new Unity Platform Configuration CD - SID issue

Unanswered Question
Oct 25th, 2007

I just made the discovery that the new Unity Platform configuration CDs use Ghost to install Windows 2003, and subsequently create the same Security IDs on all systems built using said CDs.

This is not an issue for a stand-alone configuration, but it is an issue if you are building a multi-server AD/Exchange environment, as SIDs in a domain must be unique.

I have not found any Cisco documentation that deals with this issue, and this link:

which covers using the platform config CD, does not talk about SIDs.

I have dealt with this by changing the SIDs using a utility but is there an official way to deal with this issue?

Tommer Catlin Thu, 10/25/2007 - 08:56

Have you verified the SIDs are the same on each Unity server you install? It should be in the registry.

I thought that after you add a machine to the domain, the DC will change the SID automatically... no?

Here is a clip from the MSFT site.

The SID Duplication Problem

The problem with cloning is that it is only supported by Microsoft in a very limited sense. Microsoft has stated that cloning systems is only supported if it is done before the GUI portion of Windows Setup has been reached. When the install reaches this point the computer is assigned a name and a unique computer SID. If a system is cloned after this step the cloned machines will all have identical computer SIDs. Note that just changing the computer name or adding the computer to a different domain does not change the computer SID. Changing the name or domain only changes the domain SID if the computer was previously associated with a domain.

To understand the problem that cloning can cause, it is first necessary to understand how individual local accounts on a computer are assigned SIDs. The SIDs of local accounts consist of the computer's SID and an appended RID (Relative Identifier). The RID starts at a fixed value, and is increased by one for each account created. This means that the second account on one computer, for example, will be given the same RID as the second account on a clone. The result is that both accounts have the same SID.

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SIDs based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Another instance where duplicate SIDs can cause problems is where there is removable media formatted with NTFS, and local account security attributes are applied to files and directories. If such media is moved to a different computer that has the same SID, then local accounts that otherwise would not be able to access the files might be able to if their account IDs happened to match those in the security attributes. This is not possible if computers have different SIDs.
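As an added example (not from the thread or from Cisco), here is a fleet check for the problem the quoted text describes: a local account SID is the machine SID plus a RID, so clones that share a machine SID also share every local account SID. The host names and account lists are constructed; only the machine SID is the one quoted later in this thread.

```python
# Added example: detect duplicate machine SIDs across a server inventory.
# Local account SID = machine SID + "-" + RID, so clones collide account by account.
from collections import defaultdict

CLONED_MACHINE_SID = "S-1-5-21-2237029002-336809978-74049757"   # quoted in the thread
OTHER_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


def machine_sid(account_sid: str) -> str:
    """Strip the trailing RID from a local account SID of the form S-1-5-21-a-b-c-rid."""
    parts = account_sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a local account SID: {account_sid!r}")
    return "-".join(parts[:7])


def local_account_sids(machine: str, n_users: int) -> list[str]:
    """Administrator is RID 500; user-created accounts count up from 1000."""
    return [f"{machine}-500"] + [f"{machine}-{1000 + i}" for i in range(n_users)]


# Constructed inventory: host -> SIDs of its local accounts (as exported from each
# server). Three servers built from the same CD, one built separately.
INVENTORY = {
    "UNITY1": local_account_sids(CLONED_MACHINE_SID, 2),
    "UNITY2": local_account_sids(CLONED_MACHINE_SID, 2),
    "UNITY3": local_account_sids(CLONED_MACHINE_SID, 1),
    "MAILSRV": local_account_sids(OTHER_MACHINE_SID, 2),
}


def _shared(inventory: dict, key) -> dict:
    """Group hosts by key(sid) and keep only keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for host, sids in inventory.items():
        for sid in sids:
            hosts_by_key[key(sid)].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


def duplicate_machine_sids(inventory: dict) -> dict:
    """{machine_sid: [hosts]} for machine SIDs shared by several hosts."""
    return _shared(inventory, machine_sid)


def colliding_account_sids(inventory: dict) -> dict:
    """{account_sid: [hosts]} for local accounts a workgroup or NTFS ACL cannot tell apart."""
    return _shared(inventory, lambda sid: sid)


if __name__ == "__main__":
    for sid, hosts in duplicate_machine_sids(INVENTORY).items():
        print(f"machine SID {sid} shared by {', '.join(hosts)}: re-SID before joining a domain")
```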

nordendale Thu, 10/25/2007 - 09:25

Yes, I have verified that the SIDs are all the same on 4 servers: S-1-5-21-2237029002-336809978-74049757. I only noticed the issue when I created a new AD and tried to add servers to it. I got the message: "The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain." This led me to look at the SIDs, and that's when I realized what had happened.

The issue is that the duplicate SIDs are coming from a Platform Config CD.
