Solved

SID duplicated mystery on a host but not created from an image file ?!?

Posted on 2010-08-15
Last Modified: 2012-05-10
As you may know, when more than one server is using the same SID, it can keep emails from being sent from OWA (Exchange 2010):
http://www.petrikb.com/email-stuck-in-drafts-folder.htm

This is exactly what we've been living with recently.  Both DCs (VM) were using the same SID.  But each Exchange server had a unique SID.

So I demoted a DC.  Then a new VM has been created.  This time Windows 2008 R2 has been installed from the CD, no image, no sysprep, nothing.  I ran DCPROMO.  

But the new server has the same SID!  How come?  It has a different name, it comes from a fresh Windows installation.  I don't get it but maybe someone knows?

However, Exchange is no longer preventing the emails from being sent out.

Thank you
0
Comment
Question by:quadrumane
15 Comments
 
LVL 3

Assisted Solution

by:elpw
elpw earned 200 total points
ID: 33442423
Duplicate SIDs occur when cloning workstations and servers.  You should use a SID changer whenever initializing a new workstation/server from a clone.  NewSID.exe (can search and download free from the internet) is an application that can be used to change the SID on such clones.  In the future you should consider using Sysprep, which automatically generates a new SID.
0
 

Author Comment

by:quadrumane
ID: 33442443
Thanks

But as I said, the new server has not been created from an image or from a cloned vm.  So it shouldn't have the same SID.
0
 
LVL 12

Accepted Solution

by:geowrian
geowrian earned 1800 total points
ID: 33442473
Actually, that information is outdated and no longer correct. NewSID has been retired as it is not necessary. Duplicate machine SIDs should not cause problems. The NewSID program, as well as many other SID changers, have many various issues on Windows Vista, Windows 7, and Server 2008. Read the article here:
http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

The issue is caused by cloning a PC already on the domain. This creates duplicate domain SIDs, which will have many various problems. It is highly recommended to remove the PC from the domain and then use sysprep prior to imaging a system.

As for the duplicate SIDs you are seeing on the DCs, are you referring to the domain SID or the machine SID? The local SID on the DCs should be the same, while the domain SID should be the same as the local SID except for the very end of it which should be unique on the domain (similar to having how RIDs). See here:
http://www.excaliburtech.net/archives/117
0

 

Author Comment

by:quadrumane
ID: 33442483
All servers with the same SID but one have been completely removed.  But I had to keep one (a DC).  Maybe this server is assigning the same SID to all new DCs although the new DC has not been created from an image.
0
 
LVL 12

Assisted Solution

by:geowrian
geowrian earned 1800 total points
ID: 33442491
To restate my above comment:
As part of promoting a PC to a DC, it will change the local SID to match all the other DC's local SID. It should also create a domain SID that is the same as the local SID except with another part appended to it, which should be unique. Having duplicate machine SIDs for all the DCs is normal. Just make sure the domain SIDs are unique.
0
 

Author Comment

by:quadrumane
ID: 33442509
Here is what I got:

The new server (Windows 2008 R2 has been installed, not from an image)
SID for \\S1-DC-002:
S-1-5-21-1977992388-383641019-900119157

the old server (this one has been created from a clone)
SID for \\S2008DC01:
S-1-5-21-1977992388-383641019-900119157

It looks like it is the local SID
0
 
LVL 12

Assisted Solution

by:geowrian
geowrian earned 1800 total points
ID: 33442523
Using psgetsid.exe I'm assuming. I just did the same on my DCs and got the same type of results. All DCs were created from scratch. This is normal.

You can check the domain SID in the attributes of the computer via LDAP tools or Active Directory Users and Groups.
0
 

Author Comment

by:quadrumane
ID: 33442528
But in the attribute in the object editor, the SID is almost the same except for the last 4 digits:

S-1-5-21-1977992388-383641019-900119157-1000

S-1-5-21-1977992388-383641019-900119157-1256
0
 
LVL 12

Expert Comment

by:geowrian
ID: 33442540
That's good & completely normal. That is what you should be what you are seeing.
0
 
LVL 12

Expert Comment

by:geowrian
ID: 33442544
Wow - I need to slow down my typing! I meant to say:

That's good & completely normal. That is what you should be seeing.
0
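
Added example, not part of the original thread: a small Python check that applies the rule discussed above to exported SID strings, treating a shared `S-1-5-21-…` base as expected and flagging only computer accounts whose full SID (base plus RID) is identical. The first sample set uses the two values posted above under hypothetical labels `dc_a` and `dc_b` (the thread does not say which server has which RID); the second set is constructed to show the failure case.

```python
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c>, optionally followed by a relative identifier (RID).
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Return (base_identifier, rid); rid is None when the SID carries no RID."""
    m = SID_RE.match(sid.strip())
    if m is None:
        raise ValueError(f"not an S-1-5-21 machine/domain SID: {sid!r}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", (int(rid) if rid is not None else None)


def audit_account_sids(accounts):
    """accounts maps a computer name to its account SID (the objectSid value).

    A shared base is reported for information only; identical full SIDs
    are the condition that needs fixing.
    """
    by_base = defaultdict(list)
    by_full = defaultdict(list)
    for name, sid in accounts.items():
        base, rid = split_sid(sid)
        if rid is None:
            raise ValueError(f"{name}: expected an account SID with a RID, got {sid}")
        by_base[base].append(name)
        by_full[f"{base}-{rid}"].append(name)
    return {
        "shared_base": {b: sorted(n) for b, n in by_base.items()},
        "duplicate_account_sids": {
            s: sorted(n) for s, n in by_full.items() if len(n) > 1
        },
    }


# Values posted in the thread; the labels dc_a / dc_b are hypothetical.
THREAD_ACCOUNTS = {
    "dc_a": "S-1-5-21-1977992388-383641019-900119157-1000",
    "dc_b": "S-1-5-21-1977992388-383641019-900119157-1256",
}

# Constructed failure case: two machines presenting the same account SID.
CLONED_ACCOUNTS = {
    "pc_original": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "pc_clone": "S-1-5-21-1111111111-2222222222-3333333333-1105",
}

if __name__ == "__main__":
    print(audit_account_sids(THREAD_ACCOUNTS))
    print(audit_account_sids(CLONED_ACCOUNTS))
```
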
 

Author Comment

by:quadrumane
ID: 33442553
Ok I now understand.  I didn't check the local SID before promoting the new server.  So now it has the same local SID but it's normal.

Correct me if I'm wrong
0
 
LVL 12

Expert Comment

by:geowrian
ID: 33442556
That is correct.
0
 

Author Comment

by:quadrumane
ID: 33442557
And me I should refresh my browser ;-)  Ok so all is said, all is normal, all is good

Thank you very much !
0
 
LVL 3

Expert Comment

by:elpw
ID: 33442752
geowrian:  Thanks for the info... shows how long it's been since I've run into this problem.  It has long been common practice not to clone Windows installed drives; as mentioned, a number of years since I've seen the problem.
0
 
LVL 12

Expert Comment

by:geowrian
ID: 33442893
No problem. I have been following Mark's website and blog for years, so I am aware of why he made the tool. I was also surprised by his findings as changing the SID was common practice. I also assumed it was necessary like nearly everybody else.

Another department at my employment also encountered a number of the SID change issues on Windows 7 computers that were being imaged, so some good reading and good communication saved everybody a lot of headaches.
0


Question has a verified solution.
