The Machine SID Duplication Myth

toppings writes "Microsoft Technical fellow Mark Russinovich explains why he is now retiring NewSID, which has been used by IT departments for years when deploying Windows to new systems from customized clone images. Russinovich writes: 'The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn't fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication — having multiple computers with the same machine SID — doesn't pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.' He concludes: 'It's a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there's no reason to miss it now that it's retired. Microsoft's official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.'"
  • by flydpnkrtn ( 114575 ) on Tuesday November 03, 2009 @10:27PM (#29972624)
    I know for a fact that WSUS (Windows Server Update Services... basically a centralized patch server) would do "weird, interesting" things when two machines tried to check into WSUS with the same SID. Not sure if they've resolved the problem in later versions of WSUS...see this thread for an example: http://www.neowin.net/forum/lofiversion/index.php/t343182.html

    I thought that the problem was defined as being based around locking a specific machine down with Group Policy... when two machines have the same SID, AD had a hard time distinguishing them for security reasons, much as if two users' SIDs collided...

    But who am I to question the great creator of psexec and psinfo, Lord Russinovich :-)
  • Go Figure (Score:5, Insightful)

    by Anonymous Coward on Tuesday November 03, 2009 @10:29PM (#29972640)

    This is coming from the same company that billed my employer to the tune of $250,000 USD in order to create a utility that would move a user profile from the old location to the new one after the user account had been moved to a new NT domain.

    And then we found the moveuser.exe utility on the server resource kit and asked them what the $250,000 was for. Not that anyone who pays two hundred and fifty thousand dollars for a few lines of VBScript is smart (the PHBs wanted something bona fide), but I'm just sayin'...

  • 42 (Score:2, Insightful)

    by Anonymous Coward on Tuesday November 03, 2009 @10:31PM (#29972650)

    So if SIDs are mostly irrelevant, why bother with them at all? Why not just always have them the same number (e.g., 42)?

  • It is no myth (Score:3, Insightful)

    by blake1 ( 1148613 ) on Tuesday November 03, 2009 @10:53PM (#29972806)
    Speaking from experience, if you have two machines with the same SID on a single Domain you will have issues related to the computer account in Active Directory. Remove one of these computers from the Domain and the others will experience Netlogon errors and various other issues as a result. Although NewSID may no longer be relevant due to lack of Vista/2008/7/2008R2 support, you should always sysprep /generalize to prevent these issues from occurring. Not too sure why an MS blogger would have this stance; I've seen it numerous times (10+) with my own eyes. The fix is to either perform an offline workgroup join and generate new SIDs on all but 1 affected machine, or to remove machines, NewSID all but one, and rejoin the Domain.
  • In other words... (Score:5, Insightful)

    by jkrise ( 535370 ) on Tuesday November 03, 2009 @10:59PM (#29972850) Journal

    Microsoft is now my employer, and I have no reason to cater to the needs of the user community anymore.

  • Great. (Score:5, Insightful)

    by Wumpus ( 9548 ) <[IAmWumpus] [at] [gmail.com]> on Tuesday November 03, 2009 @11:39PM (#29973124)

    Doesn't it bother anyone else that even Microsoft doesn't have a clue how the OS they developed works anymore? That something like this is even an issue?

  • Re:Great. (Score:1, Insightful)

    by Anonymous Coward on Tuesday November 03, 2009 @11:56PM (#29973246)
    No, not at all. Despite the Borg icon, employees of Microsoft do not share a collective mind. Different people understand different parts of the system; nobody or almost nobody understands it all. Every large company is the same way.
  • Re:Great. (Score:5, Insightful)

    by Wumpus ( 9548 ) <[IAmWumpus] [at] [gmail.com]> on Wednesday November 04, 2009 @12:23AM (#29973422)

    But not every product is equally complex. I can't think of a feature that's critical to the proper basic administration of a Unix network that's equally poorly understood, to the point that it's considered news when someone figures it out after 10 years.

    The feeling I often get when developing for Microsoft's platform is that it is gratuitously complex. Complex APIs are routinely replaced with new, more complex ones. API calls that take a dozen or so arguments, with some of them pointing to structures containing dozens of members, return error codes that complain of a bad argument - good luck finding out which one of the 30 or so the system found to be offensive. Bugs go unfixed for years. It's all rather unpleasant, really.

  • Re:Duplicate UIDs (Score:4, Insightful)

    by RAMMS+EIN ( 578166 ) on Wednesday November 04, 2009 @12:36AM (#29973498) Homepage Journal

    The "subtlety" here is that Windows is extremely complex. I don't think anybody knows exactly how it works. Given that, it is hard to determine conclusively whether something can cause problems or not. Without that knowledge, it is best to err on the safe side.

  • I'll miss NewSID (Score:5, Insightful)

    by Darkon ( 206829 ) on Wednesday November 04, 2009 @06:37AM (#29975938)

    Not that I ever used it to generate a completely new SID, but what I did find it invaluable for was to set a machine's SID back to its old value after a re-install. This did away with the need to change the ownership on all of the user's files still on the hard drive and meant that most of the time their user profile would just keep on working as if nothing had changed.
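    Added example (not code from the article, from Russinovich, or from any commenter): a decoder for the binary SID layout stored in file security descriptors, plus the check behind Darkon's reinstall scenario above and the summary's machine-SID question. A local account SID is the machine SID with a RID appended, so a file owner recorded under the old machine SID only resolves if the reinstalled machine carries the same machine SID. Every SID value and the owner blob below are constructed samples.

```python
import struct

# Constructed sample: the binary owner SID from a file's security descriptor.
# Layout: revision(1) | sub-authority count(1) | 48-bit authority, big-endian |
#         N x 32-bit sub-authorities, little-endian.
# Decodes to S-1-5-21-1000-2000-3000-1001 (machine SID ...-1000-2000-3000, RID 1001).
FILE_OWNER_SID = bytes.fromhex(
    "01 05 000000000005 15000000 e8030000 d0070000 b80b0000 e9030000"
)

def parse_sid(blob: bytes) -> str:
    """Decode a binary SID into its S-R-A-s1-s2-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def split_machine_sid(sid: str):
    """Split a local-account SID (S-1-5-21-a-b-c-RID) into (machine SID, RID).
    Well-known SIDs such as S-1-5-18 (SYSTEM) carry no machine part: (None, None)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None, None

def owner_belongs_to_machine(owner_blob: bytes, machine_sid: str) -> bool:
    """True when the stored owner SID was issued by the given machine SID, i.e.
    the owning account still resolves to a local user on that install."""
    machine, _rid = split_machine_sid(parse_sid(owner_blob))
    return machine is not None and machine == machine_sid

if __name__ == "__main__":
    old_machine = "S-1-5-21-1000-2000-3000"  # machine SID of the original install (constructed)
    new_machine = "S-1-5-21-4000-5000-6000"  # machine SID a fresh install would generate (constructed)
    print(parse_sid(FILE_OWNER_SID))
    # Restoring the old machine SID keeps the owner resolvable; a new one orphans it.
    print(owner_belongs_to_machine(FILE_OWNER_SID, old_machine))
    print(owner_belongs_to_machine(FILE_OWNER_SID, new_machine))
```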

  • by DrXym ( 126579 ) on Wednesday November 04, 2009 @11:09AM (#29978392)
    I think you would be hard pushed to find any OS which tried to maintain the level of backwards binary compatibility as Windows has traditionally provided. Sure some things break from release to release, but generally the majority works extremely well. Given the hideous complexity of Windows this is nothing short of a minor miracle.
