RE: [ActiveDir] Problems with too many nested group memberships

2003-08-31 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Hi Joe - I had already studied the 327825 fix, but have re-read it again now
- thanks for the hint.  It doesn't really state any specifics about how it
changes the storage of the SIDs in a Kerberos ticket, but the new formula
given for the calculation does provide some hints that confirm your
statement regarding the RIDs being used.

Basically I'd interpret it as such that all Domain Local Groups (even from
the user's own domain) plus all groups from external domains AND all SID-History
SIDs are stored as full SIDs in the token, while only the global and
universal groups from the user's own domain are stored as RIDs.

This means that the SID-History tokens (which are naturally from external
domains anyway) will definitely make quite a difference in the token
sizes...

A rough calculation according to the new formula allows storing approx. 225
groups (50/50 internal/external) without requiring an increase of the
MaxTokenSize limit.  And with almost all objects containing SID-history, I'd
say this fix will grant you approx. 100 real group memberships (of course
everyone's mileage will vary, depending on the group types...)

/Guido
 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, 29 August 2003 05:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships

Hey Guido.

It seems that the note chain I have involves the fix in 327825 and that
applying that change to the DCs should be enough because the client
pieces were already in place or had been in place all along. The client
handles the whole expansion process and looking at the post from Carlos
(thanks Carlos and Hi right back at ya) the GroupCount/GroupIds fields
explanation for the kerb ticket seems, at least to me at first blush, to
be verification. The note chain I have is very high level, no level of
detail like the doc Carlos posted.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, August 28, 2003 7:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Also I seem to recall them saying that the functionality has been on the
client receiving side for some time, they just never added the
functionality to the DC side because I had responded with a question
similar to yours Guido.


   joe


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 28, 2003 7:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships


I'll see if I can dig up the note I have from PSS on it. 

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, August 28, 2003 3:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Joe, do you have any more info on this?  I'm just wondering how this
should work - if a Kerberos token only stores the RID of a group, which
process would then explode that information to the full SID format when
it is needed to analyse ACLs for the effective permissions of the user?

If this is done by a certain fix (which one?) then this would change the
whole picture of authentication processing for Windows 2000 and would
probably be required on all machines that receive this new version of
the Kerberos ticket...


Would be glad to read more about this - thanks,
Guido

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 27 August 2003 14:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships

I agree on cleaning up the SID histories. Also the number of groups you
are in before you break can vary greatly based on where in the forest
the groups are located. One of the fixes implemented changes how the
group information is stored in the token: if the groups are all local to
the domain the user is in then only the RID is needed, however if the
groups are from other domains, the entire SID is stored. This would be
the difference in space usage of something like:

S-1-5-21-1275210071-789336058-1957994488-3146
and
3146





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of
SIDs in the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than
120), it sounds like you'll have to increase the MaxTokenSize value in
your environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825) 

As you'll be authenticated via Kerberos on the Server you're trying to
join to AD at the time of joining
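
Guido's estimate above works from the formula published in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups outside the account domain and SIDs carried in sIDHistory, and s counts global groups and universal groups inside the account domain. The following is an added example, not code from the thread or from Microsoft, that applies that formula in Python to a constructed set of group memberships and checks the result against MaxTokenSize. The Group class, the sample groups and the second domain SID are assumptions made for the illustration; the 12000-byte default is the Windows 2000 value after KB 327825 and is also an assumption, since earlier builds used 8000 bytes.

```python
"""Estimate a Kerberos access-token size with the KB 327825 formula.

Added example, not from the thread. Formula as published in KB 327825:
    TokenSize = 1200 + 40*d + 8*s
  d = domain local groups + universal groups outside the account domain
      + SIDs carried in sIDHistory (groups' and the user's own)
  s = global groups + universal groups inside the account domain
All group data below is constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: post-KB 327825 Windows 2000 default; the original default was 8000.
DEFAULT_MAX_TOKEN_SIZE = 12000


@dataclass(frozen=True)
class Group:
    name: str
    domain_sid: str        # domain part of the group's SID, e.g. S-1-5-21-...
    scope: str             # "global", "universal" or "domainlocal"
    sid_history: int = 0   # number of entries in the group's sIDHistory


def classify(groups, account_domain_sid):
    """Split memberships into the formula's d (full-SID) and s (RID-only) buckets."""
    d = s = 0
    for g in groups:
        if g.scope not in ("global", "universal", "domainlocal"):
            raise ValueError(f"{g.name}: unknown scope {g.scope!r}")
        if g.scope == "global" or (g.scope == "universal" and g.domain_sid == account_domain_sid):
            s += 1
        else:
            d += 1
        d += g.sid_history   # every SID-history entry costs a full SID
    return d, s


def token_size(groups, account_domain_sid, user_sid_history=0):
    d, s = classify(groups, account_domain_sid)
    return 1200 + 40 * (d + user_sid_history) + 8 * s


def fits(groups, account_domain_sid, user_sid_history=0, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    return token_size(groups, account_domain_sid, user_sid_history) <= max_token_size


def max_groups(max_token_size=DEFAULT_MAX_TOKEN_SIZE, external_fraction=0.5):
    """Largest membership count that stays under max_token_size when a given
    fraction of the groups is stored as full SIDs (40 bytes) and the rest as RIDs (8 bytes)."""
    per_group = 40 * external_fraction + 8 * (1 - external_fraction)
    return int((max_token_size - 1200) // per_group)


ACCOUNT_DOMAIN = "S-1-5-21-1275210071-789336058-1957994488"  # domain part of the SID Joe quoted
OTHER_DOMAIN = "S-1-5-21-111-222-333"                          # constructed second domain

SAMPLE_GROUPS = [                                              # constructed memberships
    Group("Engineering", ACCOUNT_DOMAIN, "global"),
    Group("All-Staff", ACCOUNT_DOMAIN, "universal"),
    Group("Res-Admins", OTHER_DOMAIN, "universal"),
    Group("FileShare-RO", ACCOUNT_DOMAIN, "domainlocal", sid_history=1),
]

if __name__ == "__main__":
    size = token_size(SAMPLE_GROUPS, ACCOUNT_DOMAIN, user_sid_history=1)
    print(f"estimated token size: {size} bytes; fits default: {fits(SAMPLE_GROUPS, ACCOUNT_DOMAIN, 1)}")
    print(f"memberships before exceeding {DEFAULT_MAX_TOKEN_SIZE} bytes at 50/50: {max_groups()}")
```

The result is compared with MaxTokenSize, the REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters that Guido suggests raising on the server before the join. The formula is an estimate of the PAC size, so leave headroom rather than tuning the registry value to the computed number.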

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-29 Thread Joe
Hey Guido.

It seems that the note chain I have involves the fix in 327825 and that
applying that change to the DCs should be enough because the client
pieces were already in place or had been in place all along. The client
handles the whole expansion process and looking at the post from Carlos
(thanks Carlos and Hi right back at ya) the GroupCount/GroupIds fields
explanation for the kerb ticket seems, at least to me at first blush, to
be verification. The note chain I have is very high level, no level of
detail like the doc Carlos posted.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships


Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of
SIDs in the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than
120), it sounds like you'll have to increase the MaxTokenSize value in
your environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825)

As you'll be authenticated via Kerberos on the Server you're trying to
join to AD at the time of joining it, I'd try to change the
MaxTokenSize value in the registry on the server itself PRIOR to joining
it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group which further
decreases the number of real groups your Kerberos ticket will be able
to accept by default to approx. 60.

/Guido

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-28 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
or you've consolidated multiple domains with overlapping users and groups
and have (deliberately) merged these into the same AD user & group...

/Guido

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 28 August 2003 00:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships

At least. If you have multiple sids in the token history you could use
even more space. Say the case that you moved a group between domains
multiple times, you would have a SID for every move + the final domain
sid which was current. 

  Joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships


By extension, if you've got nested groups that carry SID-history
baggage, does that mean that you're further limited? In other words, a
nested group pair, where both groups have SID history defined, takes 4
token slots?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-28 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Joe, do you have any more info on this?  I'm just wondering how this should
work - if a Kerberos token only stores the RID of a group, which process
would then explode that information to the full SID format when it is needed
to analyse ACLs for the effective permissions of the user?

If this is done by a certain fix (which one?) then this would change the
whole picture of authentication processing for Windows 2000 and would
probably be required on all machines that receive this new version of the
Kerberos ticket...


Would be glad to read more about this - thanks,
Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 26 August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.
The error was:

The Parameter is incorrect

We narrowed it down to the fact that the admins with problems had a
large number of nested group memberships (400+).  If we removed the
group memberships the admin could join the server to the domain with no
problem. We opened a call with Microsoft PSS, who advised us to install
the hotfix mentioned in 
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the
problem again, albeit intermittently.  We re-opened the case with PSS
and they have advised us that the problem is due to the accumulation of
too many SIDs in the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There
is no workaround apparently, this is behaviour by design.  

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating
not knowing the true cause behind the issue.  The only thing we know is
that it has something to do with the size of the access token, but no
real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-28 Thread Joe
I'll see if I can dig up the note I have from PSS on it. 

  joe



RE: [ActiveDir] Problems with too many nested group memberships

2003-08-28 Thread Joe
Also I seem to recall them saying that the functionality has been on the
client receiving side for some time, they just never added the
functionality to the DC side because I had responded with a question
similar to yours Guido.


   joe



RE: [ActiveDir] Problems with too many nested group memberships

2003-08-28 Thread Carlos Magalhaes

Here is some info just to understand what sits inside the ticket and how it's used:


To validate the request and the digital signature on it, the KDC will first validate a certificate. The KDC will query the Active Directory for a mapping between the certificate and a Windows 2000 SID; if it finds a mapping, it will issue a TGT for the corresponding SID.

The Windows 2000 KDC creates a new service ticket for the user principal to access the resource. 


INFO IN THE TICKET:


KickOffTime - the time at which the server should forcibly logoff
 the client. If the client should not be forced off, this
 field should be set to (0x7fffffff,0xffffffff).
 UserId - This field contains the relative Id for the client. If
 zero, then the User ID is the first SID in the ExtraSids
 field.
 PrimaryGroupId - This field contains the relative ID for this
 client's primary group.
 GroupCount - This field contains the number of groups, within the
 client's domain, to which the client is a member.
 GroupIds - This field contains an array of the relative Ids and
 attributes of the groups in the client's domain of which the
 client is a member.
 UserFlags - This field contains information about which fields in
 this structure are valid. The two bits that may be set are
 indicated below. Having these flags set indicates that the
 corresponding fields in the KERB_VALIDATION_INFO structure
 are present and valid.


 #define LOGON_EXTRA_SIDS 0x0020
 #define LOGON_RESOURCE_GROUPS 0x0200


 LogonDomainId - This field contains the SID of the client's domain.
 This field is used in conjunction with the UserId,
 PrimaryGroupId, and GroupIds fields to create the user and
 group SIDs for the client.
 SidCount - This field contains the number of SIDs present in the
 ExtraSids field. This field is only valid if the
 LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
 ExtraSids - This field contains a list of SIDs for groups to which
 the user is a member. This field is only valid if the
 LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
 ResourceGroupCount - This field contains the number of resource
 groups in the ResourceGroupIds field. This field is only
 valid if the LOGON_RESOURCE_GROUPS flag has been set in the
 UserFlags field.
 ResourceGroupDomainSid - This field contains the SID of the resource
 domain. This field is used in conjunction with the
 ResourceGroupIds field to create the group SIDs for the
 client.
 ResourceGroupIds - This field contains an array of the relative Ids
 and attributes of the groups in the resource domain of which
 the resource is a member.


 When used in the KERB_VALIDATION_INFO, this is NDR encoded. The
 FILETIME type is defined as follows:


 typedef unsigned int DWORD;


 typedef struct _FILETIME {
 DWORD dwLowDateTime;
 DWORD dwHighDateTime;
 } FILETIME;



Times are encoded as the number of 100 nanosecond increments since
 January 1, 1601, in UTC time.


 When used in the KERB_VALIDATION_INFO, this is NDR encoded. The
 UNICODE_STRING structure is defined as:


 typedef struct _UNICODE_STRING {
 USHORT Length;
 USHORT MaximumLength;
 [size_is(MaximumLength / 2), length_is((Length) / 2) ]
 USHORT * Buffer;
 } UNICODE_STRING;


 The Length field contains the number of bytes in the string, not
 including the null terminator, and the MaximumLength field contains
 the total number of bytes in the buffer containing the string.


 The GROUP_MEMBERSHIP structure contains the relative ID of a group
 and the corresponding attributes for the group.


 typedef struct _GROUP_MEMBERSHIP {
 ULONG RelativeId;
 ULONG Attributes;
 } GROUP_MEMBERSHIP, *PGROUP_MEMBERSHIP;


 The group attributes must be:


 #define SE_GROUP_MANDATORY (0x0001L)
 #define SE_GROUP_ENABLED_BY_DEFAULT (0x0002L)
 #define SE_GROUP_ENABLED (0x0004L)


 The SID structure is defined as follows:



 typedef struct _SID_IDENTIFIER_AUTHORITY {
 UCHAR Value[6];
 } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;


 The constant value for the NT Authority is 


 #define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}


 typedef struct _SID {
 UCHAR Revision;
 UCHAR SubAuthorityCount;
 SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
 [size_is(SubAuthorityCount)] ULONG SubAuthority[*];
 } SID, *PSID;


The SubAuthorityCount field contains the number of elements in the
 actual SubAuthority conformant array. The maximum number of
 subauthorities allowed is 15.


 The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and
 their corresponding attributes:


 typedef struct _KERB_SID_AND_ATTRIBUTES {
 PSID Sid;
 ULONG Attributes;
 } KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;


 The attributes are the same as the group attributes defined above.


Signatures (PAC_SERVER_CHECKSUM and PAC_PRIVSVR_CHECKSUM)


 The PAC contains two digital signatures: one using the key of the
 server, and one using the key of the KDC. The signatures are present
 for two reasons. First

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Tony, I believe that the 1000 SID limit is only relevant for NTLM
authentication - the Kerberos ticket accepts a far smaller number of SIDs in
the Token by default (roughly 120).

With the number of group-memberships that you have (likely more than 120),
it sounds like you'll have to increase the MaxTokenSize value in your
environment (even after applying the fix
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825) 

As you'll be authenticated via Kerberos on the Server you're trying to join
to AD at the time of joining it, I'd try to change the MaxTokenSize
value in the registry on the server itself PRIOR to joining it to AD.

Also - have the groups which the user is a member of been migrated with
SID-History?  In this case you'll have 2 SIDs per group which further
decreases the number of real groups your Kerberos ticket will be able to
accept by default to approx. 60.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Dienstag, 26. August 2003 16:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems with too many nested group memberships

I'm hoping someone can shed some light on this.

The background

A while ago some admins had problems joining servers to an AD domain.  The
error was:

The Parameter is incorrect

We narrowed it down to the fact that the admins with problems had a large
number of nested group memberships (400+).  If we removed the group
memberships the admin could join the server to the domain with no problem.
We opened a call with Microsoft PSS, who advised us to install the hotfix
mentioned in 
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the problem
again, albeit intermittently.  We re-opened the case with PSS and they have
advised us that the problem is due to the accumulation of too many SIDs in
the access token
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
no workaround apparently, this is behaviour by design.  

The problem I have with this is that, even with nesting, the problem
accounts are members of far fewer than the 1000 groups mentioned in the KB
article.  This is still open with PSS.

Obviously, we have a workaround to the problem, but it is frustrating not
knowing the true cause behind the issue.  The only thing we know is that it
has something to do with the size of the access token, but no real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Roger Seielstad
By extension, if you've got nested groups that carry SID-history baggage,
does that mean that you're further limited? In other words, a nested group
pair, where both groups have SID history defined, takes 4 token slots?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
 [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, August 27, 2003 7:41 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Problems with too many nested group 
 memberships


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
I agree on cleaning up the SID histories. Also, the number of groups you
are in before you break can vary greatly based on where in the forest
the groups are located. One of the fixes implemented changes how the
group information is stored in the token: if the groups are all local to
the domain the user is in then only the RID is needed; however, if the
groups are from other domains, the entire SID is stored. This would be
the difference in space usage of something like:

S-1-5-21-1275210071-789336058-1957994488-3146
and
3146





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, August 27, 2003 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems with too many nested group memberships
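As an added example (not code from the thread, nor from the PAC draft Carlos quoted), the Python below encodes the SID structure given in Carlos's post, rebuilds group SIDs from LogonDomainId plus the GroupIds RIDs as the KERB_VALIDATION_INFO field descriptions say, and puts byte counts on Joe's RID-versus-full-SID comparison and on Guido's point that SID-history doubles the entries per group. Assumptions: the domain SID is taken from Joe's example SID, and the per-entry sizes ignore NDR pointer and alignment overhead, so they are lower bounds rather than the exact on-the-wire size.

```python
import struct

# Flag and attribute values as quoted in the thread's PAC excerpt.
LOGON_EXTRA_SIDS = 0x0020
LOGON_RESOURCE_GROUPS = 0x0200
SE_GROUP_MANDATORY = 0x0001
SE_GROUP_ENABLED_BY_DEFAULT = 0x0002
SE_GROUP_ENABLED = 0x0004
DEFAULT_GROUP_ATTRIBUTES = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT
                            | SE_GROUP_ENABLED)
MAX_SUB_AUTHORITIES = 15   # limit stated for the SubAuthority conformant array

# Domain part of Joe's example S-1-5-21-...-3146 (3146 is the group RID).
EXAMPLE_DOMAIN_SID = "S-1-5-21-1275210071-789336058-1957994488"


def parse_sid(text):
    """Split 'S-1-5-21-...-3146' into (revision, identifier_authority, [sub_authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"{len(subs)} sub-authorities, maximum is {MAX_SUB_AUTHORITIES}")
    return revision, authority, subs


def sid_to_bytes(text):
    """Encode the _SID struct from the post: Revision (1 byte), SubAuthorityCount
    (1 byte), IdentifierAuthority (6 bytes, big-endian; NT authority is {0,0,0,0,0,5}),
    then SubAuthorityCount little-endian ULONGs."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}L", *subs))


def bytes_to_sid(data):
    """Decode sid_to_bytes() output back to its string form (decimal authority assumed)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SubAuthorityCount does not match buffer length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}L", data[8:])
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs)


def expand_validation_info(logon_domain_id, group_ids, user_flags=0, extra_sids=()):
    """Rebuild the group list a server derives from KERB_VALIDATION_INFO: each
    GroupIds entry is (RelativeId, Attributes) relative to LogonDomainId, while
    ExtraSids holds (whole SID, Attributes) pairs that only count when the
    LOGON_EXTRA_SIDS bit is set in UserFlags."""
    groups = [(f"{logon_domain_id}-{rid}", attrs) for rid, attrs in group_ids]
    if user_flags & LOGON_EXTRA_SIDS:
        groups.extend(extra_sids)
    return groups


def group_entry_bytes(sid_text, in_logon_domain):
    """Joe's comparison in bytes: a group of the client's own domain travels as a
    GROUP_MEMBERSHIP entry (RelativeId + Attributes = 8 bytes); any other SID
    travels as KERB_SID_AND_ATTRIBUTES (Attributes + the whole encoded SID).
    Assumption: NDR pointer and alignment overhead is ignored (lower bound)."""
    if in_logon_domain:
        return 8
    return 4 + len(sid_to_bytes(sid_text))


def token_group_bytes(logon_domain_id, groups):
    """Sum the entry cost of dicts {"sid": ..., "sid_history": [...]}. A migrated
    group (Guido's point) costs its current entry plus one full-SID entry per
    SID-history value, e.g. 8 + 32 bytes for an in-domain group with one old SID."""
    total = 0
    for g in groups:
        in_domain = g["sid"].rsplit("-", 1)[0] == logon_domain_id
        total += group_entry_bytes(g["sid"], in_domain)
        total += sum(group_entry_bytes(old, False) for old in g.get("sid_history", ()))
    return total


if __name__ == "__main__":
    sid = f"{EXAMPLE_DOMAIN_SID}-3146"
    encoded = sid_to_bytes(sid)
    print(sid, "->", encoded.hex(), f"({len(encoded)} bytes)")
    print("RID-only entry:", group_entry_bytes(sid, True), "bytes;",
          "full-SID entry:", group_entry_bytes(sid, False), "bytes")
```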


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Tony Murray
Thanks Joe and Guido

All the groups are in the same domain.  No SIDHistory with either the user account or 
the groups.

We have tried changing the MaxTokenSize value on the member server before the join, 
but it doesn't appear to make any difference.

The really strange thing is that the joins sometimes work and sometimes don't.  This 
happens even when using a test machine (VMWare, bridged networking) and the same 
account (and same group memberships).

We are going down the NetMon route now to try and see what the difference is between 
the working and non-working joins.  Only problem is that we are in a join always 
works phase right now!  Argghgh.

Tony
-- Original Message --
From: Joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 27 Aug 2003 08:10:55 -0400


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Peck, John C SITI-ITDPAD
Sounds identical to some problems that Shell has experienced recently.

John Peck
Shell Information Technology International
IT Infrastructure Projects 
(Phone) 713-245-2183
(Office) IC - 5S06

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

 -Original Message-
From:   GRILLENMEIER,GUIDO (HP-Germany,ex1)
[mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, August 27, 2003 6:41 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Problems with too many nested group
memberships


RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
yeap.  

Which doesn't mean that you should now hurry and simply perform SID-History
cleanup in your environment without doing the necessary investigations.
Your environment might still heavily rely on SID-History without you
realizing it...  

Even if you've done your re-acling on all existing fileservers and you've
got nothing left of the migrated NT4 domains, it is not uncommon that
companies that have leveraged the ADC during an Ex5.5 to E2k Migration still
have loads of legacy SIDs on their Public Folders and even on many of their
mailboxes.

You might be fine from a FileSystem point of view - but Exchange 2000/2003
(depending on how you've migrated) is a totally different story. The newer
migration tools will now also tackle PF re-acling and I'm sure that someone
else will come up with some other nice scripts in the near future - but
you'll definitely have to watch out for this.

/Guido

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 27. August 2003 14:10
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships

RE: [ActiveDir] Problems with too many nested group memberships

2003-08-27 Thread Joe
At least. If you have multiple sids in the token history you could use
even more space. Say the case that you moved a group between domains
multiple times, you would have a SID for every move + the final domain
sid which was current. 

  Joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships