Thanks to recent answers to my questions, I was able to use sysprep to create a Windows 7 system image ready for deployment in our organisation.
I learned that the process of using sysprep creates a new machine SID for the system, rendering running the newSID software unnecessary on newly deployed systems. Also, I saw Mark Russinovich's blog post that machine SIDs are no longer an issue. However, I am still a bit confused:
As one of the tech support technicians in our group, I sometimes get calls from clients whose computers would be unable to connect to our Windows domain, or can't login using their AD credentials (the error messages would be along the lines of "the domain can't be reached" etc., while other computers can).
According to one of our admins, the fault lies with duplicated computer SIDs, since the computer fails to log in because another computer with the same SID is already logged in. He said this is why sometimes a computer that fails to join the domain now would suddenly be able to join an hour later because the other, conflicting machine is off.
He would ask us to run newSID on the problematic computer to solve the issue. Interestingly, after (1) leaving the domain, (2) running newSID, then (3) re-joining the computer to our domain, the user would then be able to log in with the AD account. This appears to conflict with the blog post I mentioned which claims machine SIDs are no longer useful.
To better help my clients and to better understand how this all works I'd like to ask the following:
(1) AFAIK, newSID and sysprep both give the computer new machine SIDs. How does this machine SID play any role in the success of joining a domain or logging in to the computer with AD credentials? What happens when two systems with the same machine SID try to do it? Does the "SID conflict" our admin said has anything to do with this? Why might running newSID help?
(2) Is this issue different between Windows XP and Windows 7?
(3) Does Microsoft have any official documentation regarding all this?
Thank you in advance for your help!
Best Answer
It wouldn't help. There's some other problem that's being resolved (or temporarily swept under the rug) by rejoining the domain.
The only case where this would cause problems with the domain is if the machine were a clone (with no new SID) of the first domain controller that was used to create this domain.
The SID being regenerated by NewSID is not the SID (or more accurately, sub-authority ID) of the computer object in active directory (which is where you might run into conflicts), it's the authority ID that's used for the local user account database.
Going back to the "first domain controller" - the SID authority ID from that machine becomes the authority ID of the domain; other systems which have that same SID for their local users as well would run into issues on the domain. Other than this case, there's no possible conflict - especially not one that would cause communication problems with the domain.
In other words - he's got you looking in the wrong place :)
Nope, same behavior.
That blog post is probably the best doc there is, really.