ADSM-L

Re: mirroring setups

1998-08-13 13:27:26
Subject: Re: mirroring setups
From: Peter Thomas <Peter_Thomas AT MANULIFE DOT COM>
Date: Thu, 13 Aug 1998 13:27:26 -0400
Ben

The only thing to be careful with this approach (which is similar to
say using GHOST or any of the other image level NT install procedures) is
the Machine's SID.

Quoting from an NT site (WWW.SYSINTERNALS.COM) who have a free tool for
changing the SID after installation:

   The problem with cloning is that it is only supported by Microsoft in a
   very limited sense. Microsoft has stated that cloning systems is only
   supported if it is done before the GUI portion of Windows NT Setup has
   been reached. When the NT install reaches this point the computer is
   assigned a name and a unique computer SID. If a system is cloned after
   this step the cloned machines will all have identical computer SIDs.
   Note that just changing the computer name or adding the computer to a
   different domain does not change the computer SID. Changing the name or
   domain only changes the domain SID if the computer was previously
   associated with a domain.

   To understand the problem that cloning can cause, it is first necessary
   to understand how individual local accounts on a computer are assigned
   SIDs. The SIDs of local accounts consist of the computer's SID and an
   appended RID (Relative Identifier). The RID starts at a fixed value, and
   is increased by one for each account created. This means that the second
   account on one computer, for example, will be given the same RID as the
   second account on a clone. The result is that both accounts have the
   same SID.

   Duplicate SIDs aren't an issue in a Domain-based NT environment since
   domain accounts have SIDs based on the Domain SID. But, according to
   Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate
   Installed Versions of Windows NT", in a Workgroup environment security
   is based on local account SIDs. Thus, if two computers have users with
   the same SID, the Workgroup will not be able to distinguish between the
   users. All resources, including files and Registry keys, that one user
   has access to, the other will as well.

   Another instance where duplicate SIDs can cause problems is where there
   is removable media formatted with NTFS, and local account security
   attributes are applied to files and directories. If such media is
   moved to a different computer that has the same SID, then local accounts
   that otherwise would not be able to access the files might be able to if
   their account IDs happened to match those in the security attributes.
   This is not possible if computers have different SIDs.

   An article Mark has written, entitled "NT Rollout Options", will appear
   in the June issue of Windows NT Magazine. It discusses the duplicate SID
   issue in more detail, and presents Microsoft's official stance on
   cloning (please do not ask for preview copies).

Peter
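
Added example, not part of the original message or the quoted Sysinternals text: a check that splits local account SIDs into machine SID and RID, as the quoted passage describes, and reports hosts that share a machine SID and accounts on different hosts that end up with the same full SID. The inventory format, host names, account names and SID values are constructed for illustration, and the inventory is assumed to contain local accounts only.

```python
import re
from collections import defaultdict

# Local account SID: machine SID (S-1-5-21-<three sub-authorities>) plus an appended RID.
ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (machine_sid, rid) for a local account SID, or raise ValueError."""
    m = ACCOUNT_SID.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine-relative account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def find_clones(inventory):
    """inventory: iterable of (host, account, sid) rows for local accounts.
    Returns (machine SIDs seen on several hosts, full SIDs held on several hosts)."""
    hosts_by_machine = defaultdict(set)
    accounts_by_sid = defaultdict(list)
    for host, account, sid in inventory:
        machine_sid, _rid = split_sid(sid)
        hosts_by_machine[machine_sid].add(host)
        accounts_by_sid[sid.strip()].append((host, account))
    shared_machine = {m: sorted(h) for m, h in hosts_by_machine.items() if len(h) > 1}
    shared_account = {s: sorted(a) for s, a in accounts_by_sid.items()
                      if len({host for host, _ in a}) > 1}
    return shared_machine, shared_account

# Constructed sample inventory: WS02 was imaged from WS01 after setup assigned the SID.
INVENTORY = [
    ("WS01", "alice", "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("WS01", "bob",   "S-1-5-21-1111111111-2222222222-3333333333-1002"),
    ("WS02", "carol", "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("WS03", "dave",  "S-1-5-21-1234567890-2345678901-3456789012-1001"),
]

if __name__ == "__main__":
    machines, accounts = find_clones(INVENTORY)
    for sid, hosts in machines.items():
        print(f"machine SID {sid} shared by {', '.join(hosts)}")
    for sid, owners in accounts.items():
        print(f"account SID {sid} held by {owners}")
```

In the sample, alice on WS01 and carol on WS02 resolve to the same SID, so an NTFS ACL or Workgroup permission granted to one applies to the other; dave on WS03 has the same RID but a different machine SID and is not affected.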