Authorizing user access when migrating domains
What’s the SID History attribute in Windows 2000?
SID History is an Active Directory (AD) user account object attribute that facilitates the authorization process when you migrate Windows domains. The attribute is available in Windows Server 2003 and Win2K. SID History helps in migration scenarios in which a new domain infrastructure is created in parallel with the old domain infrastructure (i.e., the period of time when the two infrastructures coexist and are both operational). In such a scenario, newly created user accounts in the new infrastructure often need to be able to access resources in the old infrastructure. The main problem in these situations is that resources in the old infrastructure are secured using ACLs that refer to old SIDs of user accounts defined in the old infrastructure.
To resolve this problem, Microsoft provides the ClonePrincipal API. When you create a new account, the API automatically adds the old account’s SID to the SID History attribute of the new account. The security logic that creates the user's access token then adds the content of the SID History attribute to the token. As a result, when the user logs on to the new infrastructure by using his or her new account, the access token will refer to the new SID and to the old SID. The user can then seamlessly access resources secured with the old SID hosted in the old infrastructure.
Microsoft Active Directory Migration Tool (ADMT—currently version 2.0) uses the ClonePrincipal API to add the old SID to the SID History attribute of the new SID. You can download ADMT for free from the Microsoft Web site at http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp.
SID History is not available in Win2K mixed-mode domains—it’s available only in Win2K native-mode domains. Although SID History eases the migration process, it also creates some interesting side effects, as follows:
- A migrated user who uses different SIDs represents a possible security breech. Because no one-to-one (1:1) mapping exists between a user's account and its SID, security auditing becomes difficult.
- Augmenting the number of entries in access tokens can result in token bloat. As a result, this augmentation can decrease network performance or let access tokens grow beyond 8KB, which is the current access token limit. Token bloat can also occur if a user belongs to too many groups.