Anyone have any info on this question.
The domain part of a SID is largely based on three 30bit numbers that are
based on ... what ?

info is much appreciated!

grt
Marcel

Re: how a Domain SID is generated ?? by Ace

Ace
Wed Apr 23 03:58:53 PDT 2008

In news:8611845E-831A-45D1-A1A9-CEE6A9F2046C@microsoft.com,
Marcel <Marcel@discussions.microsoft.com> typed:
> Anyone have any info on this question.
> The domain part of a SID is largely based on three 30bit numbers that
> are based on ... what ?
>
> info is much appreciated!
>
> grt
> Marcel


Basically it's derived from the combination of the domain SID and the RID #
obtained from the RID pool for that type of object that is being created, to
create the SID. This is one reason why the RID Master role is important.

How Security Identifiers Work:
For domain accounts, the SID of a security principal is created by
concatenating the SID of the domain with a relative identifier (RID) for the
account. ...
http://technet2.microsoft.com/WindowsServer/en/Library/5dbc99be-7404-41a6-9be7-171d40c398db1033.mspx


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations




Re: how a Domain SID is generated ?? by Marcel

Marcel
Wed Apr 23 04:20:00 PDT 2008

Ace,

Thanks for the swift response, however this doesn't answer my question. Let
me explain...

The Domain SID, taken from the technet-article you referred to is:

• A domain identifier (21-1004336348-1177238915-682003330), Contoso

What I would like to know is how the three (30bit) numbers are generated
when the Domain is created ? Is there a particular algorithm based on
hardware, date, time ?? Why are they separated with dashes, are there three
separate algorithms ?

info appreciated

regards,
Marcel

"Ace Fekay [MVP]" wrote:

> In news:8611845E-831A-45D1-A1A9-CEE6A9F2046C@microsoft.com,
> Marcel <Marcel@discussions.microsoft.com> typed:
> > Anyone have any info on this question.
> > The domain part of a SID is largely based on three 30bit numbers that
> > are based on ... what ?
> >
> > info is much appreciated!
> >
> > grt
> > Marcel
>
>
> Basically it's derived from the combination of the domain SID and the RID #
> obtained from the RID pool for that type of object that is being created, to
> create the SID. This is one reason why the RID Master role is important.
>
> How Security Identifiers Work:
> For domain accounts, the SID of a security principal is created by
> concatenating the SID of the domain with a relative identifier (RID) for the
> account. ...
> http://technet2.microsoft.com/WindowsServer/en/Library/5dbc99be-7404-41a6-9be7-171d40c398db1033.mspx
>
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
>
>
>
>



Re: how a Domain SID is generated ?? by Ace

Ace
Wed Apr 23 15:27:32 PDT 2008

In news:4E0BDD69-94EE-4773-98B0-72CD35E30784@microsoft.com,
Marcel <Marcel@discussions.microsoft.com> typed:
> Ace,
>
> Thanks for the swift response, however this doesn't answer my
> question. Let me explain...
>
> The Domain SID, taken from the technet-article you referred to is:
>
> • A domain identifier (21-1004336348-1177238915-682003330), Contoso
>
> What I would like to know is how the three (30bit) numbers are
> generated when the Domain is created ? Is there a particular
> algorithm based on hardware, date, time ?? Why are they separated
> with dashes, are there three separate algorithms ?
>
> info appreciated
>
> regards,
> Marcel

That my friend is proprietary Microsoft protected information. For if we all
knew that, we could develop apps to impersonate just about anything on the
machine, correct? There are about 250+ (IIRC) APIs that Microsoft released
the availability most of them except about 50 or so of them, to developers
so they can re-design apps (backup, TAPI APIs, etc) to work under Windows
instead of being confined to the API limitations. The ones they did not
release are security algorithms and other security aspects that if released,
well, you get my drift.

I can tell you one thing, the domain SID, which is generated during the
dcpromo process, and more than likely creates the RID pool (for the first DC
in the domain/forest) during the promotion process, which it then takes RID
#s as the promotion process needs to create the base default domain objects.
This can't be reproduced as what I think you are implying or trying. This is
why you can't simply take a DC with the same name and expect it to work with
a domain of the same name. Underneath it uses the SIDs and GUIDs to identify
the DC, not the name.

The dashes are delimiters for various components of the SID, as the article
explains.

Also I remember somewhere that the date and time is a factor during
generation as well giving it uniqueness. Don't quote me on that, and maybe
someone else here can give you more specifics than I can.

Curious, what are your intentions?

Ace



Re: how a Domain SID is generated ?? by Marcel

Marcel
Thu Apr 24 00:15:01 PDT 2008

I agree as to what you're explaining and fully agree... :-)

Found a situation where numbers (not all) matched up, in totally different
locations.
That triggered the question.

Marcel


"Ace Fekay [MVP]" wrote:

> In news:4E0BDD69-94EE-4773-98B0-72CD35E30784@microsoft.com,
> Marcel <Marcel@discussions.microsoft.com> typed:
> > Ace,
> >
> > Thanks for the swift response, however this doesn't answer my
> > question. Let me explain...
> >
> > The Domain SID, taken from the technet-article you referred to is:
> >
> > • A domain identifier (21-1004336348-1177238915-682003330), Contoso
> >
> > What I would like to know is how the three (30bit) numbers are
> > generated when the Domain is created ? Is there a particular
> > algorithm based on hardware, date, time ?? Why are they separated
> > with dashes, are there three separate algorithms ?
> >
> > info appreciated
> >
> > regards,
> > Marcel
>
> That my friend is proprietary Microsoft protected information. For if we all
> knew that, we could develop apps to impersonate just about anything on the
> machine, correct? There are about 250+ (IIRC) APIs that Microsoft released
> the availability most of them except about 50 or so of them, to developers
> so they can re-design apps (backup, TAPI APIs, etc) to work under Windows
> instead of being confined to the API limitations. The ones they did not
> release are security algorithms and other security aspects that if released,
> well, you get my drift.
>
> I can tell you one thing, the domain SID, which is generated during the
> dcpromo process, and more than likely creates the RID pool (for the first DC
> in the domain/forest) during the promotion process, which it then takes RID
> #s as the promotion process needs to create the base default domain objects.
> This can't be reproduced as what I think you are implying or trying. This is
> why you can't simply take a DC with the same name and expect it to work with
> a domain of the same name. Underneath it uses the SIDs and GUIDs to identify
> the DC, not the name.
>
> The dashes are delimiters for various components of the SID, as the article
> explains.
>
> Also I remember somewhere that the date and time is a factor during
> generation as well giving it uniqueness. Don't quote me on that, and maybe
> someone else here can give you more specifics than I can.
>
> Curious, what are your intentions?
>
> Ace
>
>
>

Re: how a Domain SID is generated ?? by Ace

Ace
Thu Apr 24 21:03:36 PDT 2008

In news:7C471927-78FF-4668-9BCE-0CBF3CF277B7@microsoft.com,
Marcel <Marcel@discussions.microsoft.com> typed:
> I agree as to what you're explaining and fully agree... :-)
>
> Found a situation where numbers (not all) matched up, in totally
> different locations.
> That triggered the question.
>
> Marcel

Well, one will never know without asking! I hope it was helpful.

Ace



Re: how a Domain SID is generated ?? by Jorge

Jorge
Thu May 08 06:53:56 PDT 2008

the domain SID is based on the SID of the server that is promoted as the
first DC in the domain. after that the RIDs are managed by the RID FSMO

For example: clone a server WITHOUT changing the computer SID, then promote
one and then the cloned one. It will fail saying something like that the SID
already exists (or something similar)
also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Marcel" <Marcel@discussions.microsoft.com> wrote in message
news:8611845E-831A-45D1-A1A9-CEE6A9F2046C@microsoft.com...
> Anyone have any info on this question.
> The domain part of a SID is largely based on three 30bit numbers that are
> based on ... what ?
>
> info is much appreciated!
>
> grt
> Marcel
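The two mechanical points made in this thread (Ace: an account SID is the domain SID with a RID appended, and the dashes are just delimiters between the SID's components; Jorge: a cloned machine SID shows up as the same S-1-5-21 identifier in two supposedly independent places) can be checked in code. The following Python is an added example written for this page, not code from the thread, from Microsoft, or from the linked articles. It parses the textual "S-R-A-s1-s2-..." form, converts it to and from the binary SID layout (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer), splits a domain account SID into domain identifier and RID, and flags identifiers that appear under more than one label. The Contoso identifier is the one quoted from the TechNet article; the Fabrikam identifier, the site labels and the "clone" entry are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Well-known constants of the SID format (facts, not assumptions):
# revision is 1, the NT identifier authority is 5, and the domain/machine
# identifier sub-tree starts with sub-authority 21.
SID_REVISION = 1
NT_AUTHORITY = 5
DOMAIN_SUBTREE = 21


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual form, e.g. 'S-1-5-21-1004336348-1177238915-682003330-500'."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError("not a SID string: %r" % text)
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Each sub-authority is stored as an unsigned 32-bit integer.
        if any(not 0 <= s <= 0xFFFFFFFF for s in subs) or not 0 <= authority < 2 ** 48:
            raise ValueError("component out of range in %r" % text)
        return cls(revision, authority, subs)

    def __str__(self):
        # The dashes are delimiters only; they carry no meaning of their own.
        return "S-%d-%d%s" % (self.revision, self.identifier_authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    def to_bytes(self):
        """Binary layout: rev(1) count(1) authority(6, big-endian) subauth[count](uint32 LE)."""
        head = bytes([self.revision, len(self.sub_authorities)])
        auth = self.identifier_authority.to_bytes(6, "big")
        return head + auth + b"".join(struct.pack("<I", s) for s in self.sub_authorities)

    @classmethod
    def from_bytes(cls, data):
        if len(data) < 8:
            raise ValueError("SID blob too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID blob length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = tuple(struct.unpack("<I", data[8 + 4 * i:12 + 4 * i])[0] for i in range(count))
        return cls(revision, authority, subs)

    def is_domain_sid(self):
        # S-1-5-21-X-Y-Z: the identifier of a domain or of a stand-alone machine.
        return (self.identifier_authority == NT_AUTHORITY
                and len(self.sub_authorities) == 4
                and self.sub_authorities[0] == DOMAIN_SUBTREE)

    def is_domain_account_sid(self):
        # S-1-5-21-X-Y-Z-RID: a principal inside that domain or machine.
        return (self.identifier_authority == NT_AUTHORITY
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == DOMAIN_SUBTREE)

    def domain_sid(self):
        """Strip the RID; this is the inverse of the concatenation Ace describes."""
        if self.is_domain_sid():
            return self
        if self.is_domain_account_sid():
            return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])
        raise ValueError("%s is not a domain or domain-account SID" % self)

    def rid(self):
        if not self.is_domain_account_sid():
            raise ValueError("%s has no RID" % self)
        return self.sub_authorities[-1]


def make_account_sid(domain, rid):
    """Account SID = domain SID + RID (the RID comes from the RID pool)."""
    if not domain.is_domain_sid():
        raise ValueError("%s is not a domain SID" % domain)
    return Sid(domain.revision, domain.identifier_authority, domain.sub_authorities + (rid,))


def shared_domain_identifiers(labelled_sids):
    """Return {domain SID: sorted labels} for identifiers seen under more than one label.

    Two machines or domains that were set up independently must never share the
    three X-Y-Z numbers; a match points at a cloned image, as Jorge describes."""
    groups = {}
    for label, text in labelled_sids:
        sid = Sid.parse(text)
        if sid.is_domain_sid() or sid.is_domain_account_sid():
            groups.setdefault(str(sid.domain_sid()), set()).add(label)
    return {dom: sorted(labels) for dom, labels in groups.items() if len(labels) > 1}


# Constructed inventory: the Contoso identifier is quoted on this page; the
# Fabrikam identifier, the site labels and the clone are made-up sample data.
SAMPLE_SIDS = [
    ("site-A/contoso", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("site-A/contoso", "S-1-5-21-1004336348-1177238915-682003330-1104"),
    ("site-B/fabrikam", "S-1-5-21-3623811015-3361044348-30300820-1013"),
    ("site-C/clone", "S-1-5-21-3623811015-3361044348-30300820-500"),
]

if __name__ == "__main__":
    admin = Sid.parse(SAMPLE_SIDS[0][1])
    print("domain:", admin.domain_sid(), "rid:", admin.rid())
    print("blob:", admin.to_bytes().hex())
    print("shared identifiers:", shared_domain_identifiers(SAMPLE_SIDS))
```

Running it prints the Contoso domain identifier with RID 500 split off, the 28-byte binary form (five sub-authorities), and one flagged group: site-B and site-C share an identifier, which is exactly the symptom of promoting a server cloned without a new machine SID.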