Nolan Mason

asked on

Cloned Laptops - LONG domain login

We have 15 identical Dell laptops running Windows XP Pro SP2 with all the updates.  I set up the first one exactly the way we want it and then cloned that laptop's hard drive image to all the others.

I joined 5 of the laptops to our Windows Server 2003 domain and found that it takes 10-15 minutes to log in when using a domain user account, but logins are fast when logging in locally.

I did some research and learned that identical SIDs on each laptop might be the issue, so I found a utility called NewSID at:
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

I removed one laptop from the domain and used NewSID to give it a new random SID.  I then rejoined it to the domain, rebooted, and it logged in fast!

I thought for sure that I had found the fix, so I removed all the laptops from the domain (including the fixed one for some ridiculous reason), gave them all new random SIDs, and rejoined them to the domain.  Much to my dismay, they were all back to the old problem of taking 10-15 minutes to log in on any domain user account (even a domain admin).

Any suggestions?
Thanks in advance!
WP
Lee W, MVP

With that many laptops, I would suggest you do it through a supported Microsoft method - reinstall ONE system, then run Sysprep when you're ready to image them.  This will reset all security information and allow you to properly reconnect them to the domain with no SID issues.
Imaged or cloned computers may take a long time to boot up because they may duplicate the SID of an old computer and put it in Active Directory. The metadata of a cloned computer may remain in AD and cause authentication problems.

I believe removal of that metadata from Active Directory is much like removing an improperly demoted AD domain controller. The difference is, you can get a list of clients and make sure the SID didn't duplicate.

Let me see if I can find the errors associated with this and put you on track to resolving this issue:

Here is an example of the problems cloned computers can cause:
http://www.wsus.info/forums/index.php?showtopic=9312&pid=34802&mode=threaded&start=
LeeW snuck one in there. Sounds like Lee has been there before and has you covered.
Funny thing, I've actually JUST got 5 new IBM PCs to install at a client (new to us, used with preinstalled copies of XP - all imaged).  So this was essentially my plan.  Install one, sysprep it, image it, be done with it.
Within the article provided above: (Identifying and resolving similar AD SIDs)
http://www.wsus.info/forums/index.php?showtopic=9312&pid=34802&mode=threaded&start=

"Want to figure out which computers have duplicate SIDs?
Use psGetSID from Sysinternals: http://www.microsoft.com/technet/sysintern...s/psgetsid.mspx - You can run this against all computers in your domain to discover who has a duplicate SID.

You should really then run NewSID from Sysinternals on any of the duplicate computers to resolve any potential issues in the future (not to mention the security issues involved with having duplicate SIDs on the network): http://www.microsoft.com/technet/sysintern...ies/newsid.mspx"

Note: if you have problems with clients not showing up or periodically disappearing in WSUS, you should also refer back to this article.
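The quoted advice is to run PsGetSid against every computer in the domain and compare the results. The following script is an added example, not code from this thread or from Sysinternals, that automates that sweep: it pulls the computer account names out of Active Directory with an ADSI search (no RSAT module needed, so it works on older PowerShell versions), runs psgetsid.exe against each one, and groups the machine SIDs so that any SID reported by more than one computer is listed. It assumes psgetsid.exe is on the PATH and that the account running it can query each workstation remotely; those are assumptions, not something the thread states.

```powershell
# Added example (not from the thread): find duplicate machine SIDs across domain computers.
# Assumptions: psgetsid.exe (Sysinternals) is on PATH, the running account can reach
# each workstation remotely, and PowerShell 2.0 or later is available.

# Enumerate computer accounts from Active Directory via ADSI
$searcher = [adsisearcher]'(objectCategory=computer)'
$searcher.PageSize = 500
$null = $searcher.PropertiesToLoad.Add('name')
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

# Map each machine SID to the computers that report it
$bySid = @{}
foreach ($name in $computers) {
    # psgetsid \\computer prints the machine SID (S-1-5-21-...) for that host
    $output = & psgetsid.exe "\\$name" 2>&1 | Out-String
    if ($output -match '(S-1-5-21-\d+-\d+-\d+)') {
        $sid = $Matches[1]
        if (-not $bySid.ContainsKey($sid)) { $bySid[$sid] = @() }
        $bySid[$sid] += $name
    } else {
        # Offline or unreachable hosts are reported rather than silently skipped
        Write-Warning "Could not read machine SID from $name"
    }
}

# Report any SID shared by more than one computer
$duplicates = $bySid.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($duplicates) {
    foreach ($entry in $duplicates) {
        "{0} is shared by: {1}" -f $entry.Key, ($entry.Value -join ', ')
    }
} else {
    'No duplicate machine SIDs found.'
}
```

Hosts that are powered off or unreachable produce a warning instead of a SID, so run the sweep when the laptops are on the network; a computer missing from the output is not evidence that its SID is unique.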
Nolan Mason (ASKER)

Lots of good comments here so far.  I'm most attracted to ChiefIT's suggestion because it's the simplest and I'm burnt out at the moment.

One question I have though...Is it definitely safe to run NewSID on a computer that is a member of the domain without also removing it and rejoining it to the domain?  Without fully understanding it, I just wonder if it could cause a synchronization issue between Active Directory and the computer that had its SID changed.

My concern may be silly, but I figured it's worth asking.

Thanks,
WP
steezy

You should remove it from the domain, run NewSID, then rejoin it.
It's important to note that NewSID is not a supported method.
You have me scratching my head on that one: (GOOD question)

This is a good question how the client syncs to the server. I would imagine requesting a new SID would also reflect the change on the DC.
Oh, thanks Lee and Steezy: (Guess they answered that question)
Silly one.. but double check that the DNS server of the PCs is the DC running DNS.. and not external web DNS.
Is Sysprep a better method than NewSID?
Tks
What software did you use to image the computers with?  If you used Ghost you can use their GhWalk.exe that comes with it.  First remove the PCs from the domain, then reboot the PC and run ghwalk.exe from a DOS boot disk and follow the instructions.
I see in the original request for comments that you demoted the laptops to a workgroup, requested a new SID, and joined the domain again. So, the SIDs may be in order on the machines.

If the program NewSID doesn't sync with the DC, I would think the SIDs may have metadata on the DC.  So, instead of having a single, unique SID per device, you may now have two SIDs per machine.

LeeW pointed out that "NewSID" is not a supported application. Maybe Lee has some good advice on straightening out the SID problem.

Also, since you already requested a new SID and rejoined the domain, maybe the scope of our troubleshooting isn't broad enough. Maybe it is a DNS problem as smckellar83 pointed out. Since these laptops are having the problems, maybe flushing and re-registering their DNS will bring them back.

In either case, it looks like you might have metadata on the DC that needs to be discarded.
Thanks for all the comments!

I tried flushing and re-registering the DNS on one of the laptops, but the problem is still present.

I am now proceeding to try out psGetSID to search for duplicate SIDs in the domain, as well as looking into cleaning out bad metadata.  I will post back later with the results.

Thanks,
WP
Just to clarify:

Metadata, meaning old DNS records and duplicate GUIDs in AD. Since you have created a new SID and rejoined the domain, you might have two GUIDs in AD.
Well everybody, I greatly appreciate all the comments and participation.  After endlessly trying to track this problem down (always in the wrong place), I decided to reload everything fresh on one of the laptops over the weekend.  When I was done, to my astonishment, the problem was still there!

This led me to broaden my perspective for possible causes.  It turns out that an Internet filtering application I installed was blocking far more than its fair share of network communications during the login process.  ContentProtect Professional from ContentWatch was the culprit.
http://www.contentwatch.com/products/contentprotect_pro

Once I uninstalled it, everything cleared up and logins are as fast as they should be.  I will be contacting ContentWatch to either get the issue resolved or try for a refund.

I apologize that I was unable to provide the appropriate information in my question and followup comments to potentially lead us to the solution.

Thanks again everybody!
WP
ASKER CERTIFIED SOLUTION
Computer101