Yes you do need to worry about SIDs when you clone virtual machines – reasserting the ‘myth’


  • This article’s alternative title is “Do not always trust Google, or even those who seem so much smarter than you are – you never know, you may be cleverer than you think!”.

Today I did what a lot of I.T. people have done in the past, and will no doubt do in the future. All I wanted to do was make a ‘test’ Active Directory to do some testing with. I won’t go into all the details, but (suffice to say) I made two copies of my ‘test’ VMware Workstation image (loaded with a blank / vanilla-build installation of Windows 2008 R2).

  • On one of these images, I renamed the server and ran ‘dcpromo’ to make it a domain controller.
  • The intention was to make the second server image a member of that new AD (domain).

Having been in the I.T. business for 20 years I was well aware of the need to change the SID on one of these images (to stop potential problems) so I did a quick Google to remind myself of how to do this. I was surprised to find out that (near the top of Google’s results) was an article (also referred to here and here) written by seriously clever (Microsoft-associated) people telling me that it was no longer necessary to re-SID (a.k.a. ‘NewSID’) Windows 2008 R2 servers (and indeed that it probably was not necessary for many earlier versions of Windows either).

Like many people, I was massively surprised by this. However, I’ve recently found that taking Google’s advice (instead of relying on my gut belief) tends to be correct. Incidentally, I’ve similarly found myself trusting my SatNav more and more (and switching off my personal “I’m sure I know the best route” mechanism), but that’s another story.

  • I therefore decided to take the plunge, and *not* change the SID.

In some ways I was unsurprised to find that my system did not work. The solution? To change the SID of course!

If you’re interested in the full details, read on. If not, I guess it’s a lesson to us all – sometimes do not trust Google!

====================================

Here is the strange thing I saw when trying to add domain users into my ‘administrators’ group (on the second/member server):

(Screenshot: weird things before I changed the SID)

The solution was to run sysprep (for example see instructions here or here). Afterwards, everything looked OK:

(Screenshot: after sysprep)

If you are really interested, then I believe that the answer to all of this is explained by Chris Lowde in his post (5 Nov 2009 8:39 AM) here.


3 thoughts on “Yes you do need to worry about SIDs when you clone virtual machines – reasserting the ‘myth’”

  1. From the Russinovich article, specifically addressing your scenario:

    “As I said earlier, there’s one exception to rule, and that’s DCs themselves. Every Domain has a unique Domain SID that’s the machine SID of the system that became the Domain’s first DC, and all machine SIDs for the Domain’s DCs match the Domain SID. So in some sense, that’s a case where machine SIDs do get referenced by other computers. That means that Domain member computers cannot have the same machine SID as that of the DCs and therefore Domain. However, like member computers, each DC also has a computer account in the Domain, and that’s the identity they have when they authenticate to remote systems.”

    Only your DC has to be unique, not your member machines.
    If you sysprepped only your DC VM before promoting it, you could then clone your 2nd VM (unique from the DC) 100 times without sysprep, and join all 100 of those clones to that DC without any SID problems.

    As mentioned in the Russinovich article and comments, there are some applications out there that use the SID as an identity, and these can fail, but Windows itself works fine.

    • You are absolutely correct in everything you say. I (like many people before and after me no doubt) had not read the article carefully enough to spot that.
      Part of the reason behind my post was to (perhaps) help others who had not read the other article carefully, but (perhaps) the main reason was because it was a reminder to myself to not always trust the ‘headlines’ (e.g. titles of the articles) of the results that we read when we all Google 🙂
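As an added illustration of the mechanism quoted in the comment above (this is not code from the post, nor from Russinovich’s article), the following Python model shows why the second clone could not resolve domain accounts while its machine SID still equalled the domain SID, and why a fresh SID from sysprep fixed it. The SID values and the user RID 1105 are constructed for the example.

```python
import re
from typing import Dict, Optional

# Machine SIDs and domain SIDs share the S-1-5-21-<a>-<b>-<c> shape.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Well-known RIDs that exist in every local SAM and in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def account_sid(authority_sid: str, rid: int) -> str:
    """An account SID is the issuing machine's or domain's SID plus a RID."""
    if not SID_RE.match(authority_sid):
        raise ValueError(f"not a machine/domain SID: {authority_sid}")
    return f"{authority_sid}-{rid}"


def resolve(sid: str, member_machine_sid: str, domain_sid: str,
            domain_users: Dict[int, str]) -> Optional[str]:
    """Model of how a member server turns a SID into a name.

    LSA routes the lookup by the SID's prefix: a prefix equal to the member's
    own machine SID is answered from the local SAM only (the DC is never asked);
    a prefix equal to the domain SID is sent to the DC. The order matters when
    both prefixes are identical, which is exactly the un-sysprepped clone.
    """
    prefix, rid_text = sid.rsplit("-", 1)
    rid = int(rid_text)
    if prefix == member_machine_sid:
        name = WELL_KNOWN_RIDS.get(rid)
        return f"LOCAL\\{name}" if name else None
    if prefix == domain_sid:
        name = domain_users.get(rid)
        return f"DOMAIN\\{name}" if name else None
    return None


def clone_scenario(member_machine_sid: str) -> Dict[str, Optional[str]]:
    """Replays the post: clone 1 of the image is promoted to the first DC, so the
    domain SID *is* the image's machine SID. Clone 2 joins with the SID given."""
    image_sid = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value
    domain_sid = image_sid  # the first DC's machine SID becomes the domain SID
    domain_users = {500: "Administrator", 1105: "alice"}  # RID 1105 is constructed
    return {
        "domain_admin": resolve(account_sid(domain_sid, 500), member_machine_sid, domain_sid, domain_users),
        "domain_user": resolve(account_sid(domain_sid, 1105), member_machine_sid, domain_sid, domain_users),
    }


if __name__ == "__main__":
    print("clone, no sysprep:", clone_scenario("S-1-5-21-1111111111-2222222222-3333333333"))
    print("after sysprep:    ", clone_scenario("S-1-5-21-4444444444-5555555555-6666666666"))
```

On the un-sysprepped clone the domain Administrator SID resolves to the local Administrator and an ordinary domain user does not resolve at all, which is the kind of oddity shown in the first screenshot; with a fresh machine SID both resolve against the domain.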

  2. Pingback: Derrick
