Duplicate SIDs, Big Deal! Why you might not need to care.

Monday, February 16, 2009

Recently, I have been having some great conversations about the benefits of using golden images of servers and desktops to rapidly deploy using either templates or streaming image technologies.  Out of these conversations, an interesting piece of information was gleaned.  The SID or Security Identifier might not need to be unique in an Active Directory environment since the Domain will give the machine a Unique Domain Based SID and pretty much ignore the local SID anyway.

Before we all get nuts, let’s take a quick step back – I have always taken special measure when cloning or deploying templates to make sure to run either SysPrep or NewSID to ensure that the newly created machine would have a unique SID in the environment.  I have always been under the impression that horrible, terrible, unspeakable things would happen if there were duplicate SIDs in the environment.  Recently, a colleague of mine showed me a TechNet article that kind of implies that it’s not really a big deal (Technically) if there are duplicate SIDs in an Active Directory environment. (http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx)

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Another instance where duplicate SIDs can cause problems is where there is removable media formatted with NTFS, and local account security attributes are applied to files and directories. If such a media is moved to a different computer that has the same SID, then local accounts that otherwise would not be able to access the files might be able to if their account IDs happened to match those in the security attributes. This is not be possible if computers have different SIDs.

So basically, as far as I can tell, the only real issue is security (and if all the Local Administrator Accounts have the same password, it’s a non issue).  As an Consultant, all of my accounts and clients are in Domain environments so in theory, duplicate SIDs should not be an issue to any of them.  I am not sure about the support implications but right now I am primarily concerned with proving or dispelling the technical merit of unique SIDs.

Now it is still pretty easy to run NewSid or SysPrep when kicking out new machines via VirtualCenter, Ghost or whatever your method may be but I am curious about the answer to this question in a VDI or streaming situation.  With Citrix Provision server, for example, you can stream a single image to multiple machines that will all contain the same SID.   The same might happen in a VDI environment where linked clones or some other sort of image sharing technique is employed where it would be an additional challenge to guarantee the uniqueness of the SID on various machines.

Even with my research and reading, I am not sure I am ready to give up my NewSid habit just yet but am curious what everyone else thinks about the subject.  Please post your thoughts in the comments.  Thanks!

Next Post »