Sunday, March 1, 2015

Windows Machine SIDS DO MATTER!!!

As you may already know, the tool NewSID was retired some time ago on the grounds that the idea that machine SIDs matter was a "myth" and no longer applies to more recent releases of Windows.

Sadly, this is not a "myth" at all, and those who think otherwise are greatly mistaken, as is evidenced by the Windows OS itself!!!

I heavily use VMWare Virtual Machines for my development and therefore copying and pasting VMs over and over again is a common operation I perform frequently.

As you can probably guess, copying and pasting the same VM over and over again retains the original SID of the VM if you have not run sysprep on the machine before creating the template VM.

You can verify this for yourself by running the PsGetSid Utility that is part of the SysInternals Suite: https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

In any case, I attempted to create one machine as a domain controller and a subsequent VM as a member server.  When I then attempted to join the member server to the domain, I received the following error message:


If you read the linked article, http://support.microsoft.com/kb/816099, even though it refers to Windows Server 2003, it definitely indicates that duplicate SIDs cause problems, particularly with Active Directory. Since I was using Windows Server 2012 R2 on both VMs, I assume that this issue still persists even in the latest version of the Windows OS.

The simple solution to this problem, of course, is to run sysprep on the machine (which can be found at C:\Windows\system32\Sysprep\sysprep.exe).

When you run sysprep, you will want to choose the Generalize option:


Choosing this option will generate a new SID for the machine as well as remove any Windows-specific settings such as Windows Activation status.  Therefore, after running sysprep, you will once again have to activate the virtual machine.

Once the machine has been assigned a new SID, you can successfully add the server as a member server to your Active Directory domain!
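A pre-join check for exactly this condition, added here as an example (it is not part of the original post): it reads the candidate member server's machine SID from its built-in RID-500 account and compares it with the domain SID taken from the well-known Domain Admins group. The server name 'MEMBERSRV01' and domain 'CONTOSO' are placeholders, and it assumes you run it from the DC or another domain-joined machine with WinRM/CIM access to the candidate.

```powershell
# Added example, not from the original post. Placeholders: 'MEMBERSRV01', 'CONTOSO'.
# Run from the DC or any domain-joined machine as a domain user; needs WinRM/CIM
# access to the candidate server (which is still in a workgroup at this point).

function Get-MachineSid {
    param([string]$ComputerName, [pscredential]$Credential)
    # A machine SID is the "domain" part of every local account SID; the built-in
    # Administrator (RID 500) always exists, so it is used as the anchor.
    $sessionArgs = @{}
    if ($ComputerName) { $sessionArgs.ComputerName = $ComputerName }
    if ($Credential)   { $sessionArgs.Credential   = $Credential }
    $session = New-CimSession @sessionArgs
    try {
        $admin = Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
                     -Filter 'LocalAccount = TRUE' |
                 Where-Object { $_.SID -match '-500$' } | Select-Object -First 1
    } finally {
        Remove-CimSession $session
    }
    if (-not $admin) { throw "No RID-500 local account found on '$ComputerName'" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier $admin.SID
    return $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    param([string]$DomainNetbiosName)
    # Translate the well-known Domain Admins group (RID 512) and strip the RID.
    $acct = New-Object System.Security.Principal.NTAccount("$DomainNetbiosName\Domain Admins")
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    return $sid.AccountDomainSid.Value
}

function Test-SidCollision {
    param([string]$CandidateServer, [string]$DomainNetbiosName, [pscredential]$Credential)
    $machineSid = Get-MachineSid -ComputerName $CandidateServer -Credential $Credential
    $domainSid  = Get-DomainSid  -DomainNetbiosName $DomainNetbiosName
    [pscustomobject]@{
        CandidateServer = $CandidateServer
        MachineSid      = $machineSid
        DomainSid       = $domainSid
        Collision       = ($machineSid -eq $domainSid)
    }
}

$result = Test-SidCollision -CandidateServer 'MEMBERSRV01' -DomainNetbiosName 'CONTOSO' `
              -Credential (Get-Credential -Message 'Local admin on MEMBERSRV01')
$result | Format-List
if ($result.Collision) {
    Write-Warning "Machine SID equals the domain SID; run sysprep /generalize on $($result.CandidateServer) before joining."
}
```

A Collision of True means the clone still carries the SID the original DC was promoted from, which is the duplicate-SID case the KB article describes; after sysprep with Generalize the two values differ.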
