Friday, March 4, 2011

SID duplication doesn't matter?!

I have just come across a TechNet blog post declaring that machine SID duplication doesn't matter, especially in a domain environment, where other machines see a computer's domain account SID rather than its local machine SID. That domain account SID is issued by the domain and regenerated whenever a computer leaves and re-joins the domain, which is exactly what happens when a cloned image is joined. For years, we were taught to use Sysprep or NewSID to generate a new SID for every cloned image.

"I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that - with one exception - Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID."

Nevertheless, the blog concluded that Sysprep is still required under Microsoft's support policy:

"Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep"

I would take this with a pinch of salt, as I did experience strange problems in the past from having duplicated SIDs. Or rather, I would interpret the statement this way: even though SID duplication per se may not cause problems, unpredictable outcomes may still occur, as other machine-specific state is not reset. SID duplication is an indicator that this has happened.
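As an added example (not code from this post or from the TechNet article it quotes), the script below inventories the identifiers discussed above on one Windows host so that cloned machines can be compared: the local machine SID (derived from the built-in Administrator's SID, RID 500), the computer account's domain SID (the one other hosts actually see), and the WSUS client ID, which is one piece of the "other machine-specific state" Sysprep resets and a raw clone does not. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, that the RID 500 account still exists, that LSA resolves the unqualified `COMPUTERNAME$` name against the primary domain on a domain-joined host, and the host names `clone01`/`clone02` in the usage comment are placeholders.

```powershell
# Added example, not from the original post or the TechNet article it quotes.
# Assumptions: Windows PowerShell 5.1+ (Get-LocalUser, Get-CimInstance available),
# built-in Administrator (RID 500) present, host domain-joined for the domain SID.

function Get-MachineSid {
    # The machine SID is the prefix shared by every local account; the built-in
    # Administrator always carries RID 500, so strip that trailing RID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
    return ($admin.SID.Value -replace '-500$', '')
}

function Get-ComputerDomainSid {
    # The computer account's SID is issued by the domain at join time, so a
    # leave/re-join produces a fresh one even when the machine SID is cloned.
    # Assumption: LSA resolves the unqualified "COMPUTERNAME$" against the primary domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return $null }
    $account = New-Object System.Security.Principal.NTAccount("$($env:COMPUTERNAME)$")
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-WsusClientId {
    # WSUS tracks clients by SusClientId; two clones sharing it collide on the server.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['SusClientId']) { return $props.SusClientId }
    return $null
}

function Get-HostIdentity {
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = Get-MachineSid
        DomainSid    = Get-ComputerDomainSid
        WsusClientId = Get-WsusClientId
    }
}

function Find-DuplicateIdentity {
    # Takes Get-HostIdentity results from several hosts and reports any value
    # shared by more than one of them, per field.
    param([Parameter(Mandatory)][object[]]$Identities)
    foreach ($field in 'MachineSid', 'DomainSid', 'WsusClientId') {
        $Identities |
            Where-Object { $_.$field } |
            Group-Object -Property $field |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Field = $field
                    Value = $_.Name
                    Hosts = ($_.Group.ComputerName -join ', ')
                }
            }
    }
}

# Running the script directly emits this host's identifiers. To compare clones
# (placeholder host names), run the whole file remotely and feed the results back:
#   $ids = Invoke-Command -ComputerName clone01, clone02 -FilePath .\Get-HostIdentity.ps1
#   Find-DuplicateIdentity -Identities $ids
Get-HostIdentity
```

On a fleet of unsyspreped clones, expect `MachineSid` and often `WsusClientId` to show up as duplicates while `DomainSid` differs for every host that was joined separately; that split is the practical form of the article's point, and the `WsusClientId` duplicate is the kind of non-SID state the quoted support note is about.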
