yeap.  

Which doesn't mean that you should now hurry and simply perform SID-History
cleanup in your environment without doing the necessary investigations.
Your environment might still heavily rely on SID-History without you
realizing it...  

Even if you've done your re-acling on all existing fileservers and you've
got nothing left of the migrated NT4 domains, it is not uncommon that
companies that have leveraged the ADC during an Ex5.5 to E2k Migration still
have loads of legacy SIDs on their Public Folders and even on many of their
mailboxes.

You might be fine from a FileSystem point of view - but Exchange 2000/2003
(depending on how you've migrated) is a totally different story. The newer
migration tools will now also tackle PF re-acling and I'm sure that someone
else will come up with some other nice scripts in the near future - but
you'll definitely have to watch out for this.

/Guido

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 27. August 2003 14:10
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships

By extension, if you've got nested groups that carry SID-history baggage,
does that mean that you're further limited? In other words, a nested group
pair, where both groups have SID history defined, takes 4 token slots?

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
> [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 27, 2003 7:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Problems with too many nested group memberships
> 
> 
> Tony, I believe that the 1000 SID limit is only relevant for NTLM
> authentication - the Kerberos ticket accepts a far smaller number of SIDs in
> the Token by default (roughly 120).
> 
> With the number of group-memberships that you have (likely more than 120),
> it sounds like you'll have to increase the MaxTokenSize value in your
> environment (even after applying the fix
> http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)
> 
> As you'll be authenticated via Kerberos on the Server you're trying to join
> to AD at the time of joining it, I'd try to change the MaxTokenSize value
> in the registry on the server itself PRIOR to joining it to AD.
> 
> Also - have the groups which the user is a member of been migrated with
> SID-History?  In this case you'll have 2 SIDs per group which further
> decreases the number of "real" groups your Kerberos ticket will be able to
> accept by default to approx. 60.
> 
> /Guido
> 
> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 26. August 2003 16:16
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Problems with too many nested group memberships
> 
> I'm hoping someone can shed some light on this.
> 
> The background....
> 
> A while ago some admins had problems joining servers to an AD domain.  The
> error was:
> 
> "The Parameter is incorrect"
> 
> We narrowed it down to the fact that the admins with problems had a large
> number of nested group memberships (400+).  If we removed the group
> memberships the admin could join the server to the domain with no problem.
> We opened a call with Microsoft PSS, who advised us to install the hotfix
> mentioned in http://support.microsoft.com/default.aspx?scid=kb;[LN];327825
> 
> We duly installed the hotfix on all DCs.  Now it seems we have the problem
> again, albeit intermittently.  We re-opened the case with PSS and they have
> advised us that the problem is due to the accumulation of too many SIDs in
> the access token
> (http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
> no workaround apparently, this is behaviour by design.
> 
> The problem I have with this is that, even with nesting, the "problem"
> accounts are members of far fewer than the 1000 groups mentioned in the KB
> article.  This is still open with PSS.
> 
> Obviously, we have a workaround to the problem, but it is frustrating not
> knowing the true cause behind the issue.  The only thing we know is that it
> has "something" to do with the size of the access token, but no real detail.
> 
> Anyone come across the same (or similar) problem?  Any pointers?
> 
> Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
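As an added example (not part of the thread, and not tooling from any of its authors), the following PowerShell script applies the token-size estimate published in KB 327825 (the article Guido and Tony both cite) to a single account: it reads the transitive group SIDs from the user's tokenGroups attribute, counts sIDHistory entries on the user and on each group, and compares the estimate with the MaxTokenSize value on the local machine. It assumes the RSAT ActiveDirectory module, a domain-joined host, and read access to the group objects; the 12000-byte fallback is the documented default on Windows 2000/XP/2003 hosts when the registry value is absent, and the script file name used in the usage note is hypothetical.

```powershell
# Added example (not from the thread): estimate one account's Kerberos
# access-token size with the KB 327825 formula and compare it with the
# MaxTokenSize configured on this machine.
# Assumptions: RSAT ActiveDirectory module installed, domain-joined host,
# caller can read group objects (including sIDHistory).
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
$userDomainSid = $user.SID.AccountDomainSid

# tokenGroups is a constructed attribute holding the transitive list of
# security-group SIDs that would land in the user's token.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.psbase.RefreshCache(@('tokenGroups'))
$groupSids = foreach ($raw in $entry.psbase.Properties['tokenGroups']) {
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# KB 327825: TokenSize = 1200 + 40d + 8s
#   d = domain-local groups + universal groups outside the user's domain
#       + every SID carried in sIDHistory (the user's own and the groups')
#   s = global groups + universal groups inside the user's domain
$d = @($user.sIDHistory).Count
$s = 0
foreach ($sid in $groupSids) {
    try {
        $g = Get-ADGroup -Identity $sid.Value -Properties sIDHistory -ErrorAction Stop
    } catch {
        continue   # SID that does not resolve to a group object in this forest
    }
    if ($g.GroupCategory -ne 'Security') { continue }   # distribution groups never enter the token
    $inUserDomain = ($sid.AccountDomainSid -ne $null) -and $sid.AccountDomainSid.Equals($userDomainSid)
    if ($g.GroupScope -eq 'DomainLocal' -or ($g.GroupScope -eq 'Universal' -and -not $inUserDomain)) {
        $d++
    } else {
        $s++
    }
    # This is the doubling Guido describes: a migrated group carries its old
    # SID in sIDHistory, and each such SID is a further 40-byte token entry.
    $d += @($g.sIDHistory).Count
}
$estimate = 1200 + 40 * $d + 8 * $s

# MaxTokenSize on the local host; when the value is absent the OS default
# applies, which was 12000 bytes on Windows 2000/XP/2003 (assumed here).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxTokenSize = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $maxTokenSize) { $maxTokenSize = 12000 }

[pscustomobject]@{
    User                = $user.SamAccountName
    GroupsInToken       = @($groupSids).Count
    UserSidHistoryCount = @($user.sIDHistory).Count
    D_Entries           = $d
    S_Entries           = $s
    EstimatedTokenBytes = $estimate
    MaxTokenSize        = $maxTokenSize
    HeadroomBytes       = $maxTokenSize - $estimate
}
```

Run it as `.\Estimate-TokenSize.ps1 -SamAccountName jdoe` (file name and account are placeholders) from the machine you are about to join, since that host's MaxTokenSize is the one that matters at join time. A negative HeadroomBytes is the signal to raise MaxTokenSize or to trim SID-History and group sprawl before the join rather than after the "The Parameter is incorrect" error appears; the 40-byte weight of every sIDHistory entry is why a migrated group costs far more than its size alone suggests.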