Thursday, 6 January 2011

Duplicate SID from OS templates during Active Directory creation

I built a new test Forest in my Test Lab, deploying from template Windows 2003 and 2008 images.

The Forest consisted of a Root and 2 child domains, an example:

I had read an article on the myth of changing the SID of a machine when deploying or cloning from a template. The article is here

However, when I came to build my first child domain, I had major issues during the DCPROMO process. The Active Directory installation wizard informed me that the specified domain already existed.

Now this was news to me :-) and a quick double take confirmed it indeed did not exist. Then I realised both the root Domain Controller that was already running and this new Child DC were spun from the same template.

I remembered that when you DCPROMO a server the SID for the domain is taken from the first server to be promoted - and there was my issue.

So ensure that you use NewSID (now retired and not supported for Windows 2008 R2 or Windows 7) or properly Sysprep any of your templates in your test or production virtualized environments.

Oliver Moazzezi

MVP - Exchange Server
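
A check to run before DCPROMO for the problem described above, as an added example that is not part of the original post: it derives each host's machine SID from the SID of its built-in Administrator account and reports hosts that share one. The function names, host names and SID values are hypothetical and constructed for illustration.

```powershell
# Added example: find template-cloned hosts that share a machine SID
# before any of them is promoted to a Domain Controller.

function Get-MachineSidFromAccountSid {
    param([Parameter(Mandatory)][string]$AccountSid)
    # A local account SID is <machine SID>-<RID>,
    # e.g. S-1-5-21-a-b-c-500 for the built-in Administrator.
    if ($AccountSid -match '^(S-1-5-21-\d+-\d+-\d+)-\d+$') {
        return $Matches[1]
    }
    throw "Not a machine-relative account SID: $AccountSid"
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][hashtable]$AccountSidByHost)
    $AccountSidByHost.GetEnumerator() |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $_.Key
                MachineSid   = Get-MachineSidFromAccountSid $_.Value
            }
        } |
        Group-Object MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory: host name -> SID of its local Administrator.
# On live member servers the value can be read with, for example:
#   Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
#       Where-Object { $_.SID -like '*-500' }
$sample = @{
    'ROOT-DC01'  = 'S-1-5-21-1234567890-2345678901-3456789012-500'
    'CHILD-DC01' = 'S-1-5-21-1234567890-2345678901-3456789012-500'  # same template, no Sysprep
    'CHILD-DC02' = 'S-1-5-21-4000000001-4100000002-4200000003-500'  # Sysprepped
}

# Any row returned here is a set of hosts that must be re-SIDed before promotion.
Find-DuplicateMachineSid -AccountSidByHost $sample | Format-Table -AutoSize
```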
