Questions about SID numbers in the domain environment

Source: Internet
Author: User

When operating systems identify users and computers, they are not identified by names, but by SID numbers. What is a SID number? The Chinese name of a SID is a security identifier, this is a bit similar to our ID card number. It is a long string of characters. When you create an account, the system will assign it a SID number, after you delete this account, create another account with the same name, even if the password is the same, but the two accounts are definitely different, because the SID numbers are different. To view the SID of an account or computer, you need to use a tool named psgetsid produced by sysinternals:, This is a command line tool, you need to run the command in the CMD environment. When you run the command for the first time, a dialog box using the Protocol appears, for example:
Click "agree" or press Enter. If no parameter is provided, the SID of the current computer is checked by default. To view the SID of an account, follow the name of a specific account after the command.
In the domain environment, the domain also has a SID. This SID is the same as the SID of the first domain controller in this domain, for example:
As shown in the figure, the domain name is, and server2 is the first domain controller in the domain. We can see that the SID numbers of the two are the same. Create an account named test in AD and view the account SID:
It can be seen that the account named test has a SID number = Domain SID + a number, and this number is also called the RID (Relative ID ).
We all know that in Microsoft's domain environment, in order to avoid stability and reliability issues caused by a single DC, at least two DC servers need to be built in one domain. If we do not want a DC to continue serving as a DC, We need to uninstall the Active Directory components above it. On that day, a student asked me, since the SID of a domain is the same as that of the first domain controller, if there are multiple DC, unmount the Active Directory on the first DC in this domain to make it a member server. Will the SID of this domain change?
To be honest, this problem was really difficult for me at the time. I did not really think about this problem, nor did I do this experiment. However, based on experience and theoretical knowledge, the SID number of the domain will not change, but I'm not sure about it. I'm probably sure about it. Why am I so sure? Because SID is related to security settings, such as permission settings, if you downgrade a domain controller to change the domain SID, all the original security settings are invalid. This is extremely unreasonable, so I can conclude that the Domain SID number will not change. However, after all, this remains theoretical and still needs to be proved by facts. Therefore, I used VPC to build an experiment environment. The above is the experiment environment, then, the first domain controller of the domain is successfully downgraded to a Member Server (the specific process is not detailed, please refer to the relevant information), and then log on to a DC, use psgetsid to check whether the SID of the domain and the SID of the test account have changed. For example:
Obviously, the SID number hasn't changed, just like I guess. The machine that is downgraded to a Member Server (that is, the original master Domain Controller server2)
Is the SID number changed? Use psgetsid for viewing, such:
Obviously, the SID number has changed. It can be inferred that the SID number is re-generated when the domain controller is downgraded to a Member Server. In fact, in the domain environment, the SID of all domain controllers is the same as that of the domain controller. In other words, when you upgrade an operating system of a Server version to a domain controller, its SID is changed to the domain SID. On the contrary, when a domain controller is downgraded, a new SID is generated, which should be randomly generated.

From the windowsxpwyd Column

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.