Fixing a virtual machine that cannot add AD domain users or accept their remote logons because of a duplicate server SID

Source: Internet
Author: User


Recently, while setting up an Active Directory domain controller for the company, I found that domain users could not be added to a member server: the users could log on locally, but not remotely. The root cause turned out to be a SID conflict introduced by cloning the virtual machine. This article describes the cause and the fix.

Add domain account

Create a user in the domain, for example:

(Figure 1)

Add the user to the Development group, then try to let the user log on remotely to another member server:

(Figure 2)

The logon fails, even with the domain administrator account. It seems the domain user must first be added to a local group on the remote server:

(Figure 3)

Open the Administrators group, click Add, select the domain user, add it and confirm with OK.
Log on with that domain user again: the result is the same screen as before, and the logon still fails.
Back on the remote server, open the Administrators group again: the domain user that was just added is not there.
Repeating the steps gives the same result; the domain user cannot be added to any local group.

I asked the experts in a chat group and was given all kinds of links: some said the cause was local security policy, some said firewall settings, and some said domain controller settings.
Adding the domain user to the Domain Admins group and then logging on to the remote server did not help either.

(Figure 4)

SID conflict

Finally I consulted an operations colleague at the original company. He suggested a SID conflict, pointing at the string that follows the domain user name in the image above:

S-1-5-21-2625116194-3287851518-1169719709-500

On the command line, enter the following command:

C:\Users\Administrator>whoami /user

USER INFORMATION
----------------

User Name         SID
================= ==============================================
dxn\administrator S-1-5-21-2625116194-3287851518-1169719709-500

Run the same command on the domain controller: the SID it prints is identical to the one on the remote server.
My colleague's suspicion is confirmed: the two machines share a SID.


So what is a SID?

Searching turned up the following; in short:


SID is short for security identifier. A SID is a unique identifier assigned to every security principal (user, group or computer account) created on a local computer or in a domain, for example S-1-5-21-1454471165-1004336348-1606980848-5555.

An account SID of this form has two parts: S-1-5-21 plus three sub-authority numbers identify the domain (or, for local accounts, the machine), and the final number, the relative identifier (RID), identifies the account within it. Some RIDs are fixed: 500 is the built-in Administrator, 512 is Domain Admins, 513 is Domain Users. Within a domain, the domain controller holding the RID Master role hands out blocks of RIDs to the other domain controllers so that no two accounts get the same RID. Every object in Active Directory also has an objectGUID, but that is a separate 128-bit identifier, not a combination of SID and RID.
Windows tracks accounts by SID, not by name: if the Administrator account is renamed, the computer still knows which account is the administrator, because the SID does not change when the name does.

Why does a duplicate SID break things here? When a server is promoted to the first domain controller of a new domain, its local machine SID becomes the domain SID. The member server was cloned from the same image as the domain controller, so its machine SID is also the domain SID: every domain account, for example S-1-5-21-2625116194-3287851518-1169719709-500, carries exactly the same SID as a local account on the member server. The member server's Local Security Authority therefore treats domain SIDs as its own local SIDs, cannot resolve them to the domain accounts they belong to (hence the bare SID string in the image above), and cannot keep them as local group members.


This is why the remote server fails to add domain users.

Regenerate the SID

Why is the SID duplicated?

The usual reason is that the system was installed from a clone, or the virtual machine was copied. These methods deploy a system quickly, but every copy keeps the machine SID of the original, which causes the problem above. The fix is to generalize the copied system with Sysprep so that it generates a new SID. Run the following:

C:\Users\Administrator>cd \

C:\>dir c:\windows\system32\sysprep
 Volume in drive C has no label.
 Volume Serial Number is B0D1-4221

 Directory of c:\windows\system32\sysprep

2010/11/22  <DIR>          .
2010/11/22  <DIR>          ..
2010/11/22  <DIR>          en-US
2015/12/17  <DIR>          Panther
2009/07/14         128,512 sysprep.exe
2010/11/22  <DIR>          zh-CN
               1 File(s)        128,512 bytes
               5 Dir(s)  91,940,900,864 bytes free

C:\>c:\windows\system32\sysprep\sysprep.exe

The System Preparation Tool dialog is displayed:

(Figure 5)

Select the Generalize check box (this is the option that discards the machine SID), choose Reboot as the shutdown option and click OK. Sysprep then runs:

(Figure 6)

After a fairly long run, Windows comes back up and starts fresh. Join the server to the domain again and configure the logon permission for the domain user as in Figure 3: the user name is no longer followed by the long SID string. After this, the domain user can log on to the server remotely.
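
The remediation above as one script, an added example that is not part of the original article. It runs in three phases on the cloned member server, with a reboot after each of the first two: generalize with Sysprep to obtain a new machine SID, join the domain, then grant the domain user remote logon. It assumes PowerShell 3.0 or later; the DNS domain name dxn.local and the account DXN\devuser are placeholders (the article only shows the NetBIOS name dxn). It also differs from the article in one deliberate way: it adds the user to Remote Desktop Users, which is the least privilege needed for a remote desktop logon, rather than to Administrators.

```powershell
# Added example (not part of the original article): the fix the article performs by hand,
# as one script run in three phases on the cloned member server, rebooting between phases.
# Assumptions (placeholders to replace): DNS domain 'dxn.local', account 'DXN\devuser'.
param(
    [Parameter(Mandatory)][ValidateSet('Generalize', 'Join', 'Grant')]
    [string]$Phase,
    [string]$DnsDomain  = 'dxn.local',
    [string]$DomainUser = 'DXN\devuser'
)

# Machine SID = domain part of the built-in Administrator SID (RID 500), found by RID
# so that a renamed Administrator account is still located.
function Get-MachineSid {
    $admin = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
             Where-Object { $_.SID -match '-500$' } | Select-Object -First 1
    if (-not $admin) { throw 'Built-in local Administrator (RID 500) not found' }
    return ([System.Security.Principal.SecurityIdentifier]$admin.SID).AccountDomainSid.Value
}

switch ($Phase) {
    'Generalize' {
        $cs = Get-CimInstance Win32_ComputerSystem
        # DomainRole 4 = backup DC, 5 = primary DC: never generalize a domain controller.
        if ($cs.DomainRole -ge 4) { throw 'This machine is a domain controller; do not sysprep it.' }
        # Generalize from a workgroup state so no stale computer account is left in AD.
        if ($cs.PartOfDomain) {
            throw "Remove $($cs.Name) from the domain first (Remove-Computer), then rerun."
        }
        $sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
        if (-not (Test-Path $sysprep)) { throw "Sysprep not found at $sysprep" }
        "Machine SID before generalize: $(Get-MachineSid)"   # record it to compare later
        # /generalize strips machine-specific state, including the machine SID;
        # /oobe runs Windows Welcome on the next boot; /reboot restarts when done.
        # Caveat: each /generalize consumes one activation rearm; check 'slmgr /dlv'.
        & $sysprep /generalize /oobe /reboot
    }
    'Join' {
        # After the post-Sysprep reboot: confirm the SID changed, then join the domain,
        # which creates a new computer account with a new SID.
        "Machine SID after generalize: $(Get-MachineSid)"
        Add-Computer -DomainName $DnsDomain -Credential (Get-Credential) -Restart
    }
    'Grant' {
        # After the join reboot. Remote Desktop Users is covered by the default
        # "Allow log on through Remote Desktop Services" right; Administrators is not needed.
        # 'net localgroup' is used because Add-LocalGroupMember only exists on newer Windows.
        net localgroup "Remote Desktop Users" $DomainUser /add
        # A healthy server lists the member by name; a bare S-1-5-21-... entry means the
        # SID still cannot be resolved and the collision is not fixed.
        net localgroup "Remote Desktop Users"
    }
}
```

Run it as `.\Fix-ClonedSid.ps1 -Phase Generalize`, then `-Phase Join` after the first reboot and `-Phase Grant` after the second; the file name is an assumption. The SID printed in the Join phase must differ from the one printed before generalizing, otherwise the domain join will reproduce the original problem.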

Finally, thank you for reading; please also support my data development tool, the SOD open source framework (http://pwmis.codeplex.com).

 
