Tip

The "evils" of cloning

In an effort to expedite and streamline the network set-up process, sometimes cloning is used. William Zack writes in his book Windows 2000 and Mainframe Integration that cloning can cause damage to systems, and, if you have inadvertently inflicted this damage on your system, there are ways to fix it.

From Windows 2000 and Mainframe Integration by William Zack, MTP, 1999.

The Security Identifier (SID) is the fundamental identifier in Windows 2000. Windows 2000 will normally create a brand-new, unique Security ID for every domain, user, group, workstation, and server when it is created. All user accounts created on a computer that has a security database (such as workstations, member servers, and domain controllers) have that computer's Security ID as their parent "authority" and increment a subauthority value starting at 100.

There is one dangerous exception to this rule. To roll out large numbers of Windows 2000 systems rapidly, many companies have resorted to a process known as cloning. During cloning, a disk-image copy of a system is made and then copied to load many new systems. (Several utilities on the market do this. The most popular of these are Ghost from Ghosts Software and Image Drive from Powerquest.) The problem with this technique is that every system created in this fashion has the same Security ID. Because new account Security IDs all increment from 100, this will almost surely create duplicate account Security IDs on multiple systems. This will create havoc with security that is based on the Security ID uniquely identifying a user account. This was a minor problem with Windows NT, but it is guaranteed to be a problem with Windows 2000.

If you have used this method to clone systems, you should use one of the available Security ID change programs, such as the free NewSID utility from Mark Russinovich and Bryce Cogswell. You can download this utility from their Web site at System Internals. (Free, of course, is a relative term. You will still have to visit all the affected systems to change their Security IDs. I would not want to have to do this to large numbers of workstations, for instance.) The cloning packages mentioned here have also recently added Security ID changer features to their products. Unfortunately, countless systems have already been created with duplicate SIDs.
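To decide which systems need a Security ID change, the hosts that share a machine SID have to be identified first. The following is an added example, not code from the book or from any of the tools named above: it assumes the local SIDs of each host have already been collected, and the host names, account names, SID values and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (all values made up): host -> {local name: SID}.
INVENTORY = {
    "WS-01": {"alice": "S-1-5-21-1111111111-2222222222-3333333333-1001",
              "Administrators": "S-1-5-32-544"},
    "WS-02": {"bob": "S-1-5-21-1111111111-2222222222-3333333333-1001",
              "Administrators": "S-1-5-32-544"},
    "WS-03": {"carol": "S-1-5-21-4444444444-5555555555-6666666666-1001",
              "Administrators": "S-1-5-32-544"},
}

def split_sid(sid):
    """Split a local account SID into (machine SID, account-specific last value)."""
    parts = sid.strip().upper().split("-")
    # Machine-issued account SIDs have the form S-1-5-21-a-b-c-n. Well-known
    # SIDs such as S-1-5-32-544 are identical on every host by design.
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError(f"not a machine-issued account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

def machine_issued(inventory):
    """Yield (host, name, normalized SID, machine SID), skipping other SIDs."""
    for host in sorted(inventory):
        for name, sid in sorted(inventory[host].items()):
            try:
                machine, _ = split_sid(sid)
            except ValueError:
                continue
            yield host, name, sid.strip().upper(), machine

def find_clones(inventory):
    """Return {machine SID: [hosts]} for machine SIDs present on more than one host."""
    hosts = defaultdict(set)
    for host, _, _, machine in machine_issued(inventory):
        hosts[machine].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def colliding_accounts(inventory):
    """Return {account SID: [(host, name)]} for SIDs issued on more than one host."""
    owners = defaultdict(list)
    for host, name, sid, _ in machine_issued(inventory):
        owners[sid].append((host, name))
    return {s: o for s, o in owners.items() if len({h for h, _ in o}) > 1}

if __name__ == "__main__":
    print(find_clones(INVENTORY))
    print(colliding_accounts(INVENTORY))
```

In the constructed data, WS-01 and WS-02 are reported as clones and the accounts alice and bob resolve to the same SID, while the well-known Administrators SID is ignored because it is expected to match on every host.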

For more information on Windows 2000 and Mainframe Integration, go to the book page at New Riders Publishing or InformIT.com.


This was first published in May 2000
