U-Tools: Unique Tools for Windows System Administrators

Security Identifiers

Q: When I run UPromote to create a Backup Domain Controller (BDC), the program asks for permission to change the security identifier (SID) of my computer. What is a Security Identifier?

A: A security identifier is a number that uniquely identifies a computer in a network. Each member computer in a domain has a unique SID. Windows networking requires that all domain controllers in a domain share the same SID. So when you add the BDC, its SID must be changed to match the PDC's.

Q: Why does every domain need a unique SID?

A: The SID uniquely identifies a domain on the network. If two or more domains share the same SID, the member machines will appear to belong to both domains simultaneously. It is very important that each domain have a unique SID.

If you are using the DC on an isolated network (e.g., for testing or training), you do not need to change the SID.

Q: When UPromote changes the SID, it takes several minutes. What is it doing?

A: To change the SID, UPromote scans your entire registry and all of your files. It changes the registry keys and the ownership of the files to use the new SID.
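The following PowerShell script is an added, read-only example (it is not U-Tools or UPromote code) that shows the two ideas above in practice: how to read a machine's own SID and its domain's SID through the .NET SecurityIdentifier class (on a domain controller the two should match, on a member they should not), and how to audit a file tree or registry hive for objects whose owner still belongs to a given machine SID, which is the kind of leftover a SID change has to clean up. It assumes PowerShell 5.1 or later on a domain-joined Windows host; the function names and the sample paths are assumptions, and the old SID is a placeholder you replace.

```powershell
# Added example, not part of UPromote. Read-only: it reports SIDs and ownership
# but changes nothing. Requires PowerShell 5.1+ and .NET's System.Security.Principal.

function Get-MachineSid {
    # Every local account SID is "<machine SID>-<RID>"; AccountDomainSid strips the RID.
    # Assumption: at least one local account is enumerable via WMI/CIM.
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Select-Object -First 1
    $sid = [System.Security.Principal.SecurityIdentifier]$local.SID
    return $sid.AccountDomainSid
}

function Get-DomainSid {
    param([string]$Domain = $env:USERDOMAIN)
    # "Domain Users" (RID 513) exists in every Windows domain; resolving it needs a DC reachable.
    $acct = New-Object System.Security.Principal.NTAccount($Domain, 'Domain Users')
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    return $sid.AccountDomainSid
}

function Test-DcSidMatch {
    # On a domain controller the machine SID and the domain SID are the same value;
    # on a member computer they differ. Returns $true when they match.
    $machine = Get-MachineSid
    $domain  = Get-DomainSid
    return ($machine.Value -eq $domain.Value)
}

function Find-OwnerBySid {
    # Walk a file tree (e.g. 'C:\Data') or a registry hive (e.g. 'HKLM:\SOFTWARE') and
    # list every object whose owner SID was issued by $IssuerSid, i.e. whose owner is
    # "<IssuerSid>-<RID>". After a SID change, pass the OLD machine SID to find leftovers.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$IssuerSid
    )
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $acl   = Get-Acl -LiteralPath $_.PSPath -ErrorAction Stop
            $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        } catch {
            return   # access denied or unreadable ACL: skip, do not abort the audit
        }
        # Well-known SIDs (e.g. S-1-5-18) have no account domain; guard against $null.
        if ($owner.AccountDomainSid -and $owner.AccountDomainSid.Value -eq $IssuerSid.Value) {
            [pscustomobject]@{
                Path     = (Convert-Path $_.PSPath)
                OwnerSid = $owner.Value
            }
        }
    }
}

# Usage: report this host's SIDs and whether it looks like a DC.
"Machine SID : $((Get-MachineSid).Value)"
"Domain SID  : $((Get-DomainSid).Value)"
"DC SID match: $(Test-DcSidMatch)"

# Usage after a SID change: replace the placeholder with the previous machine SID
# (a constructed value, not a real one) and audit a directory and a hive.
# $old = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-OLD-MACHINE-SID-PLACEHOLDER'
# Find-OwnerBySid -Path 'C:\Data'        -IssuerSid $old
# Find-OwnerBySid -Path 'HKLM:\SOFTWARE' -IssuerSid $old
```

Get-Acl works against both the file system and the registry provider, so one function covers the two places UPromote scans. The audit compares the owner's AccountDomainSid rather than the full SID because ownership is held by individual accounts (machine SID plus RID), and it is the issuing machine SID, not the RID, that a SID change replaces.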

Q: I heard I can move a BDC by using a SID-changing tool such as newsid or Symantec Ghost. Will this work?

A: No. While SID-changing tools may work fine for NT Workstation, they do not work for NT Server. Changing the SID is necessary but not sufficient to move a BDC. For example, the database serial number must be synchronized with the PDC. Otherwise password replication will fail. UPromote will update all necessary registry values, in addition to changing the SID.

Q: Why does UPromote ask to change the SID when it converts a DC back to a standalone machine?

A: If you convert a domain controller back to a standalone machine, UPromote must change the SID to avoid a clash with the remaining domain controllers. The only time you do not need to change the SID is if you are destroying the domain; i.e., you know for certain that no other DCs exist and that no member computers belong to the domain (during testing, for example).

UPromote Frequently Asked Questions