I have a number of machines running Win2k3 and 2k8R2 that I would like to join to a domain. All the machines have been imaged from the same image, without using sysprep or anything similar. This means they all have the same SID. Am I going to run into any issues if I try to join all of these to the same domain?
I've already tried this with a couple test machines, and I experienced issues when the domain controllers came from the same image as all the other computers (I was seeing error log messages complaining that the domain controller SID was the same as the machine SID).
I did another test with freshly installed domain controllers (so they had different SIDs), and everything seemed okay.
I've done some research on this, and found some conflicting information. I can find a lot of references to this post, which seems to indicate that the duplicate SIDs are okay. I also find a lot of people saying horrible unspeakable things will happen unless I correct the SIDs.
Are these duplicate SIDs going to cause a problem?
Before anyone suggests any of these:
- Doing fresh installs of all these machines with new SIDs is out of the question, it would take many months to get through all the machines.
- Newsid.exe has been officially deprecated, and is not something that I would feel comfortable attempting. The developer of it has not tested it on anything newer than XP.
- Sysprep is not supported on existing machines. (second paragraph)
Duplicate machine SIDs are not a problem. This is why tools like NewSID are deprecated. In fact, in the blog post about why NewSID is deprecated, there are about 2 pages of text that explain why it's not a problem.
The only time that a local machine SID is exposed outside of that machine is when the first DC in a domain is promoted. Its local SID is used to create the domain SID. This explains why you have problems with cloned DCs.
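To check for the one collision the answer describes (a cloned DC whose machine SID became the domain SID), here is an added example, not from the original question or answer: it derives the local machine SID from the built-in Administrator account (RID 500) and compares it with the domain's objectSid. It assumes a domain-joined host, a domain user who can read the domain naming context, and uses WMI rather than the newer CIM cmdlets so it also runs on Server 2008 R2.

```powershell
# Added example (not part of the original post): does this machine's local SID
# equal its domain's SID? Only a cloned first DC should ever show a match.

function Get-LocalMachineSid {
    # The built-in local Administrator always has RID 500; dropping that RID
    # leaves the S-1-5-21-... machine SID prefix.
    $admin = Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    $sid = New-Object System.Security.Principal.SecurityIdentifier $admin.SID
    return $sid.AccountDomainSid
}

function Get-DomainSid {
    # Read objectSid from the root of the domain naming context via ADSI.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $bytes   = $domain.Properties["objectSid"].Value   # raw byte[] form of the SID
    return New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-MachineSidCollision {
    $local  = Get-LocalMachineSid
    $domain = Get-DomainSid
    # New-Object PSObject keeps this usable on PowerShell 2.0 (2008 R2 default).
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = $local.Value
        DomainSid    = $domain.Value
        Collision    = ($local.Value -eq $domain.Value)
    }
}

Test-MachineSidCollision | Format-List
```

Run it on each domain controller; a `Collision = True` on any DC is the cloned-DC case the answer warns about, while member servers sharing a machine SID with each other will all report `False`.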