The SID Myth

Note: Ignore everything below. Others have said, and I've confirmed first-hand, that unique SIDs are required. You cannot clone machines with the same SID and join them to a domain controller that was also created from the same base clone. They must be re-SIDed. Since the NewSID utility isn't officially available or supported anymore, sysprep is required to give a clone a new SID.

However, there is some truth to the finding about the SIDs. They aren't as necessary as they were once thought to be, and for some situations it's OK to clone without re-SIDing. However, to be completely safe, it's best to re-SID each of your new images.

Original blog post follows:

Amazing!

Admins, myself included, have worried about the machine SID for years and years. Back then it was Ghost imaging; now it's virtualization. We made sure to generate a new SID after creating servers from a server image.

It turns out that this has been a non-issue all this time, a non-issue that everyone, Microsoft, Mark Russinovich and administrators all over, bought into for over a dozen years.

A few weeks back I heard a rumor that Mark Russinovich was going to retire NewSID. I figured it was because there were just too many SID references to keep track of and he wasn't going to maintain that tool forever. It turns out that it's for a completely different reason.

The machine SID does not have to be unique for security reasons, and Microsoft applications don't depend on it being unique. Mark's blog post here covers all of the details:

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

However, it's important to note the difference between machine SIDs and domain SIDs: domain accounts are issued under the domain SID, not the machine SID of the member they log on to. Additionally, cloned machines must still have different computer names, and the domain controllers themselves can't have the same machine SID as any member servers.
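The distinction above (machine SID versus domain SID) and the note at the top of the page about re-SIDing clones with sysprep are easier to reason about when you can actually see the SIDs. The PowerShell below is an added example; it is not code from the original post or from Mark Russinovich's article. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the built-in LocalAccounts module (Get-LocalUser), and, for the cross-clone check, WinRM access to the hosts you name. The host names 'clone01', 'clone02', 'clone03' are placeholders.

```powershell
# Added example, not code from the original post or from Mark Russinovich's article.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows with the built-in
# Microsoft.PowerShell.LocalAccounts module; Find-DuplicateMachineSid also assumes
# WinRM access to the hosts passed in. Host names used below are placeholders.

function Get-MachineSid {
    # The machine SID is not stored as a single queryable value; it is the
    # S-1-5-21-<a>-<b>-<c> prefix shared by every local account. The built-in
    # Administrator account keeps RID 500 even when renamed, so the prefix
    # (AccountDomainSid) of its SID is the machine SID.
    # Note: member servers and workstations only; a domain controller has no
    # local SAM accounts to enumerate with Get-LocalUser.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
    return $admin.SID.AccountDomainSid.Value
}

function Get-DomainSid {
    # Domain SID of the domain this computer is joined to, read from the domain
    # object's objectSid over ADSI, so the RSAT ActiveDirectory module is not
    # required. Throws if the host is not domain-joined or the domain is unreachable.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $bytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Get-CurrentUserSidPrefix {
    # The prefix of the logged-on user's SID identifies the authority that issued
    # it: the machine SID for a local account, the domain SID for a domain account.
    # A domain account never carries the machine SID of the member it logs on to.
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    return $user.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    # Collect machine SIDs from a set of (cloned) member servers over WinRM and
    # report every SID that more than one host reports.
    param([Parameter(Mandatory)][string[]] $ComputerName)

    $sidByHost = @{}
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-MachineSid} |
        ForEach-Object { $sidByHost[$_.PSComputerName] = [string]$_ }

    $sidByHost.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = ($_.Group.Key | Sort-Object) -join ', '
            }
        }
}

# --- Local summary: which SID is which on this box ---
$machineSid = Get-MachineSid
Write-Host "Machine SID       : $machineSid"

try {
    $domainSid = Get-DomainSid
    Write-Host "Domain SID        : $domainSid"
} catch {
    $domainSid = $null
    Write-Host "Domain SID        : (not domain-joined: $($_.Exception.Message))"
}

$userPrefix = Get-CurrentUserSidPrefix
if ($userPrefix -eq $machineSid) {
    Write-Host 'Logged-on account : local account (SID prefix is the machine SID)'
} elseif ($domainSid -and $userPrefix -eq $domainSid) {
    Write-Host 'Logged-on account : domain account (SID prefix is the domain SID)'
} else {
    Write-Host "Logged-on account : issued by another authority ($userPrefix)"
}

# --- Cross-clone check (placeholder host names; requires WinRM) ---
# Find-DuplicateMachineSid -ComputerName 'clone01', 'clone02', 'clone03'

# If duplicates turn up and you want the clones re-SIDed, generalize each one
# with sysprep; this also resets the other per-machine state that tools such
# as WSUS depend on, which NewSID never touched:
# & "$env:WINDIR\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
```

Run the local summary on a domain-joined member while logged on as a domain user and the three values make the point concretely: the machine SID and the domain SID are unrelated prefixes, and your own account's SID is built on the domain SID, so two members sharing a machine SID do not collide on domain identities. The one case the post does flag, a domain controller sharing its machine SID with members, is exactly what the duplicate check is for: run it across the clone set before any of them is promoted.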

I am watching this thread with interest because situations do arise where people run into issues with WSUS and other tools and generating a new SID resolves them. However, Mark's comments suggest that it's related to the domain SID, or to the domain controller having the same SID as the members.

If, after some burn-in time, this is confirmed to be the case, it will save a lot of the work that administrators spend considerable time worrying about . . . apparently needlessly.

Read the post; it covers the topic in great detail.

2 Comments

  • I have heard about SID duplication. Is that what you are talking about? I may have missed something, but aren't you essentially saying that machine SIDs are useless?

  • Rr4, the SIDs are necessary, but they don't need to be unique between machines as so many people previously thought.

    However, that's not saying that sysprep isn't essential. There is other cleanup that sysprep handles that needs to be performed for many situations.