SID Conflict with clone vm's

    Question

  • Scenario to ponder:

    1. happy webserver production VM

    2. sysadmin makes copy of happy webserver production VM

    3. sysadmin creates new VM, for a development environment, using happy webserver production VHD (in Hyper-V)

    4. before powering on new dev VM, sysadmin turns off network access

    5. sysadmin powers on new VM, changes IP, changes computer name

    6. checks DNS to verify new registration, enables NIC

    7. sysadmin happy to log in to production and development boxes

    8. production VM in DMZ, dev VM in local internal network

    9. sysadmin goes to bed

    10. sysadmin wakes up to find this message upon attempted RDP to prod VM:

    • "The security database on the server does not have a computer account for this workstation trust relationship."

    11. happy production webserver VM no longer happy... however it keeps serving out our sites. That is good.

    12. sysadmin able to log in to prod VM with local admin account

    13. took new dev VM out of the domain and ran security configuration wizard on dev VM in an attempt to resolve the SID issue.

    14. sysadmin powered down the dev VM... stuck...

    15. anyone out there willing to hold my hand on this?

    16. it was so seamless, until I went to bed!

    Friday, April 01, 2011 4:17 PM

Answers

  • When cloning Windows Servers and there is ANY way for them to talk to / see each other over the network, the recommendation has always been to run sysprep on the clone - sysprep generates the unique SIDs and GUIDs and forces the rename.

    At the very least you need to use NewSID.

    The second problem comes if sysprep / NewSID is not done and the machine is domain joined - then you begin borking up AD, as there are two machines trying to use the same AD machine account. It is all fine until the password is changed on the account and only one of the two machines knows it. Then the unknowing machine is slowly denied access across the domain.

    And - I notice that in your instructions - step 5 - is this a manual DNS registration? Because if it is an automatic DNS registration then there should not have been a registration until after step 6 when the NIC is enabled.

    Also - the problem with NewSID / sysprep is that it breaks certificates. It invalidates the private key, thus breaking anything that is installed before sysprep that uses it - sysprep breaking ASP.NET on IIS is a really old symptom.

    IMHO - the absolute best way to prevent these two from seeing each other is to isolate the dev box, on its own subnet. If it is development, the production and dev should not both be talking to a live backend anyway.

    Simple manual subnet and IP configuration on all users of the dev system solves the problem. This achieves physical isolation through creation of a different IP subnet. Just don't let the two IIS boxes know about the other subnet.

    Let's see what other folks say as well.

    Brian Ehlert (hopefully you have found this useful) http://ITProctology.blogspot.com
    Friday, April 01, 2011 5:05 PM
    Moderator
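A defender's check for the situation described in the reply above, added here as an example and not code from the thread: it compares the machine SID of the production VM with that of its clone (a clone that was never sysprepped will carry the same one) and then tests the domain secure channel on each box to see which side still holds a valid machine-account password. The names `prodweb` and `devweb` are placeholders; the script assumes admin rights and WMI / PowerShell remoting access to both VMs.

```powershell
# Added example, not from the thread. Placeholders: replace with your hosts.
$prod = 'prodweb'
$dev  = 'devweb'

function Get-MachineSid {
    param([string]$ComputerName)
    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator always has RID 500, so stripping "-500" from its SID
    # leaves the machine SID itself. LocalAccount=True keeps WMI from
    # enumerating the whole domain on a domain-joined box.
    $admin = Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
    if (-not $admin) { throw "No local Administrator SID found on $ComputerName" }
    return ($admin.SID -replace '-500$', '')
}

$prodSid = Get-MachineSid $prod
$devSid  = Get-MachineSid $dev
"{0,-10} machine SID: {1}" -f $prod, $prodSid
"{0,-10} machine SID: {1}" -f $dev,  $devSid

if ($prodSid -eq $devSid) {
    Write-Warning "Duplicate machine SID: the clone was never sysprepped (or NewSID'd)."
} else {
    "Machine SIDs differ; the SID itself is not the cause of the trust failure."
}

# Test the secure channel from each box's own point of view. The VM that
# reports $false is the one whose copy of the machine-account password is
# stale, i.e. the 'unknowing machine' in the reply above.
foreach ($c in @($prod, $dev)) {
    try {
        $ok = Invoke-Command -ComputerName $c -ScriptBlock { Test-ComputerSecureChannel }
        "{0,-10} secure channel: {1}" -f $c, $(if ($ok) { 'OK' } else { 'BROKEN' })
    } catch {
        # Kerberos to a box with a broken trust can itself fail; run the
        # test locally there with the local admin account instead.
        "{0,-10} secure channel: could not test remotely ({1})" -f $c, $_.Exception.Message
    }
}

# Repair, run locally on the VM that lost the trust, as a domain admin:
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
# or, to force a fresh machine-account password against a specific DC:
#   Reset-ComputerMachinePassword -Server 'dc01' -Credential (Get-Credential)
```

The repair only makes sense once the clone is off the domain (or sysprepped and joined under its own account); otherwise the two VMs keep overwriting the same machine-account password and the trust will break again.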
  • Hi,

    Please check the following blog.

    Using Differencing Disk and Sysprep Image to Create Hyper-V Guest on Windows Server 2008 R2 By Dan Stolts

    http://blogs.technet.com/b/danstolts/archive/2011/01/13/using-differencing-disk-and-sysprep-image-to-create-hyper-v-guest-on-windows-server-2008-r2-by-dan-stolts.aspx

    Best Regards,

    Vincent Hu

    Sunday, April 03, 2011 4:01 PM
    Moderator

All replies

  • Hi,

    Have you tried the suggestion? I want to see if the information provided was helpful. Your feedback is very useful for the further research. Please feel free to let me know if you have additional questions.

    Best regards,

    Vincent Hu

    Wednesday, April 06, 2011 7:27 AM
    Moderator