Joining imaged workstations with dup SIDs to AD. Effects?

I have this issue where workstations appear to not be properly joined to the
domain. They were at some point working but eventually they stopped running
logon scripts or cannot map shares. That is because we replaced domain
controllers and file servers which at that point they cannot access the
shares so they cannot map drives, run logon scripts or get GPOs. Rejoining
them to the domain fixes the issue but need to find the root cause. So far
the only thing I have found in common is that they all have the same SIDs
from the image when they were put in place. So my question is what is the
known affects of joining workstations to AD that have been imaged but not
syspreped or newsid ran on them? Thanks.

"Rich" <spam@nospam.com> ha scritto nel messaggio
news:F91ED391-B5A6-44E3-AA9C-07324485B42C@microsoft.com...

> So my question is what is the known affects of joining
> workstations to AD that have been imaged but not syspreped or newsid ran
> on them?

The effect is exactly the one you're experiencing: they won't work properly.

Short-term solution: run SYSPREP on them and re-join them to the domain.
Long-term solution: run SYSPREP *before* taking the image, so they're ready
to be used as soon as they restart.


Massimo

Rich,

Rich wrote:
> root cause. So far the only thing I have found in common is that they
> all have the same SIDs from the image when they were put in place. So
> my question is what is the known affects of joining workstations to AD
> that have been imaged but not syspreped or newsid ran on them? Thanks.

Those are the things. It can range from non-mapped drives to denied
access to file services and Group Policies not being applied correctly.
I've seen various issues like these.

As Massimo suggested, use Sysprep before imaging them or use another
deployment facility (RIS/WDS).

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Hello Rich,

You see some of the effects. And the only solution is to sysprep them and
rejoin to the domain. Then create an installation master image and shut it
down with sysprep for future machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have this issue where workstations appear to not be properly joined
> to the domain. They were at some point working but eventually they
> stopped running logon scripts or cannot map shares. That is because we
> replaced domain controllers and file servers which at that point they
> cannot access the shares so they cannot map drives, run logon scripts
> or get GPOs. Rejoining them to the domain fixes the issue but need to
> find the root cause. So far the only thing I have found in common is
> that they all have the same SIDs from the image when they were put in
> place. So my question is what is the known affects of joining
> workstations to AD that have been imaged but not syspreped or newsid
> ran on them? Thanks.
>

Machines with duplicate sid's in a domain environment (on most machines)
won't create an issue, but I would suggest you run sysprep or in the current
predicament you are in I would run newsid on the existing machines.
Duplicate sid's in a workgroup environment will create problems since the
domain part of the sid doesn't exist and security is messed up. Read the
link below to get complete details and to download the executable.

In the future I would suggest you building a sysprep image

http://technet.microsoft.com/en-us/s.../bb897418.aspx

The loss of access to the shares is probably related to workgroup style
connections. It sounds like you have found the solution, so you should roll
with it.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"Rich" <spam@nospam.com> wrote in message
news:F91ED391-B5A6-44E3-AA9C-07324485B42C@microsoft.com...
>I have this issue where workstations appear to not be properly joined to
>the domain. They were at some point working but eventually they stopped
>running logon scripts or cannot map shares. That is because we replaced
>domain controllers and file servers which at that point they cannot access
>the shares so they cannot map drives, run logon scripts or get GPOs.
>Rejoining them to the domain fixes the issue but need to find the root
>cause. So far the only thing I have found in common is that they all have
>the same SIDs from the image when they were put in place. So my question
>is what is the known affects of joining workstations to AD that have been
>imaged but not syspreped or newsid ran on them? Thanks.

Thanks all. I did find that article saying that SIDs should not affect
domain joined computers but I wanted to see what everyones exeperiences were
and if that was really the case. I did find a KB also that states it will
cause issues with WSUS depending on what the image contains for the SUS Sid.
The 2nd part of my problem is that I am not part of the team that supports
workstations so before I bust in on them and tell them how to do their
imaging I need something hard and solid to prove that duplicate SIDs are a
problem.

"Paul Bergson" <pbbergs@nospam_msn.com> wrote in message
news:32A932D1-12BA-4DD9-8123-5EF25F6E329C@microsoft.com...
> Machines with duplicate sid's in a domain environment (on most machines)
> won't create an issue, but I would suggest you run sysprep or in the
> current predicament you are in I would run newsid on the existing
> machines. Duplicate sid's in a workgroup environment will create problems
> since the domain part of the sid doesn't exist and security is messed up.
> Read the link below to get complete details and to download the
> executable.
>
> In the future I would suggest you building a sysprep image
>
> http://technet.microsoft.com/en-us/s.../bb897418.aspx
>
> The loss of access to the shares is probably related to workgroup style
> connections. It sounds like you have found the solution, so you should
> roll with it.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Rich" <spam@nospam.com> wrote in message
> news:F91ED391-B5A6-44E3-AA9C-07324485B42C@microsoft.com...
>>I have this issue where workstations appear to not be properly joined to
>>the domain. They were at some point working but eventually they stopped
>>running logon scripts or cannot map shares. That is because we replaced
>>domain controllers and file servers which at that point they cannot access
>>the shares so they cannot map drives, run logon scripts or get GPOs.
>>Rejoining them to the domain fixes the issue but need to find the root
>>cause. So far the only thing I have found in common is that they all have
>>the same SIDs from the image when they were put in place. So my question
>>is what is the known affects of joining workstations to AD that have been
>>imaged but not syspreped or newsid ran on them? Thanks.
>