
The "evils" of cloning

Administrator Tip: The "evils" of cloning

In an effort to expedite and streamline the network set-up process, sometimes cloning is used. William Zack writes in his book Windows 2000 and Mainframe Integration that cloning can cause damage to systems, and, if you have inadvertently inflicted this damage on your system, there are ways to fix it.

From Windows 2000 and Mainframe Integration by William Zack, MTP, 1999.

The Security Identifier (SID) is the fundamental identifier in Windows 2000. Windows 2000 will normally create a brand-new, unique Security ID for every domain, user, group, workstation, and server when it is created. All user accounts created on a computer that has a security database (such as workstations, member servers, and domain controllers) have this Security ID as their parent "authority" and increment a subauthority value starting at 100.

There is one dangerous exception to this rule. To roll out large numbers of Windows 2000 systems rapidly, many companies have resorted to a process known as cloning. During cloning, a disk-image copy of a system is made and then copied to load many new systems. (Several utilities on the market do this. The most popular of these are Ghost from Ghosts Software and Image Drive from Powerquest.) The problem with this technique is that every system created in this fashion has the same Security ID. Because new account Security IDs all increment from 100, this will almost surely create duplicate account Security IDs on multiple systems. This will create havoc with security that is based on the Security ID uniquely identifying a user account. This was a minor problem with Windows NT, but it is guaranteed to be a problem with Windows 2000.

If you have used this method to clone systems, you should use one of the available Security ID change programs, such as the free NewSID utility from Mark Russinovich and Bryce Cogswell. You can download this utility from their Web site at System Internals. (Free, of course, is a relative term. You will still have to visit all the affected systems to change their Security IDs. I would not want to have to do this to large numbers of workstations, for instance.) The cloning packages mentioned here have also recently added Security ID changer features to their products. Unfortunately, countless systems have already been created with duplicate SIDs.
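To find which systems need a Security ID change, an inventory of local account SIDs can be grouped by their parent machine SID. The following is an added example, not code from the book or the original tip; it assumes the SIDs have already been collected per host, and the host names, SID values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# A local account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>: the leading part
# is the machine's own SID (the parent authority) and the last value is the
# per-account subauthority. Built-in SIDs such as S-1-5-32-544 do not match.
LOCAL_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample inventory (hypothetical hosts and SID values).
# WS-001 and WS-002 were loaded from the same disk image; WS-003 was not.
INVENTORY = {
    "WS-001": ["S-1-5-21-1111111111-2222222222-3333333333-500",
               "S-1-5-21-1111111111-2222222222-3333333333-1001"],
    "WS-002": ["S-1-5-21-1111111111-2222222222-3333333333-500",
               "S-1-5-21-1111111111-2222222222-3333333333-1001",
               "S-1-5-21-1111111111-2222222222-3333333333-1002"],
    "WS-003": ["S-1-5-21-4444444444-5555555555-6666666666-500",
               "S-1-5-21-4444444444-5555555555-6666666666-1001",
               "S-1-5-32-544"],
}

def split_sid(sid):
    """Return (machine_sid, rid) for a local account SID, or None otherwise."""
    m = LOCAL_SID.match(sid.strip().upper())
    return (m.group(1), int(m.group(2))) if m else None

def find_clones(inventory):
    """Return {machine_sid: [hosts]} for machine SIDs seen on several hosts."""
    hosts = defaultdict(set)
    for host, sids in inventory.items():
        for sid in sids:
            parts = split_sid(sid)
            if parts:
                hosts[parts[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def colliding_account_sids(inventory):
    """Return {account_sid: [hosts]} for account SIDs present on several hosts."""
    hosts = defaultdict(set)
    for host, sids in inventory.items():
        for sid in sids:
            if split_sid(sid):
                hosts[sid.strip().upper()].add(host)
    return {s: sorted(h) for s, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    for machine, names in find_clones(INVENTORY).items():
        print(f"machine SID {machine} shared by {', '.join(names)}")
    for sid, names in colliding_account_sids(INVENTORY).items():
        print(f"  account SID {sid} exists on {', '.join(names)}")
```

Every host listed under a shared machine SID is a candidate for the SID change described above; the colliding account SIDs show which accounts are currently indistinguishable across those hosts.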

For more information on Windows 2000 and Mainframe Integration go to the book page at  New Riders Publishing or
