What are the implications of duplicate SID's on a Windows Server 2003 network?
March 24, 2009 9:30 AM
What are the implications of having duplicate SID numbers on a Windows Server 2003 network?
I have just recently discovered that we have a number of virtual machines running on our network that have duplicate SID numbers, because they were cloned from the same master images which were not prepared with sysprep. Geh. Linux-specialist-coworker-who-also-reads-AskMe, I curse at thee!
There are three "sets" of matched SIDs, each containing several machines running XP, Server 2003 and Server 2000. Most terrifyingly, the Server 2003 group contains all of our domain controllers. All the images are running on Xen.
Alright, so I gather this is not a great situation. What I would like to do is to just run NewSID on each machine in turn and then do some rolling restarts. However, I'm not sure if there are any further problems that I need to address. So, prevalent questions:
1) What are the implications of having this set up? What are the implications of using NewSID?
2) Will file or system permissions be affected somehow by changing the SID? The Windows 2000 machines are hosting a legacy application that is called by one of our websites. Some of the XP machines are hosting SQL Server 2005 Express instances. The 2003 group machines are all DCs, including all the FSMO roles and global catalog. They are all pretty important machines and need to keep running as normal.
3) How bad is this? Can I afford to space out my changes or is it important that I push to get this done quickly? Since these are production machines, slow and lots of research is my preferred plan when making changes like this.
Thanks, your advice is appreciated.
If these weren't domain controllers I would say change the SID and make a new computer account for them in AD, but they are AD. Perhaps the best thing to do would be to make new domain controllers, replicate, transfer FSMO roles, and retire/wipe those servers.
How bad is this?
There's a difference between the SID and the domain SID. The domain SID is set by the domain at the time of joining or creating the domain. So it may be that AD ignores the local SID. In that case I would just leave them alone. Although you may want to ask on a windows server specific forum like the MS forums, experts exchange, tektips, etc.
From the wikipedia:
When it comes to "Domain SID", the Domain SID is recomputed each time a computer enters a domain. Thus, all the "post-cloning operations" that are based on "leave the domain and then rejoin the domain" will actually cause a re-creation of the Domain SID for the computer that joins the domain.
In other words, duplicated SIDs are usually not a problem with Microsoft Windows systems.
posted by damn dirty ape at 10:42 AM on March 24, 2009
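As an added example (not code from the thread or from any of the posters), here is a PowerShell inventory check for the situation described above: it reads each host's local machine SID (the prefix shared by every local account SID on that host) and flags hosts that share one, and separately reads the computer account's SID from AD to show it is a different value issued at join time. The host names are placeholders, and the WMI queries assume admin rights on each host.

```powershell
# Added example: find cloned hosts that share a local machine SID.
# Hypothetical host list; replace with your own inventory.
$hosts = @('xen-dc01', 'xen-dc02', 'xen-xp01')

function Get-MachineSid {
    param([string]$ComputerName)
    # Every local account SID is <machine SID>-<RID>. The built-in Administrator
    # always has RID 500 (even if renamed), so strip that RID to get the machine SID.
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                -Filter "LocalAccount=True AND SID LIKE '%-500'" -ErrorAction Stop
    if (-not $acct) { throw "no local Administrator account found on $ComputerName" }
    return ($acct.SID -replace '-\d+$', '')
}

function Get-DomainComputerSid {
    param([string]$ComputerName)
    # The computer account's SID is stored in AD and issued by the domain when the
    # machine joins; it is independent of the local machine SID read above.
    $filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "no computer account for $ComputerName" }
    $bytes = $entry.Properties['objectsid'][0]
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

$results = foreach ($h in $hosts) {
    try {
        New-Object PSObject -Property @{
            Host       = $h
            MachineSid = (Get-MachineSid $h)
            DomainSid  = (Get-DomainComputerSid $h)
        }
    } catch {
        Write-Warning "$h : $($_.Exception.Message)"
    }
}

# Print every host so the two SIDs can be compared side by side.
$results | Format-Table Host, MachineSid, DomainSid -AutoSize

# Any machine SID shared by more than one host marks a cloned set.
$results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Host }) -join ', '
    "Duplicate machine SID $($_.Name) on: $names"
}
```

The domain SIDs will all differ even where the machine SIDs collide, which is the distinction the answer above relies on.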
SID on a domain
Highlights some interesting points.
posted by moochoo at 10:33 AM on March 24, 2009