When a Delivery Controller is un-joined from the domain and re-joined, the SID of the Controller changes, so a new site has to be created (this is an unsupported scenario and state when there is only one Controller in the environment).
To remove the Controller's mapping from the database completely, it may also be necessary to change the host name of the Controller.
While creating the new site with the new Controller name, site creation may fail with the exception 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException':
Error Id: XDDS:1252C91D
Exception:
Citrix.Console.Models.Exceptions.ScriptException Unexpected error. Contact Citrix Support.
at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.CreateException[T](ICommonLog logger, ExecutionResults`1 results, ICmdletExecutionHost host)
at Citrix.Console.PowerShellInteraction.CmdletExecutionMethods.Execute[T](ISdkCmdlet`1 sdkCmd, ICmdletExecutionHost host, Boolean allowFailover)
at Citrix.Console.PowerShellInteraction.SdkServiceBase.GetDatabaseScript(ICmdletExecutionHost cmdletExecutionHost, String instanceAddress, SdkScriptType sdkScriptType, String serviceGroupName, String controllerSid, Boolean databaseIsLocal, String databaseName, DataStore dataStore)
at Citrix.Console.PowerShellSdk.DatabaseService.Scripts.GenerateSchemasScript.RunScript()
at Citrix.Console.PowerShellInteraction.PowerShellScript`1.Run()
at Citrix.Console.PowerShellSdk.DatabaseService.PSDatabaseService.GenerateSchemaForAllDatabases(String serviceGroupName, String databaseServer, String databaseName, ScriptType scriptType, Boolean sqlcmdScript, IProgressReporter progressReporter, ScriptExecutionContext context)
at Citrix.Console.PowerShellSdk.DatabaseService.PSDatabaseService.CreateAllDatabasesInOneDataStore(UserCredentials credentials, String serviceGroupName, DataStoreModel dataStore, IProgressReporter progressReporter, ScriptExecutionContext context)
at Citrix.Console.PowerShellSdk.SiteService.Scripts.CreateEmptySiteScript.RunScript()
at Citrix.Console.PowerShellInteraction.PowerShellScript`1.Run()
at Citrix.Console.PowerShellSdk.SiteService.Scripts.FullDeploymentScript.RunScript()
at Citrix.Console.PowerShellInteraction.PowerShellScript`1.Run()
at Citrix.Console.DeliveryCenter.UI.Dialogs.FullDesktopDeploymentWizardViewModel.Commit(IProgressReporter progressReporter)
at Citrix.Console.CommonControls.Wizard.PageContainerViewModel.<CreateCommitProgressViewModelInternal>b__6(IProgressReporter progressReporter)
at Citrix.Console.CommonControls.Wizard.CommitProgressViewModel.PerformOperationInternal()
DesktopStudio_ErrorId : ExceptionThrown
Exception : System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: Exception of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException' was thrown.
at Citrix.Fma.Sdk.ServiceCore.Isolation.GetUuidOfComputer(SecurityIdentifier sid)
at Citrix.Fma.Sdk.ServiceCore.DBInit.DBInitBase.GetSchemas(String databaseName, String serviceGroupName, String scriptType, Boolean localDatabase, String sid, String dataStore, String& schema)
at Citrix.Fma.Sdk.ServiceCore.LogicBase.<>c__DisplayClass30.<GetSchemas>b__2f()
at Citrix.Fma.Sdk.ServiceCore.LogicBase.Delegation[T](String name, Func`1 operation)
at Citrix.Fma.Sdk.ServiceCore.LogicBase.GetSchemas(String databaseName, String serviceGroupName, String scriptType, Boolean localDatabase, String sid, String dataStore, String& schema)
at Citrix.Fma.Sdk.ServiceCore.ServiceBase.<>c__DisplayClassa.<GetSchemas>b__9()
at Citrix.Fma.Sdk.ServiceCore.ServiceBase.CheckedCall[T](String name, Func`1 operation, Func`2 defaultValue, Enum code)
Reason : ActiveDirectoryObjectNotFoundException
Message : Exception of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException' was thrown.
Sdk Error Message : An exception occurred. The associated message was Exception of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException' was thrown.
Sdk Error ID : Citrix.XDPowerShell.Status.ExceptionThrown,Citrix.AdIdentity.Sdk.Cmdlets.DataStore.Commands.GetAcctDBSchemaCommand
ErrorCategory : NotSpecified
DesktopStudio_PowerShellHistory : Full Desktop Deployment
12/16/2016 3:05:05 PM
Get-AcctDBSchema -AdminAddress "LXW12R2-CTX1.jmp.local" -DatabaseName "CitrixAppsBHM" -LocalDatabase -ScriptType "FullDatabase" -ServiceGroupName "AppsBHM"
Get-AcctDBSchema : An exception occurred. The associated message was Exception of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException' was thrown.
+ CategoryInfo : InvalidOperation: (:) [Get-AcctDBSchema], InvalidOperationException
+ FullyQualifiedErrorId : Citrix.XDPowerShell.Status.ExceptionThrown,Citrix.AdIdentity.Sdk.Cmdlets.DataStore.Commands.GetAcctDBSchemaCommand
Reset or bypass the LSA cache on the Controller (which might still be holding the old name of the database) so that the DDC contacts Active Directory directly to authenticate the machine account, rather than relying on the LSA cache on the server.
The local security authority (LSA) caches the mapping between the SID and the user name in a local cache on the domain member computer. The cached user name is not synchronized with domain controllers. The LSA on the domain member computer first queries the local SID cache. If an existing mapping is already in the local SID cache, the LSA returns the cached user name information instead of querying the domain controllers. This behavior is intended to improve performance.
The cache entries do time out; however, recurring queries by applications are likely to keep an existing cache entry alive for the maximum lifetime of the entry.
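As an added diagnostic (example code, not part of the Citrix article), the following PowerShell compares the SID that the local LSA, and therefore its SID cache, resolves for the Controller's computer account with the objectSid a domain controller returns over LDAP. A mismatch shows the stale cache mapping that the un-join/re-join leaves behind. It assumes the Controller is domain joined and can reach a domain controller; the function and parameter names are my own, and the account names in the comments are examples.

```powershell
# Added example, not from the Citrix article: compare the LSA-resolved SID of the
# controller's computer account against the objectSid stored in Active Directory.

function Get-LsaResolvedSid {
    param([Parameter(Mandatory)][string]$AccountName)   # e.g. 'JMP\LXW12R2-CTX1$'
    # NTAccount.Translate calls LookupAccountName, which goes through the LSA and its SID cache.
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-AdComputerSid {
    param([Parameter(Mandatory)][string]$SamAccountName)  # e.g. 'LXW12R2-CTX1$'
    # [adsisearcher] queries a domain controller over LDAP and bypasses the local SID cache.
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No computer object '$SamAccountName' found in Active Directory" }
    $bytes = [byte[]]$result.Properties['objectsid'][0]
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Test-ControllerSidMapping {
    param(
        [string]$ComputerName  = $env:COMPUTERNAME,
        [string]$NetbiosDomain = $env:USERDOMAIN   # assumption: the logged-on user's domain is the machine's domain
    )
    $sam    = "$ComputerName`$"                    # computer accounts carry a trailing '$'
    $lsaSid = Get-LsaResolvedSid -AccountName "$NetbiosDomain\$sam"
    $adSid  = Get-AdComputerSid  -SamAccountName $sam
    [pscustomobject]@{
        Account = "$NetbiosDomain\$sam"
        LsaSid  = $lsaSid
        AdSid   = $adSid
        Match   = ($lsaSid -eq $adSid)   # $false indicates a stale local SID cache entry
    }
}

# Usage: run on the Delivery Controller before attempting site creation again.
Test-ControllerSidMapping | Format-List
```

If `Match` is `$false`, the local LSA is still handing out the pre-rejoin SID for the computer account, which is consistent with the `GetUuidOfComputer(SecurityIdentifier sid)` frame in the stack trace above failing to find the object in Active Directory.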
To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:
Note: The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.
The LSA maintains a SID cache on domain member computers. This cache stores mappings between SIDs and user names. If the SID information exists in the local cache, the LSA returns the cached user name information instead of checking whether the user name has changed.
The local SID cache helps reduce domain controller workload and network traffic. However, inconsistency may occur between the local cache and the domain controllers.
IMPORTANT: It is recommended to revert the LSA registry value to 1 once the purpose is served.
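The workaround and the revert step, as an added PowerShell example that is not part of the Citrix article: it records the current LsaLookupCacheMaxSize value, sets it to 0 to disable the local SID cache, and later restores the recorded value (falling back to 1, as recommended above, when no record exists). It assumes the value lives under the standard LSA key HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which the article does not name, and that it is run in an elevated session on the Controller. The function names and the backup file path are my own.

```powershell
# Added example, not from the Citrix article: toggle the local LSA SID cache via
# LsaLookupCacheMaxSize and keep a record of the prior state for the revert step.
# Assumption: the value is under the standard LSA key path below.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaLookupCacheMaxSize'

function Assert-Elevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM\SYSTEM requires an elevated (Administrator) session.'
    }
}

function Get-LsaLookupCacheMaxSize {
    # Returns $null when the value is absent, i.e. Windows uses its built-in default of 128 entries.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-LsaLookupCache {
    param([string]$BackupPath = "$env:ProgramData\LsaLookupCacheMaxSize.bak")   # hypothetical backup location
    Assert-Elevated
    $current = Get-LsaLookupCacheMaxSize
    # Record the prior state ('ABSENT' if the value did not exist) before changing anything.
    $record = if ($null -eq $current) { 'ABSENT' } else { "$current" }
    Set-Content -Path $BackupPath -Value $record
    # 0 disables the local SID cache, forcing lookups to go to a domain controller.
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 0 -Type DWord
    Write-Output "$ValueName set to 0 (cache disabled); previous state '$record' saved to $BackupPath"
}

function Restore-LsaLookupCache {
    # Reverts to the recorded state; with no record, sets the value to 1 as the article recommends.
    param(
        [string]$BackupPath    = "$env:ProgramData\LsaLookupCacheMaxSize.bak",
        [int]$FallbackValue    = 1
    )
    Assert-Elevated
    if (Test-Path $BackupPath) {
        $record = (Get-Content -Path $BackupPath -Raw).Trim()
        if ($record -eq 'ABSENT') {
            Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
            Write-Output "$ValueName removed; the Windows default cache size applies again"
        } else {
            Set-ItemProperty -Path $LsaKey -Name $ValueName -Value ([int]$record) -Type DWord
            Write-Output "$ValueName restored to $record"
        }
        Remove-Item -Path $BackupPath
    } else {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $FallbackValue -Type DWord
        Write-Output "No backup found; $ValueName set to $FallbackValue"
    }
}

# Usage:
#   Disable-LsaLookupCache    # before re-running the site creation wizard
#   Restore-LsaLookupCache    # once the site has been created successfully
```

Keeping the disable and restore steps as a pair, with the previous value written to disk, means the cache is not left disabled on the Controller after the site has been created, which is the point of the IMPORTANT note above.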