The SID Myth
Amazing!
Admins, myself included, have worried about the machine SID for years and years. Way back it was ghosting, now it’s with virtualization. We made sure to create a new SID after creating servers from server images.
It turns out that this has been a non-issue all of this time, a non-issue that everyone, Microsoft, Mark Russinovich and administrators all over bought into for over a dozen years.
A few weeks back I heard rumor that Mark Russinovich was going to expire NewSID. I figured it was because there were just too many SID references to keep track of that he wasn’t going to maintain that tool forever. It turns out that it’s for a completely different reason.
The machine SID does not have to be unique for security reasons, and Microsoft applications don’t depend on it in their usage. Mark’s blog post here covers all of the details:
http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx
However, it’s important to note the difference between machine SIDs and domain SIDs. Additionally, the machine name must be different, and the domain controllers themselves can’t have the same SID as any member server.
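To see the distinction on your own hosts, here is a small PowerShell check I am adding (not code from Mark’s post or from NewSID): it derives the machine SID from the built-in Administrator account and compares it with the SID prefix of the logged-on account. It assumes a Windows host with PowerShell 5.1 or later (for Get-LocalUser).

```powershell
# Added example: show the local machine SID next to the domain SID so the two are not confused.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser); run it on a member server and on a workstation.

# The built-in Administrator always has RID 500 and lives in the local account domain,
# so the prefix of its SID (everything before the final -500) is the machine SID.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$machineSid = $localAdmin.SID.AccountDomainSid.Value

# The logged-on account: for a domain account its prefix is the domain SID issued by
# the domain controller, not anything stored on this machine.
$current          = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$accountSid       = $current.User.Value
$accountDomainSid = $current.User.AccountDomainSid.Value

"Host        : $env:COMPUTERNAME"
"Machine SID : $machineSid"
"Account SID : $accountSid"
"SID prefix  : $accountDomainSid"

if ($machineSid -eq $accountDomainSid) {
    "Logged on with a LOCAL account: the prefix is this machine's SID."
} else {
    "Logged on with a DOMAIN account: the prefix is the domain SID, which the DC issued."
    "Two members of this domain can share a machine SID and still have distinct domain SIDs."
}
```

Run it on two servers cloned from the same image: the Machine SID lines may match, while the domain account prefix is the same domain SID on both and the account RIDs differ, which is what the domain actually uses for access checks. The one case to avoid is the one the post calls out: a domain controller’s machine SID is the domain SID, so a member must not share it.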
I am watching this thread with interest because situations do arise where people run into issues with WSUS and other tools where generating a new SID resolves their issues. However Mark’s comments suggest that it’s related to the domain SID or the domain controller having the same SID as the members.
If, after some burn-in time, this is confirmed to be the case, it will save a lot of work that administrators spend considerable time worrying about… apparently needlessly.
Read the post; it covers it in great detail.