VMware Cloud Community
HendersonD
Hot Shot

Three VMs with same SID, what to do?

I deployed three Win2008 R2 VMs from the same template and made the mistake of not using customization to change the SID. I have verified using PsGetsid that all three have the same SID. These three VMs are my domain controllers/DNS/DHCP. I found this article on how to use sysprep to change SIDs on a Windows 2008 R2 server:

http://tiny.cc/c57y3

Two questions:

1. Am I going to run into problems in having all three of my DCs/DNS/DHCP servers with the same SID?

2. Can I use the method shown in the above article to change the SID on two of these servers? One of these DCs holds all the roles, so I would change it on the other two. I am gun-shy about messing around with these machines considering their importance.

10 Replies
ab_lal
Enthusiast

If you have VMware vCenter Converter, then try the option "Configure Machine" (make sure the VM is powered off).

Go through the normal steps...

In Advanced options

Select Guest preferences for the virtual machine

Click next

Select generate new SID.

Once this conversion is completed, power on the server and it should run sysprep automatically.

HendersonD
Hot Shot

The big question becomes: will this work fine on a DC/DNS/DHCP server without causing problems? I am debating whether to open a ticket with either VMware or Microsoft on this issue and see what they say.

This blog argues that changing the SID is not even necessary:

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Of course, many people who chimed in on this blog disagreed.

ab_lal
Enthusiast

It works for us.

Shawn84
Enthusiast

Here's an article that tells you how to change the SID on Windows 2008 R2.

http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-...

For Windows 2008, you can use the free tool NewSID.

HendersonD
Hot Shot

NewSID will not work on 2008 R2.

Shawn84
Enthusiast

http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-...

Here's the beginning of this article:

In the last post I described how to check the SID on Windows 7 and Windows Server 2008 R2; today I’ll describe how to change the SID on Windows Server 2008 R2 and Windows 7 using sysprep. I see many of you are looking for how to change the SID using NewSID, but NewSID is not officially supported by Microsoft. You could use NewSID on Windows Server 2008, but when you try to use it on Windows Server 2008 R2 it won’t work; actually, it will “destroy” the operating system. I didn’t test it on Windows 7, but still my advice is to use sysprep. Changing the SID using sysprep is also very simple, just follow the few steps described below…

I tested sysprep on Windows Server 2008 R2 Datacenter edition, but the same steps apply to Windows 7 also.

...................

Good Luck

joshp
Enthusiast

Issues with SID duplication are a myth. Mark Russinovich (the maker of the famous NewSID utility and a Microsoft Technical Fellow) has debunked the myth of duplicate SIDs. As a result, Microsoft has removed the NewSID utility from the Sysinternals toolset.

Explained in detail here:

You will not have a problem.




VCP 3, 4 www.vstable.com
ab_lal
Enthusiast

Hey Shawn - thanks for the documentation

HendersonD
Hot Shot

When I brought up my three DCs I used the same Win2008 R2 template that had not been sysprepped, and I did not use customizations during deployment to change the SID. I have read the article about the myth of SID duplication but did run into two issues I wanted to point out.

1. With Win2008 R2 DCs, there is a nice feature called Active Directory Best Practices Analyzer. When I ran it, this message came up:

The Active Directory Domain Services (AD DS) server role on the domain controller WinDC01.VCS.local is installed on a virtual machine

It then refers me to this KB article:

http://technet.microsoft.com/en-us/library/dd723681%28WS.10%29.aspx

This knowledge base article lists 8 different things that a VM should comply with in order to follow best practice as a domain controller. After reading this article, the only one that caught my eye was the one about using sysprep.

2. Using sysprep changes the SID but it apparently does other things as well. In fact, my guess is that changing the SID is the least important thing that sysprep does. We are using KMS activation in our domain. My first DC is my KMS host so it gets activated by talking to Microsoft directly. My other two DCs will not activate because they have the same CMID. This blog explains it all:

I will be going back and sysprepping my Win2008 R2 template, bringing up two more servers based on this template, doing the necessary work to turn these into DC/DNS/DHCP servers, and retiring the other ones.

I think the bottom line is, having duplicate SIDs on a machine is not a problem, but in my case not using sysprep to prepare these servers is causing issues. Sysprep will change the SID but will also do away with the problems I described above.

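Added example (not part of the original thread): a PowerShell check for the duplicate-CMID condition described in the post above, which is what prevents cloned, un-sysprepped machines from activating against a KMS host. WinDC01 is the name from the thread; WinDC02 and WinDC03 are hypothetical placeholders, and the script assumes remote WMI access to each host.

```powershell
# Added example: find cloned Windows hosts that share a KMS Client Machine ID (CMID).
# WinDC01 is named in the thread; WinDC02 and WinDC03 are hypothetical placeholders.
$Computers = 'WinDC01', 'WinDC02', 'WinDC03'

$results = foreach ($name in $Computers) {
    try {
        # SoftwareLicensingService exposes the CMID that the KMS host uses to count clients.
        $sls = Get-WmiObject -Class SoftwareLicensingService -ComputerName $name -ErrorAction Stop
        New-Object PSObject -Property @{
            Computer = $name
            CMID     = $sls.ClientMachineID
            Error    = $null
        }
    }
    catch {
        # Keep unreachable hosts in the result set so they are reported, not silently skipped.
        New-Object PSObject -Property @{
            Computer = $name
            CMID     = $null
            Error    = $_.Exception.Message
        }
    }
}

# Report hosts that could not be queried.
$results | Where-Object { $_.Error } | ForEach-Object {
    Write-Warning ("{0}: query failed: {1}" -f $_.Computer, $_.Error)
}

# Group the hosts that answered by CMID; any group larger than one is a clone collision.
$duplicates = $results |
    Where-Object { $_.CMID } |
    Group-Object -Property CMID |
    Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        $hosts = ($group.Group | ForEach-Object { $_.Computer }) -join ', '
        Write-Output ("Duplicate CMID {0} shared by: {1}" -f $group.Name, $hosts)
    }
}
else {
    Write-Output 'No duplicate CMIDs among the hosts that answered.'
}
```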
pvpramodreddy
Contributor

Hello All,

I know this is an old post. However, I just want to clarify for anyone who requires clarification on SIDs in the future.

Having the same SID for multiple VMs will create issues. I am saying this from experience, and below are some examples.

1. There will be backup issues if backups are configured at VM level, as the VMTools service on the cloned VMs will stop responding as it conflicts with the original VM SID.

2. If you keep them on the same network and AD, cloned VMs will replace the original in the AD server list, causing you ample issues.

3. The VM Tools service on cloned VMs keeps going into a Not Responding state, and this might impact any other application based on this service.

If anyone says same-SID issues are a myth, they might not have worked on this scenario at all. Hope this helps.

Pramod