Thanks Joe and Guido. All the groups are in the same domain. No SIDHistory with either the user account or the groups.

We have tried changing the MaxTokenSize value on the member server before the join, but it doesn't appear to make any difference. The really strange thing is that the joins sometimes work and sometimes don't. This happens even when using a test machine (VMware, bridged networking) and the same account (and same group memberships). We are going down the NetMon route now to try and see what the difference is between the working and non-working joins. Only problem is that we are in a "join always works" phase right now! Argghgh.

Tony

---------- Original Message ----------------------------------
From: "Joe" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 27 Aug 2003 08:10:55 -0400

I agree on cleaning up the SID histories. Also, the number of groups you are in before you break can vary greatly based on where in the forest the groups are located. One of the fixes implemented changes how the group information is stored in the token: if the groups are all local to the domain the user is in, then only the RID is needed; however, if the groups are from other domains, the entire SID is stored. This would be the difference in space usage of something like:

S-1-5-21-1275210071-789336058-1957994488-3146

and

3146

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships

Tony,

I believe that the 1000 SID limit is only relevant for NTLM authentication - the Kerberos ticket accepts a far smaller number of SIDs in the token by default (roughly 120).

With the number of group memberships that you have (likely more than 120), it sounds like you'll have to increase the MaxTokenSize value in your environment (even after applying the fix http://support.microsoft.com/default.aspx?scid=kb;[LN];327825). As you'll be authenticated via Kerberos on the server you're trying to join to AD at the time of joining it, I'd try to change the MaxTokenSize value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with SID-History? In this case you'll have 2 SIDs per group, which further decreases the number of "real" groups your Kerberos ticket will be able to accept by default to approx. 60.

/Guido

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 26 August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this. The background....

A while ago some admins had problems joining servers to an AD domain. The error was: "The Parameter is incorrect". We narrowed it down to the fact that the admins with problems had a large number of nested group memberships (400+). If we removed the group memberships the admin could join the server to the domain with no problem. We opened a call with Microsoft PSS, who advised us to install the hotfix mentioned in http://support.microsoft.com/default.aspx?scid=kb;[LN];327825. We duly installed the hotfix on all DCs. Now it seems we have the problem again, albeit intermittently. We re-opened the case with PSS and they have advised us that the problem is due to the accumulation of too many SIDs in the access token (http://support.microsoft.com/default.aspx?scid=kb;[LN];275266). There is no workaround apparently; this is behaviour by design. The problem I have with this is that, even with nesting, the "problem" accounts are members of far fewer than the 1000 groups mentioned in the KB article.

This is still open with PSS. Obviously, we have a workaround to the problem, but it is frustrating not knowing the true cause behind the issue. The only thing we know is that it has "something" to do with the size of the access token, but no real detail. Anyone come across the same (or similar) problem? Any pointers?

Tony

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
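As an added illustration of the two sizing points raised in the thread (Joe's full-SID-versus-RID difference and Guido's MaxTokenSize concern), the script below is not part of the original messages and is not Microsoft's code. It encodes a textual SID into its binary layout to show the byte cost of each form, and estimates the token size with the formula Microsoft published in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and SID-History entries (stored as full SIDs) and s counts global and universal groups in the user's own domain (stored as RIDs). The 12000-byte default used here is the documented Windows 2000/2003 MaxTokenSize default; the helper names and the group mixes fed to them are assumptions constructed for the example.

```python
"""Added example (not from the thread): per-SID cost in a Kerberos access
token and a rough MaxTokenSize estimate.

Sizing formula is the one Microsoft published in KB 327825:
    TokenSize = 1200 + 40*d + 8*s
  d = domain-local groups + universal groups from OTHER domains
      + SID-History entries   (each carried as a full SID)
  s = global groups + universal groups in the user's OWN domain
      (each carried as a RID only, as Joe describes)
The 12000-byte MaxTokenSize default is the documented Windows 2000/2003
default; the group mixes below are constructed for illustration.
"""
import struct

DEFAULT_MAX_TOKEN_SIZE = 12000   # Windows 2000 SP2 / 2003 default
TOKEN_FIXED_OVERHEAD = 1200      # constant term in KB 327825
BYTES_PER_FULL_SID_ENTRY = 40    # d-term in KB 327825
BYTES_PER_RID_ENTRY = 8          # s-term in KB 327825


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...-3146) in its binary layout:
    revision (1 byte), sub-authority count (1), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian u32."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries between 1 and 15 sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def rid_to_bytes(sid: str) -> bytes:
    """The RID-only form: just the last sub-authority as a u32."""
    return struct.pack("<I", int(sid.rsplit("-", 1)[1]))


def estimate_token_size(domain_local: int, universal_foreign: int,
                        sid_history: int, global_home: int) -> int:
    """KB 327825 estimate of the token size for the given group mix."""
    d = domain_local + universal_foreign + sid_history
    s = global_home
    return (TOKEN_FIXED_OVERHEAD
            + BYTES_PER_FULL_SID_ENTRY * d
            + BYTES_PER_RID_ENTRY * s)


def fits(size: int, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True if the estimated token stays within MaxTokenSize."""
    return size <= max_token_size


def max_full_sid_groups(max_token_size: int = DEFAULT_MAX_TOKEN_SIZE,
                        per_group_sids: int = 1) -> int:
    """How many full-SID groups fit before the estimate exceeds the limit.
    per_group_sids=2 models Guido's point that a SID-History-migrated
    group contributes two SIDs."""
    budget = max_token_size - TOKEN_FIXED_OVERHEAD
    return budget // (BYTES_PER_FULL_SID_ENTRY * per_group_sids)


if __name__ == "__main__":
    sid = "S-1-5-21-1275210071-789336058-1957994488-3146"   # Joe's example
    print(f"full SID : {len(sid_to_bytes(sid))} bytes  {sid_to_bytes(sid).hex()}")
    print(f"RID only : {len(rid_to_bytes(sid))} bytes")
    # Tony's 400+ nested groups, first all in the user's own domain (RID
    # form), then as if they were domain-local (full-SID form). Constructed.
    scenarios = [("400 global groups, same domain", (0, 0, 0, 400)),
                 ("400 domain-local groups",        (400, 0, 0, 0)),
                 ("400 domain-local + SID-History", (400, 0, 400, 0))]
    for label, mix in scenarios:
        size = estimate_token_size(*mix)
        print(f"{label:34} ~{size:6} bytes  fits default: {fits(size)}")
    print("full-SID groups within 12000 :", max_full_sid_groups())
    print("...with SID-History doubling :", max_full_sid_groups(per_group_sids=2))
```

The value Guido suggests changing is the REG_DWORD MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; the numbers above are estimates only, and the thread itself shows that the point at which a join breaks is not a simple function of the raw group count.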