Hi,
I've searched high and low for this, and have finally caved and decided to post a question on this topic.
I recently did some debugging on a failing WinRM configuration, and found that I missed a fundamental part of Active Directory (AD) knowledge.
I ended up in a situation where I wanted to verify that the identifier of the computer account on my Active Directory server was correctly mapped to the computer on the network. So here it goes:
When a computer is installed with Windows, a local system SID is generated on that machine.
When that same computer is joined to a Windows domain, a domain GUID and SID are generated on the domain controller, and stored on the computer object.
I found, however, that the two SIDs are not the same, which according to Google is correct. But this leaves me with a question.
What is it that uniquely identifies the computer once it wants to authenticate to the AD? I know a "trust" is built between the computer and the domain controller. But what exactly is it that (later on) makes the computer capable of identifying/authenticating itself on the domain controller?
It can't be the SID, as the local computer SID and the domain computer account SID are not the same. I could imagine that the domain SID was stored on the local computer, making the computer able to tell the domain controller who it is. But I can't find anything to support this?
There are many articles out there explaining all kinds of stuff on the SID/GUID difference, what security principals are in general, and, not to forget, Mark R's SID duplication myth:
http://technet.microsoft.com/en-us/library/cc961625.aspx
http://technet.microsoft.com/en-us/library/cc780957%28v=ws.10%29.aspx
http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
I just can't find anything explaining this (for me) vital piece of information.
Cheers,
Kasper, Denmark
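The check the post is trying to do (confirm that the local machine SID and the domain computer account's SID/GUID are separate identifiers) can be scripted. This is an added example, not code from the original post; it assumes a domain-joined machine with the RSAT ActiveDirectory module installed and read access to the computer object.

```powershell
# Added example (not from the original post): compare the local machine SID
# with the SID and objectGUID of the computer account stored in AD.
# Assumptions: domain-joined host, RSAT ActiveDirectory module present,
# and the running account can read its own computer object.
Import-Module ActiveDirectory

# The local machine SID is the SID of the built-in Administrator (RID 500)
# with the trailing RID removed. LocalAccount=True keeps domain accounts out.
$localAdmin = Get-CimInstance Win32_UserAccount `
    -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
$localSid = $localAdmin.SID -replace '-500$', ''

# The domain computer account is the SAM account name "<hostname>$".
$adComputer = Get-ADComputer -Identity "$env:COMPUTERNAME$" -Properties objectGUID

[pscustomobject]@{
    LocalMachineSid    = $localSid
    DomainComputerSid  = $adComputer.SID.Value
    DomainComputerGuid = $adComputer.ObjectGUID
    SidsDiffer         = ($localSid -ne $adComputer.SID.Value)
}
```

SidsDiffer is expected to be True on any correctly joined host: the local SID only scopes local accounts and groups, while the domain SID is the principal the domain controller knows the machine by.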