Difference between a RID and a SID in Active Directory
SID (Security Identifier)
- A SID is a Security Identifier. It is the "primary key" for any object in Active Directory. For example, users have SIDs, as do printer objects, group objects, etc. SIDs are unique to a domain.
- In Active Directory users refer to accounts by using the account name, but the operating system internally refers to accounts by their security identifiers (SIDs).
- For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local) and are never reused.
User SID structure: the domain SID followed by the account's RID.
RID (Relative Identifier)
- The relative identifier (RID) is a variable-length number that is assigned to objects at creation and becomes part of the object's security identifier.
- Generating unique relative identifiers is a more complex process in a network domain. Windows 2000 network domains can have several domain controllers, each of them a host for Active Directory, where account information is stored. This means that in a network domain there are as many copies of the account database as there are domain controllers.
- Every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes made to Active Directory on one domain controller are replicated to all other domain controllers in the domain.
- The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
- The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain.
- When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID, and the relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller asks the RID master for another block.
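The domain SID + RID composition described above, as an added example that is not part of the original article: it splits a textual SID into the domain SID and the account's RID, and converts between the string form and the binary layout stored in the objectSid attribute. The sample SID values are constructed for illustration.

```python
import struct

# A few well-known RIDs that are fixed in every domain (useful when reviewing
# group membership or audit logs, since names can be renamed but RIDs cannot).
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(sid: str) -> dict:
    """Split a textual SID (S-<revision>-<authority>-<sub>-...) into its fields."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return {"revision": int(parts[1]), "authority": int(parts[2]),
            "subauthorities": [int(p) for p in parts[3:]]}


def split_domain_and_rid(sid: str) -> tuple:
    """For a domain account SID (S-1-5-21-<three domain words>-<RID>) return
    (domain SID, RID). The RID is the last sub-authority; everything before it
    is the domain SID shared by every principal in that domain."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] != 5 or len(subs) < 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = "S-%d-%d-%s" % (p["revision"], p["authority"],
                             "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def sid_to_bytes(sid: str) -> bytes:
    """Encode into the objectSid binary layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a little-endian uint32."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return (bytes([p["revision"], len(subs)])
            + p["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the objectSid binary layout back into the S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # Constructed sample: domain S-1-5-21-1004336348-1177238915-682003330, RID 500
    domain, rid = split_domain_and_rid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(domain, rid, WELL_KNOWN_RIDS.get(rid, "ordinary account"))
```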