Q. Is it true that I don't need to worry about duplicate machine SIDs anymore?

A. For a long time it has been understood that duplicate machine SIDs are a bad thing, so any environment that deploys machines from an image always performs a step to regenerate the SID, such as running Microsoft's SYSPREP before capturing the image.

Mark Russinovich recently posted an article stating that duplicate machine SIDs are not a problem in practice: the machine SID only ever appears in the SIDs of that computer's local accounts, and once a machine joins a domain, users and the computer account itself are identified by SIDs issued by the domain, which are unique. Nobody at Microsoft could come up with a case where a duplicate machine SID causes a security problem.

It is important to realize that just because Windows security still functions correctly with duplicate machine SIDs, it doesn't mean every application will. Some applications, rightly or wrongly, still use the machine SID to identify a computer uniquely (for example, as a licensing or inventory key), so if you have duplicate SIDs in an environment you may see those applications start to break. Application developers have long assumed the machine SID would always be unique, which was Microsoft's official guidance for years.

At this point, I would still err toward ensuring your machines' SIDs are unique until you have time to perform in-depth testing to ensure that no applications or services in your environment rely on unique machine SIDs.
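Before deciding whether duplicates matter in your environment, it helps to know whether you actually have any. The following PowerShell is an added example and not part of the original FAQ; it recovers each computer's machine SID from the built-in Administrator account (RID 500, which exists on every Windows installation even when renamed or disabled) and reports any SID shared by two or more hosts. It assumes you have WMI/WinRM access and local administrator rights on the listed computers; the host names in the usage line are hypothetical.

```powershell
# Added example, not from the original FAQ. Assumes WMI/WinRM access and local
# admin rights on each host named.
function Get-MachineSid {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator account (RID 500) always exists, so it is a reliable anchor
    # for recovering the machine SID. LocalAccount = TRUE keeps the query from
    # enumerating domain accounts on a domain-joined machine.
    $cimArgs = @{
        ClassName = 'Win32_UserAccount'
        Filter    = "LocalAccount = TRUE AND SID LIKE '%-500'"
    }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }

    $account = Get-CimInstance @cimArgs
    if (-not $account) { throw "No RID-500 local account found on $ComputerName" }

    # AccountDomainSid strips the trailing RID, leaving S-1-5-21-x-y-z.
    $sid = [System.Security.Principal.SecurityIdentifier]$account.SID
    [pscustomobject]@{
        ComputerName = $ComputerName
        MachineSid   = $sid.AccountDomainSid.Value
    }
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $results = foreach ($c in $ComputerName) {
        try   { Get-MachineSid -ComputerName $c }
        catch { Write-Warning "$c : $_" }
    }

    # Any machine SID that appears on two or more hosts is a duplicate.
    $results | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            MachineSid = $_.Name
            Computers  = ($_.Group.ComputerName -join ', ')
        }
    }
}

# Usage (hypothetical host names):
# Find-DuplicateMachineSid -ComputerName 'WS01','WS02','WS03' | Format-Table -AutoSize
```

Run it against the machines cloned from one image; an empty result means the imaging process regenerated SIDs as intended. A non-empty result tells you exactly which hosts share a SID, which is the list to test against any application that keys on the machine SID before you decide the duplicates are harmless.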

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.