3.1.1.9.2 objectSid Value Generation

This section is referenced by object creation triggers to update the objectSid attribute with a SID value. The SID value is generated by first generating a 32-bit unsigned integer value (the RID) and then concatenating that value with the account domain security identifier.

The key part of this section is how the RID is generated, because it MUST be unique for all time and space for a given domain. For all algorithms, once the RID is generated, the SID value is generated as specified in the previous sentence, and the objectSid attribute is updated with that value.

The simplest RID-generation algorithm is to maintain a counter and increment the counter for each RID that is issued. This algorithm is entirely sufficient for the non–domain controller case for this protocol. In a distributed environment, where any domain controller might be creating a security principal and therefore needs to assign a RID to that principal, the algorithm becomes more complicated. Many schemes are possible, up to and including a distributed counter, as described in [LAMPORT].

The RID-generation algorithm is different between a DC and non-DC configuration.

The following specifications present the constraints that MUST be satisfied when generating a RID. Generating RIDs in a monotonically increasing manner when possible (in addition to satisfying the constraints) is one implementation choice, but is not required.
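The following is an added worked example, not code from this specification or from any Microsoft implementation. It shows the non-DC case only: a per-domain counter that never reissues a RID, the concatenation of that RID onto the account domain SID, and the SID's binary encoding (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities, the layout defined in MS-DTYP). The class and function names (`Sid`, `RidAllocator`, `generate_object_sid`) are illustrative, and the domain SID value is a constructed sample.

```python
import struct
from dataclasses import dataclass

RID_MAX = 0xFFFFFFFF  # a RID is a 32-bit unsigned integer


@dataclass(frozen=True)
class Sid:
    """A security identifier: revision, identifier authority, sub-authorities."""
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def from_string(cls, text):
        # Parse the textual form "S-<rev>-<authority>-<sub1>-<sub2>-...".
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError("not a SID string: %r" % text)
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, data):
        # Binary layout (MS-DTYP): revision (1), count (1), authority (6, big-endian),
        # then `count` little-endian uint32 sub-authorities.
        revision, count = struct.unpack_from("<BB", data, 0)
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, authority, tuple(subs))

    def to_string(self):
        return "S-%d-%d" % (self.revision, self.identifier_authority) + \
            "".join("-%d" % s for s in self.sub_authorities)

    def to_bytes(self):
        if len(self.sub_authorities) > 15:
            raise ValueError("a SID carries at most 15 sub-authorities")
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.identifier_authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + authority + subs

    def with_rid(self, rid):
        # objectSid = account domain SID with the RID appended as the last sub-authority.
        if not 0 <= rid <= RID_MAX:
            raise ValueError("RID out of 32-bit range: %d" % rid)
        return Sid(self.revision, self.identifier_authority, self.sub_authorities + (rid,))


class RidAllocator:
    """The simplest scheme from the text: a monotonically increasing counter.

    Sufficient for a single (non-DC) SAM database only. In a multi-DC domain every DC
    could be creating principals, so the counter itself would have to be coordinated;
    that coordination (e.g. a distributed counter) is out of scope for this example.
    """

    def __init__(self, first_rid=1000):
        self._next = first_rid
        self._issued = set()

    def allocate(self):
        rid = self._next
        if rid > RID_MAX:
            raise RuntimeError("RID space for this domain is exhausted")
        self._next += 1
        self._issued.add(rid)  # record so the uniqueness invariant can be audited
        return rid

    def was_issued(self, rid):
        return rid in self._issued


def generate_object_sid(domain_sid, allocator):
    """Produce the objectSid value for a newly created security principal."""
    return domain_sid.with_rid(allocator.allocate())


# Constructed sample account-domain SID (not a real domain).
DOMAIN_SID = Sid.from_string("S-1-5-21-1111111111-2222222222-3333333333")

if __name__ == "__main__":
    alloc = RidAllocator()
    for _ in range(3):
        sid = generate_object_sid(DOMAIN_SID, alloc)
        print(sid.to_string(), sid.to_bytes().hex())
```

The counter guarantees the uniqueness constraint only as long as its state survives restarts; persisting `_next` durably before handing out a RID is what makes "unique for all time" hold in practice, and is the part a multi-DC deployment has to coordinate across replicas.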