5 domain controllers have the same SID

mingram27
Recently at my company we did a migration from NT --> AD 2003 Native at the
forest level. I am not experiencing replication issues. However, the problem
(or is this really a problem) is that all five of my domain controllers have
the same SID!

- what problem could this cause
- how is this possible anyway
- would this require rebuilding all servers

Can someone please explain to me why this is possible, because I am
wondering if I am experiencing issues that I am unaware of. Please advise...

    Andrew Martin

    Did you ghost the servers?

    When you SYSPREP'd the master box, prior to pulling your master image, did you have Sysprep recreate the SID for the slave images?

    It normally does this during the computer's first boot after pushing the image. If you did not have Sysprep do this then you are going to have to get a SID changing utility.

    The safest option is: http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx (This is Mark Russinovich's old Sysinternals.com site ported to MS now that they bought him out.)

    Otherwise learn the mistake for the next time you do this and change the SID through SYSPREP just prior to pulling your master image. Info: http://technet2.microsoft.com/WindowsServer/en/library/ea2bd8a6-6b68-425d-8cf4-ff517a3dae171033.mspx?mfr=true

    This is exhaustive but the only sure way I know how to get this right is to read it through.

    Hope this is of some assistance.

    I generally do not sysprep servers as Domain controllers. I prefer to build and promote them myself so that I have an image that can be used for a member server or a domain controller. Much more efficient this way.

    I have never had a server install fail this way either.

    rkuhn

    Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SIDs based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

    Another instance where duplicate SIDs can cause problems is where there is removable media formatted with NTFS, and local account security attributes are applied to files and directories. If such media is moved to a different computer that has the same SID, then local accounts that otherwise would not be able to access the files might be able to if their account IDs happened to match those in the security attributes. This is not possible if computers have different SIDs.

    Moktaromarreyani

    I replaced one Exchange server with a new server using a full image of the old server, so when I put the old Exchange server back on my network it is seizing all the roles of the running machine. Why is this happening?

    TonytheTiger

    All domain controllers in the same domain are supposed to have the same SID! If you'd have checked the SIDs of your NT4 Primary and Backup Domain controllers, you'd have discovered that they also match.

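The two cases the replies above distinguish, as an added example that is not part of any post in the thread: an inventory check that treats a SID shared only by domain controllers as expected, flags cloned non-DC machines, and shows how local accounts on those clones end up with identical SIDs. The SID values, host names, account names and inventory layout are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample values, not taken from the thread.
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
CLONE_SID = "S-1-5-21-2000000001-2000000002-2000000003"
UNIQUE_SID = "S-1-5-21-3000000001-3000000002-3000000003"

HOSTS = [  # hypothetical inventory: role, machine SID, local user -> RID
    {"name": "DC1", "role": "dc", "machine_sid": DOMAIN_SID, "local": {}},
    {"name": "DC2", "role": "dc", "machine_sid": DOMAIN_SID, "local": {}},
    {"name": "WS-A", "role": "workgroup", "machine_sid": CLONE_SID, "local": {"alice": 1001}},
    {"name": "WS-B", "role": "workgroup", "machine_sid": CLONE_SID, "local": {"bob": 1001}},
    {"name": "WS-C", "role": "workgroup", "machine_sid": UNIQUE_SID, "local": {"carol": 1001}},
]

def split_sid(sid):
    """Split an account SID into (issuing machine or domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def shared_machine_sids(hosts):
    """Machine SIDs held by more than one host, ignoring groups made up only of DCs."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["machine_sid"]].append(h)
    return {
        sid: sorted(h["name"] for h in members)
        for sid, members in groups.items()
        if len(members) > 1 and any(h["role"] != "dc" for h in members)
    }

def colliding_local_accounts(hosts):
    """Local account SIDs (machine SID + RID) that name different users on different hosts."""
    owners = defaultdict(list)
    for h in hosts:
        for user, rid in h["local"].items():
            owners[f'{h["machine_sid"]}-{rid}'].append((h["name"], user))
    return {sid: who for sid, who in owners.items() if len(who) > 1}

if __name__ == "__main__":
    for sid, names in shared_machine_sids(HOSTS).items():
        print("cloned machine SID", sid, "on", names)
    for sid, who in colliding_local_accounts(HOSTS).items():
        issuer, rid = split_sid(sid)
        print(f"an ACE for RID {rid} under {issuer} matches all of {who}")
```

An NTFS permission granted to the colliding SID on one clone applies to whichever local account holds that SID on the other, which is the removable-media case described in the thread.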