The fastest way to build a larger virtual environment (either test or production) is to install one VM and then clone it. This process is not the same for every environment; it also depends on the mechanism of the VM cloning process.
Additionally, every computer in the AD domain has its own identification. This identification is not its name; the computer name is useful for us. The identifier itself must be unique.
On the machine level, every computer is identified by a unique value named the Security ID, or SID. The SID is calculated during the installation of every Windows machine. When the computer is part of a workgroup (or is just a stand-alone computer), the value of the SID is not crucial.
We’ve just discovered a potential problem. Whenever we need to build the AD domain, we need to have machines with different SIDs. Even more, when we build our virtual lab in Oracle VirtualBox (VBox), the clones will always keep the old SID from the original machine.
I discovered this problem while preparing an article about remote administration and NIC teaming. Even better, I found the solution for this situation. So hold your breath and keep reading.
Joining VM to the domain
I needed at least two servers for my scenario. That’s not a problem with VBox VMs. I have installed one VM under Windows Server 2012 R2. I just need to make two linked clones and to save the precious disk space. My SSD drive is limited in size.
I made two VMs. The first became the AD domain controller server. When I tried to add the second machine into the domain, I faced an error. The SID of the domain (i.e. the domain controller) is the same as the SID of this VM.
If you check this message, you will see that you have the solution right in front of you. We need to run the tool named SysPrep. The SysPrep (or System Preparation) tool should sound familiar to every seasoned Windows admin.
Yes, with the SysPrep tool we can delete the SID and all other settings, leaving the machine in an uninitialized state. The machine will be initialized on its first run. This mechanism allows admins to clone both physical and virtual machines easily.
Don’t forget to check the bottom-right corner of this screenshot (above). Our VM has 175 days left until expiry of the evaluation license.
The SysPrep tool
The SysPrep tool is located on the path %systemroot%\System32\SysPrep. In most cases, this is equivalent to the path C:\Windows\System32\sysprep. You have this tool in the Windows 7 and later workstations, GUI versions of Windows Server, and also on the Core version.
Locate the SysPrep tool and run it as administrator. After a while, the application window will appear on the screen. In the Core version just type the command. The rest is the same.
Leave the System Cleanup Action drop-down menu on the option Enter System Out-of-Box Experience (OOBE). We want to clean all personalized settings of the machine.
However, we want to return this machine to an uninitialized state, as we just installed it. Therefore, tick the checkbox named Generalize.
The third option depends on your preferences. If you only need to clear the state on this machine, you will probably need to reboot it and continue to work. However, when you want to reset your master machine, you will need to shut it down after this process has finished.
In this scenario, I only needed to reinitialize this VM and I clicked on the button [ OK ]. The SysPrep tool will start. The rest of the process is automated and you can’t cancel it.
The first phase is the cleanup phase, where settings will be cleared. The second phase will perform generalization (re-initialization) of the machine.
After a while, our machine will reboot.
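The same choices (OOBE, Generalize, then reboot or shut down) can be made from the command line, for instance on the Core version. The script below is an added example, not part of the original post: it reads the machine SID, compares it with the SID recorded on the template, and only runs SysPrep when they match and the operator asks for it. The `Get-MachineSid` helper, the parameter names and the `$TemplateSid` value are assumptions made for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt on the cloned VM.
param(
    # Machine SID noted on the master VM (constructed placeholder value).
    [string]$TemplateSid = 'S-1-5-21-1111111111-2222222222-3333333333',
    # 'reboot' to keep working on this clone, 'shutdown' when resetting a master image.
    [ValidateSet('reboot', 'shutdown')]
    [string]$After = 'reboot',
    # Nothing is changed unless this switch is given.
    [switch]$Generalize
)

function Get-MachineSid {
    # Hypothetical helper: the built-in Administrator account has RID 500, so its
    # SID minus the trailing "-500" is the machine SID created at installation.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '^S-1-5-21-(\d+-){3}500$' } |
        Select-Object -First 1
    if (-not $admin) { throw 'No local account with RID 500 found.' }
    return $admin.SID -replace '-500$', ''
}

$machineSid = Get-MachineSid
Write-Output "Machine SID : $machineSid"
Write-Output "Template SID: $TemplateSid"

if ($machineSid -ne $TemplateSid) {
    Write-Output 'This machine does not share the template SID; nothing to do.'
    return
}

Write-Warning 'This clone still carries the template SID.'
if (-not $Generalize) {
    Write-Output 'Re-run with -Generalize to start SysPrep (machine settings are wiped).'
    return
}

$sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
# /oobe       = "Enter System Out-of-Box Experience (OOBE)"
# /generalize = the Generalize checkbox
# /reboot or /shutdown = the third option in the SysPrep window
Start-Process -FilePath $sysprep -ArgumentList '/generalize', '/oobe', "/$After" -Wait
```

Run it once without `-Generalize` to see the comparison; SysPrep cannot be cancelled once it has started.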
Re-birth of our server
My VM for the second server rebooted and started up. The first screen is usual for the Windows Server 2012 R2 boot sequence; then came the pleasant surprise.
Windows Server discovered that its device database is empty, so it started to search; the system now needs to detect all existing hardware.
One significant advantage here is that we may have a larger pool of device drivers, especially those for VBox integration. SysPrep will delete personalization and settings, but not the files on the disk.
When the server has finished initialization (during which you need to specify the admin’s password again), we can proceed to join the domain.
Server is in the domain
Before we continue, please, once more check the bottom-right corner. We have 180 days left. This proves that our server is completely reinitialized, as if it’s just been installed. That also means that any previously installed application needs to be reinstalled.
I again changed the server name to SERVER02 and joined it to the domain. Then I proceeded to the test scenario.
As you can see, this small yet powerful tool can be very useful. You should perform generalization of the VM template after the installation. Then, every new VM based on that template will be different from any others. Although you need a few minutes more to set up every new VM, that short time will be of great benefit later.
10 thoughts on “Changing SID of cloned VMs”
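[…] NOTE: Our environment has many machines, so I created new Servers and Clients by copying the VMware host folder; installing them one by one would take too long. Be aware, however, that at the Promote step of a Domain Controller, if the two Domain Controllers are copies, they will have the same SID and the second Domain Controller will fail to promote. The solution is to use the Sysprep tool to perform something like a factory reset, which refreshes the host's SID. I have not tested this; I am leaving the link here so that anyone who runs into this problem can try it. […]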
[…] https://mivilisnet.wordpress.com/2017/06/29/changing-sid-of-cloned-vms/ […]
You can also use Stratesave SID change. I have used it for years on my Hyper-V systems.
On Hyper-V you can change SID when you import any VM.
It’s good to know about this tool. However, this tool is not free. I found on their site: SIDCHG is free to try for evaluation for 30 days maximum, but not free to use.
A much easier and faster way is to export the source machine and DO NOT copy it. Just import it using Hyper-V into a new location and the Hyper-V manager will assign a new SID (it will ask if you want to assign a new SID) without changing the basic configuration back to start.
Yes, that’s the recommended way on the Hyper-V platform. However, not every platform supports this option.
Even better, there is an interesting blog post by Mark Russinovich about SIDs – https://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx
Is that also true of domain controllers that are running in a VM? Can those be exported and imported with a SID change or will the trust relationships with all the PCs be destroyed?
Yes, when you start the sysprep process, it will delete everything.
Now, if you work with Hyper-V, it should import every new instance of the same VM with an alternate SID.
In case you cannot do that, you can always create multiple clones from the same template, then you can perform SysPrep on each one and you will have a unique SID for each VM. Yes, that’s a bit more work but you can be sure that everything is fine.
Hope that this will help.