Server SIDs and cloning.

Am I correct in saying that, in a domain environment, you don't have to sysprep cloned Win2003 VMs for them to work properly?

My vanilla server image is in a workgroup. I then clone it, change its name and then join the domain. Is this all I have to do? Or do I have to faff around with NewSID or sysprep?

cheers
 
AFAIK you don't need to sysprep or mess with SIDs. I must admit it has been a long time since I used imaging for rolling out systems, so I may be wrong.
 
Cheers, I kinda guessed you didn't, as I've created 6 now and they all joined the domain fine with no error events etc. I was just checking, as I don't want to hand these over to the owners and then have them shouting at me when they don't work.
 
Ahh... no idea about that one then. Not used VS2005 in years. Never had an inbuilt sysprep option as far as I can remember, but then this was before VMM was even released.
 
I'm just presuming it works, as they have joined the domain fine, I can log in using a domain account, and WSUS picks them up (this was always flaky with cloned machines).

I'd get errors if the SIDs were the same wouldn't I?
 
I'm just presuming it works, as they have joined the domain fine, I can log in using a domain account, and WSUS picks them up (this was always flaky with cloned machines).

I'd get errors if the SIDs were the same wouldn't I?


You could always check the SID... I think NewSID shows you the SID before asking you if you want to change it.
 
If your vanilla image is in a workgroup, and you join a domain after starting the cloned machine, then the process of name change and joining the domain will change the SID.

Cloning is only a problem if the donor image is already in the domain.

Typically in a Virtual Environment the template is already in the domain so you use sysprep with the template to generate a new SID.
 
If your vanilla image is in a workgroup, and you join a domain after starting the cloned machine, then the process of name change and joining the domain will change the SID.

Since when? Adding a computer to a domain does not change the SID. If you've created your image properly and run a sysprep then it will create a new SID, otherwise it won't.

EDIT: I know there's the MS article that states "Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SID's based on the Domain SID", but I've personally seen it cause issues.

EDIT2: Although I'll admit I've only seen it that once in probably the several thousand PCs/servers I've set up.
 
You need to change the SID. You'll be having duplicate machine SIDs and that's bad bad juju.

I've seen it cause a disaster on an SMS rollout. All the machine SIDs were the same, so SMS thought we had one machine with hundreds of network cards. It then tried to deploy the agent to it, over all of its NICs, and brought the network down.
 
I've seen it cause a disaster on an SMS rollout. All the machine SIDs were the same, so SMS thought we had one machine with hundreds of network cards. It then tried to deploy the agent to it, over all of its NICs, and brought the network down.

Sorry, I'm sure it wasn't funny at the time, but crazy things like this always make me chuckle. It's amazing how many ways you can totally take down a network "accidentally".
 
Sorry, I'm sure it wasn't funny at the time, but crazy things like this always make me chuckle. It's amazing how many ways you can totally take down a network "accidentally".

No, it was funny at the time too. We told them about the SIDs ages before; they thought they knew best "because it's never caused a problem before".

The sight of the terrified network manager running into the room shouting "it's all gone red!!!!" will stay with me forever :)

Well, you can take a horse to water...
 
From the wiki:

"Now the truth is that when the computers are joined into a domain (Active Directory or NT domain for instance), each computer has a unique Domain SID which is recomputed each time a computer enters a domain. Thus there are usually no real problems with Duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue that is the same as the one described above when the computers are members of a Workgroup but that affects only the files and resources protected by local users, not by domain users"

OK, well I ran NewSID on all the machines I cloned, and they do still have the same SID, even after being cloned from a workgroup server, renamed and joined to the domain. I guess the Domain SID is somewhere else.

I'll change these SIDs anyway, as it can't do any harm, huh... (or will I have to leave/join the domain again once I do it?)
 
Why don't you have your base image already in a sysprep state? It only takes a couple of minutes to bring the machine out of sysprep, and your SID problems are taken care of.
 
Then it's a pain to keep your base image up to date with hotfixes, as every time you start it to update it, it'll go through the sysprep process.

What I'll do from now on is just clone the machine and, before I do anything else on it, NewSID it. Not that it really matters anyway, as the Domain SID overrides the local SID in all things AD-wise.

I've found out since asking the initial question here that we have LOTS of servers in our domain, built by people before me, that have the same SID, and they have been working fine for years.
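The thread's disagreement comes down to two different SIDs: the local machine SID (baked into the image and inherited by every clone unless sysprep or NewSID regenerates it) and the computer account SID that the domain issues at join time. The check below is an added example, not code posted by anyone in the thread: it reads each server's local machine SID by taking the SID of the built-in local Administrator account (RID 500) and stripping that trailing RID, then groups the results to flag clones that still share a machine SID. The server names are constructed placeholders, and the script assumes PowerShell remoting is enabled with local admin rights on each host; the optional domain-side comparison assumes the RSAT ActiveDirectory module.

```powershell
# Added example: find cloned servers that still share a local machine SID.
# Server names below are constructed placeholders; substitute your own list.
$servers = @('srv01', 'srv02', 'srv03')

$results = foreach ($s in $servers) {
    $machineSid = Invoke-Command -ComputerName $s -ScriptBlock {
        # The local Administrator account always has RID 500, so its full SID is
        # "<machine SID>-500". Pick it by RID rather than by name in case the
        # account was renamed. LocalAccount=True excludes domain accounts.
        $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
                 Where-Object { $_.SID -like '*-500' }
        $full = $admin.SID
        # Strip the trailing RID to get the machine SID itself.
        $full.Substring(0, $full.LastIndexOf('-'))
    }
    New-Object PSObject -Property @{ Server = $s; MachineSid = $machineSid }
}

# Report every machine SID that appears on more than one server.
$results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "Duplicate machine SID $($_.Name) on: $($_.Group | ForEach-Object { $_.Server })"
}

# Optional (needs the ActiveDirectory module): show that the domain computer
# account SID is issued per join and differs from the local machine SID above.
# Each value is "<domain SID>-<RID>", so two clones with the same machine SID
# still get distinct computer account SIDs.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
foreach ($s in $servers) {
    $acct = Get-ADComputer -Identity $s -ErrorAction SilentlyContinue
    if ($acct) { "$s domain computer account SID: $($acct.SID.Value)" }
}
```

Run it from a management host that can reach all the servers. A duplicate listed in the first report means those machines share ACL entries for local accounts (the situation the wiki quote above describes as the real risk), while the second report shows why domain authentication itself keeps working: the domain-issued computer account SIDs are unique even when the local machine SIDs are not.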
 