You’ve seen the infomercials where they tout some kitchen product as the silver bullet, right? You know…it slices, dices, and even makes Julienne fries! It’s the catch-all device that can pretty much do just about anything – even help with the kids’ calculus homework. Well, I think Active Directory should have its own infomercial because it truly can do just about anything (I’m starting to think it may even make Julienne fries)!
Many of you have probably heard by now that NewSID is dead (if you already have it, it still works on pre-Windows 7 operating systems, of course). In Mark Russinovich’s blog post, he explains why the tool has been deprecated and the misperception that has long existed around SID duplication. Listen, I am in no position to question Mark, and that’s not what I am doing here, but I do want to echo one point from his article that directly impacts me as a directory services admin:
Every Domain has a unique Domain SID that’s taken from the machine SID of the first Domain Controller of the Domain, and all machine SIDs for the Domain’s DCs match the Domain SID. So in some sense, that’s a case where machine SIDs do get referenced by other computers. That means that Domain member computers cannot have the same machine SID as that of the DCs and therefore Domain.
Most of my testing is with domain controllers, and I like to have a fully patched, fully activated parent disk from which I can create differencing disks in Virtual PC. I would create a virtual machine for each soon-to-be DC from a differencing disk and then run NewSID to get a unique SID on each machine. Once the machines had unique SIDs, I would start promoting them as domain controllers into my forest, and from there I could test whatever it was I was after. The advantage of skipping Sysprep was that I didn’t have to run through mini-setup or reactivate the machine (and I can see why MS wouldn’t like that). That’s nice, because when you are trying to validate something for a customer, you want as few delays as possible.
As Mark mentions, the machine SID of the first DC in the domain becomes the SID of the domain. You are able to join a machine whose machine SID equals the domain SID to the domain, but you are not able to log on from it: its local account SIDs (local Administrator, RID 500, and so on) are indistinguishable from the domain’s account SIDs. If you try, you will be faced with an error prompt at logon.
Bummer!
With NewSID dead, you’re going to have to Sysprep to get the new SID you need. Or... you can use Active Directory!
WARNING: I’ll just stop and warn you that this is a kind of silly use of Active Directory but it’s pretty interesting all the same.
Instead of joining that server to the domain as a member server, first promote it straight from a workgroup machine to a domain controller. When you do that (assuming it’s a replica DC, that is, an additional DC in an existing domain rather than the first DC of a new one), the machine’s current SID (the one that matches the domain) is discarded and the machine takes on the SID of the domain (which in this case is the same value anyway). Now demote the domain controller back to a regular member server and guess what? Demotion generates a brand new machine SID! Now you can log on to the domain from your domain-joined member server.
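Here is the whole procedure as a script, as an added example that is not from the original post or from Microsoft. It first checks whether the local machine SID collides with the domain SID (the condition that breaks logon after a plain join), and, if it does, walks through the promote/demote cycle instead of Sysprep. It uses the ADDSDeployment cmdlets from Windows Server 2012 and later rather than the dcpromo.exe of the post’s era; the domain name, credential prompt and passwords are hypothetical placeholders. Because promotion and demotion each reboot the box, the script is split into phases that you run one after another.

```powershell
# Added example (not the original post's or Microsoft's code). Detects a machine
# SID that equals the domain SID and fixes it with a replica-DC promote/demote
# cycle. Assumes Windows Server 2012+ with the ADDSDeployment cmdlets; the
# domain name and credential are hypothetical placeholders.
param(
    [ValidateSet('Check', 'Promote', 'Demote')][string]$Phase = 'Check',
    [string]$DomainName = 'corp.contoso.com',   # hypothetical lab domain
    [pscredential]$Credential = (Get-Credential -Message 'Domain Admins account')
)

# The machine SID is any local account SID with its trailing RID removed. The
# built-in Administrator (RID 500) always exists, so derive it from there.
function Get-MachineSid {
    $admin = Get-CimInstance Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
    ([System.Security.Principal.SecurityIdentifier]$admin.SID).AccountDomainSid
}

# Read the domain SID (objectSid of the domain naming context) over LDAP with
# plain .NET, so this also works from a workgroup box with no RSAT installed.
function Get-DomainSid {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        'Domain', $DomainName, $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $bytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

switch ($Phase) {
    'Check' {
        $machineSid = (Get-MachineSid).Value
        $domainSid  = (Get-DomainSid).Value
        "Machine SID: $machineSid"
        "Domain SID:  $domainSid"
        if ($machineSid -eq $domainSid) {
            Write-Warning 'Machine SID equals the domain SID; logon would fail after a plain join.'
            Write-Warning 'Run this script again with -Phase Promote.'
        }
        elseif (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
            # No collision and not yet a member: a plain domain join is enough.
            Add-Computer -DomainName $DomainName -Credential $Credential -Restart
        }
        else {
            'SIDs differ and the machine is already a domain member; nothing to do.'
        }
    }
    'Promote' {
        # Replica DC = additional DC in an existing domain. Promotion discards the
        # machine SID and the box takes on the domain SID. Reboots when finished.
        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
        $dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
        Install-ADDSDomainController -DomainName $DomainName -Credential $Credential `
            -SafeModeAdministratorPassword $dsrm -Force
    }
    'Demote' {
        # Demotion leaves the box as a domain member server with a freshly
        # generated machine SID. It resets the local Administrator password,
        # which is why the cmdlet asks for one. Reboots when finished.
        $localAdminPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'
        Uninstall-ADDSDomainController -Credential $Credential `
            -LocalAdministratorPassword $localAdminPwd -Force
    }
}
```

Run it as `-Phase Check` on the freshly cloned box; if it warns about the collision, run `-Phase Promote`, let the machine reboot, run `-Phase Demote`, let it reboot again, and then `-Phase Check` once more: the machine SID should now differ from the domain SID and the box is already a member server, so the script reports that there is nothing left to do.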
Oh Active Directory, is there anything that you can’t do?
CAUTION: I don’t have to say it, right? This is probably something that you don’t want to do in production unless you are very comfortable with the behavior.
In a future post, we’re going to talk more about SIDs on domain controllers and the varying behavior.