“The SDDL string contains an invalid sid or a sid that cannot be translated”

by Doug on November 23, 2011

in Active Directory,AD LDS,ADAM,Schema,Windows

If you have arrived at this page because of a search covering the nefarious (and cryptic) error message, “The SDDL string contains an invalid sid or a sid that cannot be translated”, then search no further.  Of course, I should mention that this error, although being unique, is one that can actually occur for many different Microsoft products.  However, for the intent and purpose of this post, I am referring to this exception being thrown while attempting to synchronise ADAM/AD LDS with Active Directory using ADSchemaAnalyzer.

I have been contacted about this error a few times and, it was not until the last time I was contacted, that it finally clicked for me as to why this was occurring.  Here is the very quick answer for those who do not want to wait:

If you get this error while trying to sync your ADAM/AD LDS instance with Active Directory, it simply means that the host from which the sync is being initiated is not joined to the domain, thus not trusted to perform any sync activities.

Now for a bit of a longer answer.  When you synchronise your ADAM/AD LDS instance with Active Directory, you are attempting to enter into a trusted relationship with AD.  This is no different than walking up to someone you know and saying, “Hey, I need to copy down your emergency contact info in the event that I need to use it at a later date”.  If you do not know the aforementioned person, you will not get the data because you are not trusted by/known to them.  This would otherwise be known as, “Piss off, I really do not have time for this…stalker.”  Ok, perhaps we should not look at ADAM/AD LDS as “stalkers”, but I think the point is made.  In order to get the information you want/need, there needs to be some trust in the relationship between the two entities.

The trust that needs to take place between an ADAM/AD LDS instance and an Active Directory DC comes in the form of being domain-joined (you have set your DNS to the AD DC and, you have an identity on the DC that can perform synchronisation activities (e.g. security group membership, username/password).  When you have both of these items and you attempt to synchronise your ADAM/AD LDS instance with your DC, the conversation go a little something like this:

“Hey, Win2k8R2.fnet.local, I know we have to spoken in a while, but I wanted to catch up with and see what has been going on with you.  You remember, right?  I joined your group approximately a year ago and have been working with your server team.  I have recently been promoted and need to get some additional information from you.  You need to vet and verify me?  Not a problem, here is the information you need to know.”  And on and on until they finally synchronise information to the ADAM/AD LDS instance.

Without this trust, the conversation would go nowhere because the ADAM/ AD LDS server is not known, therefore now trusted, by the DC.

You might be wondering, “Doug, did you not show us how to disable directory security to allow for a sync without using SSL?”  Yes, I did, but that is simply allowing traffic to pass in the clear between two trusted devices; This is not recommended, but is certainly helpful when first setting up a synchronised ADAM/AD LDS instance.  In addition, it is not the same because the DC does not have any reference point (SID) for the ADAM/AD LDS instance/server that is trying to perform the sync.

In the long run, this makes perfect sense simply for the fact of security and trust.  I did look into the possibility of getting around this, but then considered the ramifications of getting this untrusted connection/sync to work; I would essentially be showing you how to subvert necessary safeguards that have been built into Active Directory to help preclude this type of activity from occurring.  Also, the last thing I want is for one of you to come back to me and say, “Thanks for helping me do something stupid on my network…the system was compromised and now our data is in the wild”.  I am not saying that a server cannot be compromised without this, but I do not want this to only add insult to injury.

So, there you have it.  Finally, a reason why you are getting the error, “The SDDL string contains an invalid sid or a sid that cannot be translated”.

{ 2 comments }

Update: New Exotic Wood Handle Materials

by Doug on September 19, 2011

in Custom Creations,Lock Picks

I wanted to dust off this blog and provide a materials stock update.  The following new woods are available for handle options once I re-open the store:

  • York Gum Burl – I purchased a cap of this fine burl from Hearne Hardwoods (linked) this weekend.  I absolutely love the figuring of this burl.  This is going to make some phenomenal handles.  Super dense.
  • Tulipwood – From Hearne Hardwoods, as well, this Tulipwood is phenomenally figured and should make some awesome handles.
  • Wych Elm Burl – Hearne Hardwoods has a section outside of their warehouse where they stack burl slabs and price them at $2 to $4 per pound.  I picked up two very nice (large) caps that came to only $30.  I have started cutting it and will be stablizing it soon.
  • Eucalyptus Burl
  • Curly/Premium Koa
  • Rambutan Burl
  • Spalted Cinnamon
  • Milo
  • Pink Ivory
  • Cherry
  • Sycamore
  • Big Leaf Elm Burl (although it looks more like Amboyna Burl)

At this point, I have enough wood to keep me in handles for a long time to come.  I am really excited to start working with each of these.

{ 0 comments }

Suspending Orders

by Doug on August 23, 2011

in Custom Creations,Lock Picks

Hey all,

I wanted to let you know that I am suspending orders until I am caught up with my current orders.  The pressure of having a day job, family and four orders beyond the 9-pick set on which I am working right now is too much.  I love making picks and want to keep it that way, thus the suspension of orders.  The additional reason is to make some picks that I want to make and then sell them on my site once I am done.  Any orders that have been placed will be made  in the order in which they were placed, so do not worry if you already ordered.  If you have any questions or comments, please do not hesitate to contact me.

-Doug

{ 0 comments }

One of my custom lock picks in action

by Doug on July 27, 2011

in Custom Creations,Lock Picks

I was doing a search in google for “ChonkyTonnks Lock Picks” (ChonkyTonks is my handle in the lock picking world) and found an awesome video from LSA showing one of my custom picks in action.  Awesome work, LSA!

{ 0 comments }

Lock Pick Orders Queue Update

07.19.2011

I wanted to post an update for everyone who has an order in the queue right now.  Currently, I am working on a 9-pick order which should take me a fair amount of time to complete (intricate designs).  I am hoping to be finished with said order in August.  Once you are up in the [...]

Read the full article →

Custom Creations: Ergonomics in design

06.30.2011

Here is, yet another, custom creation of mine: A notched hook with a custom ebony handle.  This was a fun pick to make, but a bitch to finish since I have been testing a lot of wood finishing techniques that left a lot to be desired.  I feel like I am now getting a handle [...]

Read the full article →

The Spice

06.04.2011

This was a fun pick to make.  I have never worked with Amboyna Burl before, but absolutely love the amount of figuring in the wood, along with the amazing smell of it, too.  I tried a shellac finish, but ended up sanding it back down to the wood so I could give it a matte [...]

Read the full article →

Yeah, I accidentally the whole last month…

05.26.2011

Has it really been two months since I last posted?  Yes, it has.  If you are expecting to see a veritable onslaught of new, custom picks that I have created, you are about to be let down.  In the last two months, I have only finished one pick.  Call me a slacker, if you must. [...]

Read the full article →

Custom Creations: 3-Piece Set

03.24.2011

Due to work and home life, my pick making has slowed down a bit.  It is a good change, however, as I was running a little hot from the initial influx of orders.  That has since calmed down and I am back to taking my time and enjoying the creative process. This is a commissioned [...]

Read the full article →

Custom Lock Pick Creations: Dual Bogota (3/4) with Custom Cocobolo Handle

02.22.2011

This is the latest pick that I created for a customer.  The handle design is borne of my own imagination, whereas the Bogota pick type is the brain child of Rai.  I am pleased with the finished product, but have learned a thing or two about working with wood on this one: Tread gently with [...]

Read the full article →

← Previous Entries