TF50605: There was an error looking up the SID for OLD-DOMAIN\CCNETNIGHTLYBUILD.

In order to delete the workspace, we need to remap it to a valid user account. Here’s the process to do just that.

Firstly, we should list the workspaces on this computer we’re having problems with (in this case, BUILDSERVER01).

C:\>tf workspaces /owner:* /server:http://tfs-server:8080 | findstr BUILDSERVER01
Workspace		Owner				Computer	Comment
----------------------- ------------------------------- --------------- -------------------------------
BUILDSERVER01		saCCNetNightly			BUILDSERVER01	Temporary CruiseControl.NET Wo
BUILDSERVER01		OLD-DOMAIN\CCNETNIGHTLYBUILD	BUILDSERVER01 	Temporary CruiseControl.NET Wo
BUILDSERVER01		saCCNetNightly			BUILDSERVER01

We may as well attempt to delete the workspace, though the process is likely to fail as it wont be able to resolve the SID if the domain is no longer available.

C:\>tf workspace /delete /server:http://tfs-server:8080 BUILDSERVER01;OLD-DOMAIN\CCNETNIGHTLYBUILD
TF50605: There was an error looking up the SID for OLD-DOMAI\CCNETNIGHTLYBUILD.

At this point, we need to open up the TfsVersionControl table and manually point the workspaces to a valid identity. The first stage is to identify the ID of the missing account:

SELECT IdentityId FROM tfsVersionControl.tbl_Identity WHERE (DisplayName LIKE 'OLD-DOMAIN\CCNETNIGHTLYBUILD')

Now that we have the ID, we can locate the workspaces the owner has on the server we’re having problems with.

SELECT WorkspaceId, OwnerId, WorkspaceName FROM tfsVersionControl.tbl_Workspace WHERE (OwnerId = 311) AND (Computer = 'BUILDSERVER01')

We should now update the tfsVersionControl.tbl_Workspace table with a valid IdentityId from the tfsVersionControl.tbl_Identity table. Once that’s done, try the delete command again:

C:\>tf workspace /delete /server:http://tfs-server:8080 "BUILDSERVER01;Dave Hope"
A deleted workspace cannot be recovered.
Workspace 'BUILDSERVER01;Dave Hope' on server 'http://tfs-server:8080' has 0 pending change(s).
Are you sure you want to delete the workspace? (Yes/No) Yes

And hey presto, the workspace is gone.

I came across a product called Likewise, the free open-source version is available in the standard Ubuntu repositories. Here’s a quick guide for how to get up and running with likewise-open.

Firstly, install Likewise.

$ sudo aptitude install likewise-open

The final part of the installation will prompt you for some information about your Active Directory domain. If you need to change the settings you enter here run dpkg-reconfigure krb5-config.

The second screen asks you for an administrative domain controler where password changes will occur.

With the installation complete we now need to join the system to the Active Directory domain, this is accomplished with one simple command.

$ sudo domainjoin-cli join NWTRADERS.MSFT Administrator

I then wanted domain admins to be able to use sudo. This can easily be achieved by adding the following to the end of the /etc/sudoers file.

%NWTRADERS\\domain^admins ALL=(ALL) ALL

So I thought I’d document the process should anyone else find themselves in a similar situation. To do most of the below, you’ll need to be an Enterprise Admin.

1. Remove all the DNS entries for the missing DCs and the child domain. Make sure you get the GUID entries too.
2. Fire up ntdsutil and follow the below steps. When you select a server to connect to, connect to the operation master.
   ntdsutil: metadata cleanup
metadata cleanup:
metadata cleanup: connections
server connections:
server connections: connect to server london.nwtraders.msft
Binding to london ...
Connected to london using credentials of locally logged on user
server connections:
server connections: quit
metadata cleanup:
metadata cleanup: select operation target
select operation target:
select operation target: list domains
Found 2 domain(s)
0 - DC=nwtraders,DC=msft
1 - DC=child,DC=nwtraders,DC=msft
select operation target:
select operation target: select domain 1
No current site
Domain - DC=child,DC=nwtraders,DC=msft
No current server
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup:
metadata cleanup: remove selected domain


   Depending on the exact situation, you may get an error about needing to remove a server first (Sorry, I can’t recall the exact error). If you do, there’s an extra step you need to undertake first.

   ntdsutil: metadata cleanup
metadata cleanup:
metadata cleanup: connections
server connections:
server connections: connect to server london.nwtraders.msft
Binding to london ...
Connected to london using credentials of locally logged on user
server connections:
server connections: quit
metadata cleanup:
metadata cleanup: select operation target
select operation target:
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
select operation target:
select operation target: select site
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
No current domain
No current server
No current Naming Context
select operation target:
select operation target: list servers in site
Found 1 server(s)
0 - CN=brisbane,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=msft
select operation target: select server 0

   Then repeat the first process to remove the server (remove selected server).

3. Open up Active Directory Sites And Services and remove any stranded servers.