Wednesday, February 2, 2011

Duplicate SIDs

Interesting challenge to conventional wisdom: "I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn't pose any problem, security or otherwise." - Mark, of SysInternals fame. In case you haven't heard of Mark, he's pretty much a legend. Against what I've been taught, MS has concluded that duplicate local (machine) SIDs within a domain are perfectly OK. Domain SIDs, on the other hand, need to be unique.

Gotta constantly re-evaluate commonly held truths I guess!

However, I have seen an issue: if the server you're joining to the domain has the same local SID as the DC, you will see some funky results.  The domain trust will not function correctly and you won't be able to log onto the member using domain accounts.
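If you want to check for that specific collision before joining a box, the script below compares this machine's local SID with the domain SID, which is what a domain controller hands out for domain accounts. This is an added example, not something from the original post or from Sysinternals; it assumes the machine SID can be recovered from the built-in RID-500 (Administrator) account's SID, that the LocalAccounts module (Windows 10 / Server 2016 and later) is available, and that the domain is reachable over LDAP. The function names are my own.

```powershell
# Added example: detect a machine SID that collides with the domain SID.
# Assumption: the local machine SID is the domain portion (S-1-5-21-x-y-z)
# of the built-in Administrator account, whose RID is always 500 even if
# the account has been renamed.

function Get-MachineSid {
    # Requires the Microsoft.PowerShell.LocalAccounts module.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'Could not locate the RID-500 local account.' }
    # AccountDomainSid strips the RID and leaves the machine/domain SID.
    return $admin.SID.AccountDomainSid.Value
}

function Get-DomainSid {
    # Read the domain object's objectSid through ADSI; no RSAT required.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    [byte[]]$raw = $domain.Properties['objectSid'].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    return $sid.Value
}

function Test-SidCollision {
    param(
        [string]$MachineSid = (Get-MachineSid),
        [string]$DomainSid  = (Get-DomainSid)
    )
    # Returns an object rather than printing, so it can be used in scripts.
    [pscustomobject]@{
        MachineSid = $MachineSid
        DomainSid  = $DomainSid
        Collision  = ($MachineSid -eq $DomainSid)
    }
}

# Usage: run on the prospective member server before joining it.
$result = Test-SidCollision
$result
if ($result.Collision) {
    Write-Warning 'Machine SID matches the domain SID; regenerate it (sysprep) before joining.'
}
```

The `-MachineSid` and `-DomainSid` parameters let you feed in a SID captured elsewhere, for example the value from `Get-MachineSid` run on the DC itself, if you would rather compare against that directly than against the domain SID.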

