Yes you do need to worry about SIDs when you clone virtual machines – reasserting the ‘myth’

  • This article’s alternative title is “Do not always trust Google, or even those who seem so much smarter than you are – you never know, you may be cleverer than you think!”

Today I did what a lot of I.T. people have done in the past, and will no doubt do in the future. All I wanted to do was make a ‘test’ Active Directory to do some testing with. I won’t go into all the details, but (suffice to say) I made two copies of my ‘test’ VMware Workstation image (loaded with a blank / vanilla-build installation of Windows 2008 R2).

  • On one of these images, I renamed the server and ran ‘dcpromo’ to make it a domain controller.
  • The intention was to make the second server image a member of that new AD (domain).

Having been in the I.T. business for 20 years I was well aware of the need to change the SID on one of these images (to stop potential problems), so I did a quick Google to remind myself of how to do this. I was surprised to find that (near the top of Google’s results) there was an article (also referred to here and here) written by seriously clever (Microsoft-associated) people telling me that it was no longer necessary to re-SID (a.k.a. ‘NewSID’) Windows 2008 R2 servers (and indeed that it probably was not necessary for many earlier versions of Windows either).

Like many people, I was massively surprised by this. However, I’ve recently found that taking Google’s advice (instead of relying on my gut belief) tends to be correct. (Incidentally, I’ve similarly found myself trusting my SatNav more and more – and switching off my personal “I’m sure I know the best route” mechanism, but that’s another story.)

  • I therefore decided to take the plunge, and *not* change the SID.

In some ways I was unsurprised to find that my system did not work. The solution? To change the SID of course!

If you’re interested in the full details, read on. If not, I guess it’s a lesson to us all – sometimes do not trust Google!

====================================

Here is the strange thing I saw when trying to add domain users into my ‘administrators’ group (on the second/member server):

[Screenshot: Weird things before I changed SID - essentially I could not add users into groups]

The solution was to run sysprep (for example see instructions here or here). Afterwards, everything looked OK:

[Screenshot: after Sysprep]

If you are really interested, then I believe that the answer to all of this is explained by Chris Lowde in his post (5 Nov 2009 8:39 AM) here.
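
A check for the condition described above, as an added example that is not part of the original post: it compares the machine SID of the cloned member server with a SID taken from the other image, so a clone that was never sysprepped is caught before it is joined to the domain. The parameter name `ReferenceSid` and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run on the cloned member server.
# -ReferenceSid is a SID copied from the other image, for example the value
# shown by `whoami /user` on the domain controller (hypothetical parameter name).
param(
    [Parameter(Mandatory = $true)]
    [string]$ReferenceSid
)

function Get-MachineSid {
    # Local accounts have SIDs of the form <machine SID>-<RID>.
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if (-not $account) {
        throw "No local accounts returned; run this on the member server."
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($account.SID)
    # AccountDomainSid drops the trailing RID, leaving S-1-5-21-x-y-z.
    return $sid.AccountDomainSid.Value
}

function Test-SidCollision([string]$Local, [string]$Reference) {
    # Parse the reference the same way, so a pasted account SID (with RID)
    # and a bare S-1-5-21-x-y-z value are both accepted.
    $ref = New-Object System.Security.Principal.SecurityIdentifier($Reference)
    $refDomain = if ($ref.AccountDomainSid) { $ref.AccountDomainSid.Value } else { $ref.Value }
    return ($Local -eq $refDomain)
}

$machineSid = Get-MachineSid
if (Test-SidCollision $machineSid $ReferenceSid) {
    Write-Warning "Machine SID $machineSid matches the reference image: run sysprep on this clone first."
} else {
    Write-Output "Machine SID $machineSid differs from the reference image."
}
```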