Cloning Windows Server 2008 R2: Use Sysprep (no more NewSID)
Posted on 30.Jul 2010 by Ray Heffer in Microsoft, VMware, Windows Server 2008 R2
It is not uncommon these days for system administrators to clone virtual servers or take an image of physical servers running Windows Server 2008, and there are plenty of tools to do it (Ghost, Acronis, Platespin for P2V conversions, etc.). If this is something you do regularly then you won’t be unfamiliar with Sysprep or NewSID, but according to Mark Russinovich at Microsoft the machine SID doesn’t matter, and Sysinternals has now retired NewSID (written by Mark). NewSID isn’t supported on Windows Server 2008, so the only option now is Sysprep. Whilst the facts presented on Mark’s blog are correct, I have personally seen many issues with cloned or imaged Windows Server 2008 machines on which Sysprep was not run first. Let me present a typical scenario that causes problems here.
Scenario:
1) Build a Windows Server 2008 R2 server, apply patches and various tweaks.
2) Shutdown the server and take an image (or clone it to a virtual machine template). Note: I haven’t used Sysprep!
3) Deploy two new servers from the image or template. Promote one to a domain controller and add the other one to the domain as a member server.
In this scenario the first problem I would encounter is that domain users who are members of Domain Admins will not have the appropriate permissions to access PowerShell or Computer Management on the member server. The default Administrator account would work fine. Secondly, if I try to ping the domain controller I would get the following error:
C:\Users\User1>ping LAB-DC01
Unable to contact IP driver. General failure.
So the SID really does matter. Prior to taking your clone or image, just remember to use Sysprep as follows:
1) Run Sysprep (on Windows Server 2008 this is located in c:\Windows\System32\Sysprep\Sysprep.exe)
2) Ensure ‘System Out-of-Box Experience (OOBE)’ is selected
3) Tick the ‘Generalize’ option (this resets the SID)
4) Select ‘Shutdown’ from the Shutdown Options.
5) Once the machine has shutdown, take your image and you are good to go!
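The following PowerShell script is an added example and is not part of Ray’s post. It shows how to read the machine SID (the SID of the built-in Administrator with its RID removed) and the domain SID on a Windows Server 2008 R2 box, flag the situation the scenario above produces (the DC was promoted from the same un-sysprepped image, so the domain SID and the member server’s machine SID are identical), and run Sysprep with exactly the options in the numbered steps. The function names Get-MachineSid, Get-DomainSid, Test-DuplicateSid and Invoke-SysprepForImaging are names chosen for this example; it assumes an elevated prompt, and the Sysprep call is only meant for the template machine that is about to be imaged, never a live production server.

```powershell
# Added example (not from the original post): compare the machine SID with the
# domain SID and run Sysprep with the same options as the steps above.
# Assumptions: elevated PowerShell 2.0+ on Windows Server 2008 R2; the function
# names below are chosen for this example.

function Get-MachineSid {
    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator always has RID 500, so stripping "-500" yields the machine SID.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE AND SID LIKE '%-500'"
    if (-not $admin) { throw "Could not find the local built-in Administrator (RID 500)." }
    return ($admin.SID -replace '-500$', '')
}

function Get-DomainSid {
    # Returns $null when the machine is not domain-joined.
    $cs = Get-WmiObject Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return $null }
    # objectSid on the domain naming context is the domain SID as a byte array.
    $dn    = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $bytes = [byte[]]([ADSI]"LDAP://$dn").objectSid.Value
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    return $sid.Value
}

function Test-DuplicateSid {
    # $true when this member server carries the same SID as the domain, i.e. the
    # DC was promoted from the same image without Sysprep (the scenario above).
    $machine = Get-MachineSid
    $domain  = Get-DomainSid
    Write-Host "Machine SID : $machine"
    if ($domain) { Write-Host "Domain SID  : $domain" } else { Write-Host "Domain SID  : (not domain-joined)" }
    if ($domain -and ($domain -eq $machine)) {
        Write-Warning "Domain SID equals this machine's SID. Re-deploy from a template that was sysprepped with Generalize."
        return $true
    }
    return $false
}

function Invoke-SysprepForImaging {
    # Same choices as steps 1-4: OOBE, Generalize (new SID on next boot), Shutdown.
    # Run this on the source/template machine only, right before taking the image.
    $sysprep = Join-Path $env:windir 'System32\Sysprep\Sysprep.exe'
    & $sysprep /oobe /generalize /shutdown
}

# Check the current box; call Invoke-SysprepForImaging yourself on the template.
Test-DuplicateSid | Out-Null
```

The /oobe, /generalize and /shutdown switches are the command-line equivalents of the dialog choices in the steps above, so the script can be dropped into an automated template build instead of clicking through Sysprep.exe.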


This is only applicable because you’re making your domain controller and the cloned server have the same SID. If you have two servers with the same SID it does not matter as long as it is not the same as your domain controller’s SID.
Not really true. If any of those duplicate SIDs are attempting to JOIN the same domain, there are issues. I’m seeing this now. Granted my DC is Win2k3 (legacy reasons) and I’m using a few 2K8R2 servers.
So, does the above process work if the master has been joined to a domain before cloning?
Also, do you need to do sysprep after cloning on the master in case you want to have the master on again for application updates or something?
Hi Ray, others,
Eye-opener! Had this issue once with 2003R2 and then tackled it by using NewSID.
What I did recently was creating one machine in ESX by mounting an .iso with 2008R2 sources.
I cloned it a few times to quickly set up an environment for some proof of concept. Read about the SID story (NewSID not needed anymore, e.g. Mark Russinovich). As soon as I joined a server to the domain, I couldn’t do any management tasks on this machine (local machine, like .msc functions, activate Windows etc.) with a user account just created and member of Domain Admins, machine operators… nothing helped out. Disabled UAC, firewall, all the same. Logging in with the built-in administrator account (AD) did work out (but not preferable).
Fortunately, googling, the above article reminded me of my earlier experience so I took it for granted without a doubt.
Removed machine from domain, sysprepped with “generalize” checked and selected “shutdown”. Cloned it a few times (quite some settings were made and configured like disks, location of pagefile etc) then tried again; joined domain and everything fine! All machines.
Great!
Since sysprep became so simple in 2008R2, I can advise everyone to create virtual machines this way, just to exclude dependencies.
Thanks, cheers.
Rick.
I had none of these issues. I created a base image. Then shut it down and made 5 clones. One of the clones was turned into a DC. The other 4 were joined to that domain. All are Windows 2008 R2 machines. No errors. No messages. Everything pings, connects, accounts work, everything.
Yep. Works. Until you try to install Exchange, for example…
Wait till you use other programs. WSUS for example. Clients will have the same SUSID. You will see ghost machines appear and reappear.
I’m about to try this with 2008 SP2 (not R2). Is it really this easy? And can I then make multiple clones from the same source after running sysprep once on it? Or does sysprep need to be re-run before each successive clone?
Thanks!
This video puts an end to the SID argument. It was presented at the Europe 2010 Tech-Ed. The Microsoft speaker stated that dcpromo uses the machine SID to create the domain SID. So the Domain SID string has the Machine SID in it. According to the video it does matter. Basically you will end up with what the speaker refers to as “SID Filtering”, which is where the system granting permission throws out the requesting user’s SIDs because it thinks the user is trying to elevate its permissions. It’s a good video, check it out.
http://www.msteched.com/2010/Europe/SIA320
Hi Ray,
Thanks for the info.
Running sysprep does make a difference.
My situation: (short story)
I wanted to do some testing with SCCM 2012 in preparation of the final release later this year (I currently run SCCM 2007). I created a virtual network using Hyper-V. Created the following virtual machines for my network: Server 2008 R2, Windows 7, and Windows XP. I then cloned the Server 2008 image and made it my ADDC. I joined the original Server 2008 to my domain as a member server, this would become my SCCM 2012 server. Certain Domain accounts needed to be added to the local Administrators Group on my SCCM 2012 server so access down the road would not present an issue. When I attempted to add these Domain accounts, a message would popup indicating that these accounts had already been added, yet they did not appear in the list. After searching Google for a resolution, I came upon your post. I removed my SCCM 2012 server from the domain and ran SYSPREP as you had indicated. I needed to reset the name and IP address back to what I had originally set them, and then I added it back to my domain. After I did this, I was able to add the required Domain accounts to the local Administrators Group, and the testing continues.
Thanks Again…
Ray,
I can’t even get the image to boot. I used a Bart’s PE network boot disk to network boot my winserv2k8r2 machine. This machine has not yet been joined to a domain, and I need to create three of them. Using Ghost solution suite 2.5.1, I used Ghost.exe to create the image of my base server. But when I restored the image to a different machine, it won’t even boot.
That may be basic, but it’s specifically Winserv2k8 related. I can ghost and recover XP machines just fine.
BTW, I didn’t Sysprep my base server, but (prior to Windows 7 at least) that has never mattered; I can, and normally do, run Sysprep prior to deploying. This has been a matter of choice more than anything else.
The real problem is that I can’t find any specific information anywhere; this blog is the closest I’ve come. And Symantec tech support is “less than stellar”. I’m having difficulty believing that the tech in India understands what I’m doing, but I digress.
Can anyone point to some more definitive “how to” information?
Any help would be greatly appreciated.
In the same context: does it matter if you’re using Acronis or Ghost for imaging?
No it shouldn’t matter whether you use Ghost, Acronis or even a P2V, V2V, etc.
What is the maximum number of clones we can create?
You will also see issues caused by duplicate SIDs if you are building a ForeFront TMG array with machines that have the same SID.
I will be cloning TMG servers on 2008R2, please elaborate.
Thank you, this manual is very helpful. Could you tell me if the following is possible?
In this scenario we need to make a clone of a running server (VMware) because the web server is serving websites, and the only reason to clone is to add an extra server to the hardware load balancer.
Is it, in such a scenario, possible/enough to do the sysprep after the clone was made? E.g. on the new server (booted without network connection).
I would guess it receives a new SID and renames the server. Add different IP-address and you’re good to go?
Hi Ray,
Really very nice information you have provided, which helped me a lot.
Thanks again.
Great article. I can confirm I had the same problem after cloning a Windows 2008 R2 virtual machine (using VMWare Workstation 7), promoting one of them as the DC, and joining the 2nd to the first one.
After that, Windows Authentication was not working in IIS (Event ID: 4625, Domain sid inconsistent).
I may need a bit of help. My system appears to have blown up after running OOBE. I thought I was following the steps outlined on the site.
1) Run Sysprep (on Windows Server 2008 this is located in c:\Windows\System32\Sysprep\Sysprep.exe)
2) Ensure ‘System Out-of-Box Experience (OOBE)’ is selected
3) Tick the ‘Generalize’ option (this resets the SID)
4) Select ‘Shutdown’ from the Shutdown Options.
5) Once the machine has shutdown, take your image and you are good to go!
I ran it and it appeared to be working until the reboot. It restarted and said “Setup is starting services”, then I get the Install Windows error “Windows could not complete the installation. To install Windows on this computer, restart the installation.” Hit OK, then the screen says:
“Setup will continue after restarting your computer.”
Then I get the same install windows error.
So what did I miss? I have no server anymore. How do I recover?
Please help. I really need this system to work. Or at least reboot into its normal server mode.
Thanks
Did you run Sysprep on a clean installation of Windows Server 2008 or a running production server?
This was run on what I would say is production. It has a somewhat special configuration on it. It is an MSPS 2010 Demo system that cannot be duplicated, and it was not backed up. And it cannot be replaced/rebuilt.
Tim
Hey Ray,
Will I get a solution to my issue above?
I really need this to get resolved.
My project server is hard dead down. I have tried every recovery method I have. I can’t even get it to come up with a rescue disk. It blue screens dead every time. I have several recovery boot disks/software. It would appear that it is completely toast. In the past I have been successful in getting all sorts of crashes to come up, and at least get to the drive.
Please help us. I cannot rebuild this system at all.
If you would like to talk about it for more details, I am fine with that. and will pay to get it back. within reason. This is devastating to my business. There has to be something that can be done.
Tim
Hi Tim,
The purpose of my website is to share experiences, technical concepts and ideas; not to provide technical support to individuals. I would personally never run Sysprep on a live server, always take an image first then work on a cloned copy. Where are your backups? I’ve not experienced your issue before so I have nothing to share on this. It sounds to me like you need to be speaking to Microsoft Support, after all it is their product and tools you are having problems with.
There are forums and communities out there that will offer technical support, but are under no obligation to. Try Experts Exchange.
Thanks Ray.
I had thought I was sharing my experiences using technical concepts on something that was made out to be simple. It failed and I was trying to get some advice from the experts. Also I have not run into such an issue before. I have not run into an issue where I could not at least get the system to run on a boot DR disk. It is like it has lost the hardware.
As I mentioned, it is a portable DEMO system, and no, there was not an image taken. I was trying to get an image from it to be used in a VM on a laptop, to be more portable for shows and concepts to customers. It had a special configuration for the purpose of showing the system in action. I did not build it, and have no contact with who built it. Yes, I had dropped the ball in not having a full backup. But as I can’t even get it to run at all, that makes it very hard to fix.
I had thought there was a “trick” or a bypass function key combination, like F8 for the Windows boot screen, to get into a recovery mode or get around it trying to run the image it created. I don’t know that I am explaining it right.
I may contact Microsoft on it. Maybe I discovered a bug that they may like to know about. Or the people in this forum might like to know or watch out for. I can still build out a system to show my customers, but not like the one I had. I have other stuff on the drive that I would like to have off it. I can survive without the data, but if I can’t get to it I can’t grab it.
Well thanks for your input.
Tim
Tim, have you seen this? http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/f7e1a2ce-f797-4e34-ae47-529926186275
The second answer down seems to have a fix, press Shift & F10 then you can get to a cmd prompt and resolve it. Might be worth a try.
Any update on this? If I can just get it back up maybe I can grab the image that it is referring to. But I really need to get it back.
I have not found any back out or recovery information.
How do you get around the boot like that?
Tim
I ran into this when duplicating a vmdk for a lab setup; I used the same win2k3 server image to promote as a DC and as another member server. Ran into an issue where I could not log onto the domain after joining, due to this SID issue.
Mark’s a smart guy, but I think his mistake was in asking a Microsoft rep about this in the first place
It does matter, and for the record, I used newsid to regenerate the ID on the machine yet, I’ve had more problems with Sysprep than I have had with newsid.
Hey everyone – I have a question. I manage a XenApp farm and have been using sysprep on my servers to deploy new ones every time I need to add a new application to my XenApp farm. However, with Windows 2008 R2 I have now run into a snag where you can only run sysprep with the Generalize option ticked three times, and then you have to build a whole new server. This STINKS for me. Anyone have a way around this or any ideas on what I can do to continue the way I have been doing things?
Lynn,
That is an interesting one, I have used sysprep three times, no issues, I guess I might see them on the fourth. Please could you update us on where you found this?
Thanks,
Gabi.
I never use a clone for a DC, always a CD install of the OS. Everything else I clone with VMware (with a different fresh install than the DC), no sysprep, and have never had issues. All servers have been Windows 2008 and up. 300+ servers and 60% or so are clones, the rest were P2V. 5 different domains, all DCs were created from CD install and no member servers were cloned from a DC install.
Duplicate NIC MAC addresses are also a source of issues in case you copy a VM and run it without choosing “I copied the VM”. If you have the same NIC MAC for two machines, the second machine will not communicate properly. Just a thought.
As Marcin above has written, direct cloning of a virtual server will pose problems with Exchange Server. I’ve run into this issue myself: EMC will not work, giving an error “Unexpected error [0xXXXXXXX] executing command ‘Get-LinkedRoleGroupForLogonUser’”. More about it here:
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/925bbac0-8eaf-4097-ab12-40a143397b76/
I also tested Tim’s scenario and indeed got the same result with my test admin user copied in ADUC from the built-in admin.
However, I’ve checked the SIDs of my DC and the ExSRV using PsGetSid and they’re not the same…
Using “wmic useraccount get name,sid” I also checked what SIDs I get on both servers for the Administrator account and they “match”, so I presume the access permissions for the Administrator account, which shows the same SID on both servers, should be the same, should they not? I’ve been using the built-in admin on the DC via domain login.
I know that getting a new image using sysprep will sort this out, but it keeps bugging me, as both servers have two different SIDs…