ADSM-L

Re: mirroring setups

1998-08-13 08:44:00
Subject: Re: mirroring setups
From: Peter Thomas <Peter_Thomas AT MANULIFE DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU <ADSM-L AT VM.MARIST DOT EDU>
Date: Thursday, August 13, 1998 12:44 PM
>Ben
>
>The only thing to be careful with this approach (which is similar to
>say using GHOST or any of the other image level NT install procedures) is
>the Machine's SID.
>
>Quoting from an NT site (WWW.SYSINTERNALS.COM) who have a free tool for
>changing the SID after installation
>
>   The problem with cloning is that it is only supported by Microsoft in a
>   very limited sense. Microsoft has stated that cloning systems is only
>   supported if it is done before the GUI portion of Windows NT Setup has
>   been reached. When the NT install reaches this point the computer is
>   assigned a name and a unique computer SID. If a system is cloned after
>   this step the cloned machines will all have identical computer SIDs.
>   Note that just changing the computer name or adding the computer to a
>   different domain does not change the computer SID. Changing the name or
>   domain only changes the domain SID if the computer was previously
>   associated with a domain.
>
>   To understand the problem that cloning can cause, it is first necessary
>   to understand how individual local accounts on a computer are assigned
>   SIDs. The SIDs of local accounts consist of the computer's SID and an
>   appended RID (Relative Identifier). The RID starts at a fixed value, and
>   is increased by one for each account created. This means that the second
>   account on one computer, for example, will be given the same RID as the
>   second account on a clone. The result is that both accounts have the
>   same SID.
>
>   Duplicate SIDs aren't an issue in a Domain-based NT environment since
>   domain accounts have SIDs based on the Domain SID. But, according to
>   Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate
>   Installed Versions of Windows NT", in a Workgroup environment security
>   is based on local account SIDs. Thus, if two computers have users with
>   the same SID, the Workgroup will not be able to distinguish between the
>   users. All resources, including files and Registry keys, that one user
>   has access to, the other will as well.
>
>   Another instance where duplicate SIDs can cause problems is where there
>   is removable media formatted with NTFS, and local account security
>   attributes are applied to files and directories. If such media is
>   moved to a different computer that has the same SID, then local accounts
>   that otherwise would not be able to access the files might be able to if
>   their account IDs happened to match those in the security attributes.
>   This would not be possible if computers have different SIDs.
>
>   An article Mark has written, entitled "NT Rollout Options", will appear
>   in the June issue of Windows NT Magazine. It discusses the duplicate SID
>   issue in more detail, and presents Microsoft's official stance on
>   cloning (please do not ask for preview copies).
>
>Peter
>
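
The duplicate-SID condition described in the quoted text can be checked from an account inventory. The following is an added example, not part of the original message or of any Sysinternals tool: it splits each local-account SID into computer SID and RID and reports hosts that share a computer SID. It assumes SIDs in the standard `S-1-5-21-<a>-<b>-<c>-<RID>` string form; the function names, hostnames, account names and SID values are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input format: S-1-5-21-<a>-<b>-<c>-<RID>. Everything before the
# last sub-authority is the computer SID; the last sub-authority is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (computer_sid, rid) for a local-account SID string."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine-relative account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def find_clones(inventory):
    """inventory: iterable of (host, account, sid) tuples.
    Returns {computer_sid: sorted hosts} for computer SIDs seen on >1 host."""
    hosts = defaultdict(set)
    for host, _account, sid in inventory:
        hosts[split_sid(sid)[0]].add(host)
    return {c: sorted(h) for c, h in hosts.items() if len(h) > 1}

def colliding_accounts(inventory):
    """Returns {account_sid: sorted [(host, account)]} for full SIDs that
    appear on more than one host, i.e. accounts a workgroup cannot tell apart."""
    seen = defaultdict(set)
    for host, account, sid in inventory:
        seen[sid.strip()].add((host, account))
    return {s: sorted(v) for s, v in seen.items()
            if len({h for h, _ in v}) > 1}

# Constructed sample inventory: WS02 was cloned from WS01, WS03 was not.
SAMPLE = [
    ("WS01", "alice", "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("WS02", "bob",   "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("WS02", "carol", "S-1-5-21-1111111111-2222222222-3333333333-1002"),
    ("WS03", "dave",  "S-1-5-21-4444444444-5555555555-6666666666-1001"),
]

if __name__ == "__main__":
    for csid, hs in find_clones(SAMPLE).items():
        print(f"computer SID {csid} shared by {', '.join(hs)}")
    for sid, owners in colliding_accounts(SAMPLE).items():
        print(f"{sid} names {owners}")
```
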