Cloning Windows Server 2008 R2: Use Sysprep (no more NewSID)

Posted on 30.Jul 2010 by in Citrix, Microsoft, Virtualisation, VMware, Windows Server 2008 R2

It is not uncommon for system administrators to clone virtual servers or take an image of physical servers running Windows Server 2008 these days, and there are plenty of tools to do it (Ghost, Acronis, Platespin for P2V conversions, etc.). If this is something you do regularly then you won’t be unfamiliar with Sysprep or NewSID, but according to Mark Russinovich at Microsoft the SID doesn’t matter, and Sysinternals have now retired NewSID (written by Mark). NewSID isn’t supported on Windows Server 2008, so the only option now is to use Sysprep. Whilst the facts presented on Mark’s blog are correct, I have personally seen many issues when cloning or imaging Windows Server 2008 machines that haven’t been Sysprepped first. Let me present a typical scenario that would cause problems here.

Scenario:

1) Build a Windows Server 2008 R2 server, apply patches and various tweaks.
2) Shutdown the server and take an image (or clone it to a virtual machine template). Note: I haven’t used Sysprep!
3) Deploy two new servers from the image or template. Promote one to a domain controller and add the other one to the domain as a member server.

In this scenario the first problem I would encounter is that any domain users who are members of Domain Admins will not have the appropriate permissions to access PowerShell or Computer Management on the member server. The default Administrator account would work fine. Secondly, if I try to ping the domain controller I would get the following error:

C:\Users\User1>ping LAB-DC01
Unable to contact IP driver. General failure.

So the SID really does matter. Prior to taking your clone or image, just remember to use Sysprep as follows:

1) Run Sysprep (on Windows Server 2008 this is located in c:\Windows\System32\Sysprep\Sysprep.exe)
2) Ensure ‘System Out-of-Box Experience (OOBE)’ is selected
3) Tick the ‘Generalize’ option (this resets the SID)
4) Select ‘Shutdown’ from the Shutdown Options.
5) Once the machine has shutdown, take your image and you are good to go!
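As an added example (not part of the original post), the PowerShell below checks whether a set of deployed servers share a machine SID, which is the symptom the steps above are meant to prevent, and wraps the same three Sysprep options (OOBE, Generalize, Shutdown) as a command-line call for the image source. It assumes PowerShell 2.0 on Windows Server 2008 R2, WMI access to the listed hosts, and the host names are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 on
# Windows Server 2008 R2 and WMI access to the hosts being checked.

function Get-MachineSid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The machine SID is the local Administrator SID with its RID (500) removed:
    # S-1-5-21-<a>-<b>-<c>-500  ->  S-1-5-21-<a>-<b>-<c>
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $admin) { throw "Could not read the local Administrator SID on $ComputerName" }
    return ($admin.SID -replace '-500$', '')
}

function Test-DuplicateMachineSid {
    # Returns $true when every host has a distinct machine SID, $false otherwise,
    # and warns about each group of hosts that were cloned without Generalize.
    param([string[]]$ComputerName)
    $sids = @{}
    foreach ($c in $ComputerName) { $sids[$c] = Get-MachineSid -ComputerName $c }
    $dupes = @($sids.Values | Group-Object | Where-Object { $_.Count -gt 1 })
    foreach ($d in $dupes) {
        $hosts = ($sids.GetEnumerator() |
            Where-Object { $_.Value -eq $d.Name } |
            ForEach-Object { $_.Key }) -join ', '
        Write-Warning "Duplicate machine SID $($d.Name) on: $hosts (image was not generalised)"
    }
    return ($dupes.Count -eq 0)
}

function Invoke-SysprepGeneralize {
    # Same options as the GUI steps above: OOBE, Generalize, Shutdown.
    # Run this on the image source only, immediately before taking the image.
    & "$env:SystemRoot\System32\Sysprep\Sysprep.exe" /oobe /generalize /shutdown
}

# Constructed placeholder host names for the scenario in the post.
Test-DuplicateMachineSid -ComputerName 'LAB-DC01', 'LAB-MEM01'
```

Run the check against the deployed servers (the domain controller and the member server in the scenario); a shared machine SID there is the condition that produces the permission and ping failures described above.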

Thanks for reading! Please comment or Tweet this page (see below)


18 Responses

  1. Lery says:

    This is only applicable because you’re making your domain controller and the cloned server have the same SID. If you have two servers with the same SID it does not matter as long as it is not the same as your domain controller’s SID.

    • MCW says:

      Not really true. If any of those duplicate SIDs are attempting to JOIN the same domain, there are issues. I’m seeing this now. Granted my DC is Win2k3 (legacy reasons) and I’m using a few 2K8R2 servers.

  2. Perry Jones says:

    So, does the above process work if the master has been joined to a domain before cloning?

    Also, do you need to do sysprep after cloning on the master in case you want to have the master on again for application updates or something?

  3. Rick Rovers says:

    Hi Ray, others,
    Eye-opener! Had this issue once with 2003R2 and then tackled it by using NewSID.
    What I did recently was creating one machine in ESX by mounting an .iso with 2008R2 sources.
    I cloned it a few times to quickly set up an environment for some proof of concept. Read about the SID story (NewSID not needed anymore, f.e. Mark Russinovich). As soon as I joined a server to the domain, I couldn’t do any management tasks on this machine (local machine, like .msc functions, activate Windows etc.) with a user account just created and member of domain-admins, machine operators… nothing helped out. Disabled UAC, firewall, all the same. Logging in with the built-in administrator account (AD) did work out (but not preferable).
    Fortunately, googling, the above article reminded me of my earlier experience so I took it for granted without a doubt.
    Removed the machine from the domain, sysprepped with “generalize” checked and selected “shutdown”. Cloned it a few times (quite some settings were made and configured like disks, location of pagefile etc.) then tried again; joined the domain and everything fine! All machines.

    Great!
    Since sysprep became so simple in 2008R2, I can advise everyone to create virtual machines this way, just to exclude dependencies.

    Thanks, cheers.
    Rick.

  4. Michael Hotek says:

    I had none of these issues. I created a base image. Then shut it down and made 5 clones. One of the clones was turned into a DC. The other 4 were joined to that domain. All are Windows 2008 R2 machines. No errors. No messages. Everything pings, connects, accounts work, everything.

  5. Chris says:

    I’m about to try this with 2008 SP2 (not R2). Is it really this easy? And can then I make multiple clones from the same source after running sysprep once on it? Or does sysprep need to re-run before each successive clone?

    Thanks!

  6. moraj says:

    This video puts an end to the SID argument. It was presented at the Europe 2010 Tech-Ed. The Microsoft speaker stated that dcpromo uses the machine SID to create the domain SID. So the Domain SID’s string has the Machine SID in it. According to the video it does matter. Basically you will end up with what the speaker refers to as “SID Filtering”, which is where the system granting permission throws out the requesting user’s SIDs because it thinks the user is trying to elevate its permissions. It’s a good video, check it out.

    http://www.msteched.com/2010/Europe/SIA320

  7. Robert says:

    Hi Ray,

    Thanks for the info.
    Running sysprep does make a difference.

    My situation: (short story)

    I wanted to do some testing with SCCM 2012 in preparation of the final release later this year (I currently run SCCM 2007). I created a virtual network using Hyper-V. Created the following virtual machines for my network: Server 2008 R2, Windows 7, and Windows XP. I then cloned the Server 2008 image and made it my ADDC. I joined the original Server 2008 to my domain as a member server, this would become my SCCM 2012 server. Certain Domain accounts needed to be added to the local Administrators Group on my SCCM 2012 server so access down the road would not present an issue. When I attempted to add these Domain accounts, a message would popup indicating that these accounts had already been added, yet they did not appear in the list. After searching Google for a resolution, I came upon your post. I removed my SCCM 2012 server from the domain and ran SYSPREP as you had indicated. I needed to reset the name and IP address back to what I had originally set them, and then I added it back to my domain. After I did this, I was able to add the required Domain accounts to the local Administrators Group, and the testing continues.

    Thanks Again… :)

  8. Jeffrey says:

    Ray,
    I can’t even get the image to boot. I used a Bart’s PE network boot disk to network boot my winserv2k8r2 machine. This machine has not yet been joined to a domain, and I need to create three of them. Using Ghost solution suite 2.5.1, I used Ghost.exe to create the image of my base server. But when I restored the image to a different machine, it won’t even boot.
    That may be basic, but it’s specifically Winserv2k8 related. I can ghost and recover XP machines just fine.
    BTW, I didn’t Sysprep my base server, but (prior to Windows 7 at least) that has never mattered; I can, and normally do, run Sysprep prior to deploying. This has been a matter of choice more than anything else.
    The real problem is that I can’t find any specific information anywhere; this blog is the closest I’ve come. And Symantec tech support is “less than stellar”. I’m having difficulty believing that the tech in India understands what I’m doing, but I digress.
    Can anyone point to some more definitive “how to” information?
    Any help would be greatly appreciated.

  9. herm says:

    In the same context: does it matter if you’re using Acronis or Ghost for imaging?

  10. hari says:

    What is the maximum number of clones we can create?

  11. Bubbahotep says:

    You will also see issues caused by duplicate SIDs if you are building a ForeFront TMG array with machines that have the same SID.

  12. Vince says:

    Thank you, this manual is very helpful. Could you tell me if the following is possible?

    In this scenario we need to make a clone of a running server (VMware) because the webserver is serving websites, and the only reason to clone is to add an extra server to the hardware load balancer.

    Is it in such a scenario possible/enough to do the sysprep after the clone was made? E.g. on the new server (booted without network connection).

    I would guess it receives a new SID and renames the server. Add different IP-address and you’re good to go?

  13. Iliyaz says:

    Hi Ray,
    Really very nice information you have provided, which helped me a lot.

    Thanks again.

  14. Matthieu says:

    Great article. I can confirm I had the same problem after cloning a Windows 2008 R2 virtual machine (using VMware Workstation 7), promoting one of them as the DC, and joining the 2nd to the first one.
    After that, Windows Authentication was not working in IIS (Event ID: 4625, Domain sid inconsistent).