose level. See http://blogs.msdn.com/jefflu/archive/2005/08/11/450342.aspx, i.e. set <add name="traceLevel" value="4" /> and <add key="commandLogging" value="All"/> in the web.config under the \Microsoft Visual Studio 2005 Team Foundation Server\Web Services\ directory.

    2. From the log file generated, look for all the SIDs it's trying to resolve. Typically the group SIDs (these are longer than the user SIDs) are not problematic, so you can just focus on the user SIDs.

    3. Use tfsSecurity.exe's "/i SID:" option to see whether all the SIDs from the log file can be resolved or not. The non-resolving SID is the identitySid required for Step 2 from http://support.microsoft.com/kb/948679

    4. Complete the next steps mentioned in the KB article. 

    Thanks Bill for pointing us at this KB article.
    -Sourabh
    • Marked as answer by SourabhM Wednesday, October 29, 2008 8:09 PM
    Tuesday, October 28, 2008 6:44 PM
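
Steps 2 and 3 of the answer above, sketched in PowerShell as an added example that is not part of the original post. The log lines are constructed (the real trace format will differ; only the embedded SID strings matter), "user SID" is assumed to mean the Windows domain-account shape S-1-5-21-…-RID, and the server name is a placeholder.

```powershell
# Constructed sample of verbose web-service trace output (not real TFS log lines).
$sampleLog = @'
[Info] ReadIdentity sid=S-1-5-21-1111111111-2222222222-3333333333-1105
[Info] ReadIdentity sid=S-1-5-21-1111111111-2222222222-3333333333-1105
[Info] IsMember group=S-1-9-1000000001-1000000002-1000000003-1000000004-0-0-0-0-1
[Warn] ReadIdentity sid=S-1-5-21-4444444444-5555555555-6666666666-2310
'@

function Get-CandidateUserSid {
    # Hypothetical helper: returns each distinct domain-account SID found in
    # the given log lines, with the number of times it was seen.
    param([Parameter(Mandatory)][string[]]$Line)

    $anySid  = '\bS-1-\d+(?:-\d+)+'              # any SID string
    $userSid = '^S-1-5-21-\d+-\d+-\d+-\d+$'      # domain account: 3 sub-authorities + RID

    $counts = @{}
    foreach ($l in $Line) {
        foreach ($m in [regex]::Matches($l, $anySid)) {
            # $null casts to 0, so the first sighting becomes 1
            $counts[$m.Value] = 1 + [int]$counts[$m.Value]
        }
    }

    # Longer, group-style SIDs fail the anchored pattern and are dropped here.
    $counts.GetEnumerator() |
        Where-Object { $_.Key -match $userSid } |
        Sort-Object Key |
        ForEach-Object { [pscustomobject]@{ Sid = $_.Key; Hits = $_.Value } }
}

# For a real log, replace the split sample with: Get-Content -Path <log file>
$server = 'TFS-SERVER-PLACEHOLDER'
Get-CandidateUserSid -Line ($sampleLog -split "`r?`n") | ForEach-Object {
    # Emit the step-3 check to run by hand on the application tier.
    'tfssecurity.exe /server:{0} /i SID:{1}   # seen {2}x in log' -f $server, $_.Sid, $_.Hits
}
```

With the constructed sample this prints two tfssecurity command lines, one per distinct user SID, and skips the group-style SID.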

All replies

  • Hi SourabhM

    Please check http://support.microsoft.com/kb/948679.


    Please mark the replies as answers if they help and unmark them if they provide no help.
    • Proposed as answer by Bill.Wang Friday, October 24, 2008 2:42 AM
    Tuesday, October 21, 2008 2:05 AM
  • Hi Bill,
    Thanks for the response.

    The KB article mentions how to fix the problem by updating the group membership using a web service method. But we don't have any group memberships listed for the deleted SIDs, so we can't use the web method to fix this.

    Any other ideas on how to fix these SIDs not matching up, or on getting rid of the duplicate SID?

    Thx

    Monday, October 27, 2008 8:07 PM
  • If that is the case, the problem is a little complicated. The database is not in a normal state. We don't recommend deleting records from the database directly. There can be some unpredictable side effects. I'd like to suggest that you open a support incident at http://support.microsoft.com/. After the problem is analyzed, there should be a workaround provided to you.


    Tuesday, October 28, 2008 7:08 AM