How to change SID of deployed server?

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about How to change SID of deployed server? was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, active-directory, windows-server-2012-r2, vmware-esxi, .

I needed to setup 2 vms and naively simply setup one from scratch, made sure it worked correctly, then copied it to another host. Now getting message “the trust relationship between this workstation and the primary domain failed” which apparently is due to the SID being the same on both machines. I’ve looked around and see a lot of conflicting info about sysprep and how to resolve at this point.

Can I just update SID the machine having domain issues and then all will be well? If so, how can I accomplish that? Thank you

The only Microsoft supported method to change the SID of the computer is to run sysprep with the /generalize option

edit: So.. clarifying. This goes back to the idea that the computer SID really doesn’t matter (except for domain controllers) because it’s really the computer account SID in the domain that matters and not the computer/machine SID itself. Removing/deleting/Rejoining the computer will create a unique computer account SID in the domain and would really resolve his issue. But it would not, in the technical sense, create a new SID for the computer itself.

Mark Russinovich discussed the unique machine SID “myth” and there is a follow up article by a different author that goes into additional detail. Finally, there is this MSDN post that, I find, illustrates the machine vs domain computer account SID pretty clearly.

Personally, I’ve run into the duplicate SID issue where a cloned system was used to create the Domain Controller for a new domain at the start of a domain migration project and the servers in the source domain were not able to authenticate users on the new target domain or join the target domain due to the SID duplication. So, 99% of the time, it doesn’t matter.. but when it does matter, it sucks. As a result, I still recommend users generate new machine SID’s when they are able to.

“Can I just update SID the machine having domain issues and then all will be well? If so, how can I accomplish that?”

Yes, you can. In Active Directory you will need to delete the computer object of your problem server and then rejoin it to the Domain. This will get you a new SID for the server. However, doing this creates a new Computer Object for your server so all of its group memberships, permissions, etc. will need to be recreated because it has a new SID. Active Directory doesn’t see it as the same server.

I followed my own instructions and found that my server was issued a new SID. My forest is Windows Server 2012 level.

Before I deleted my server from AD and removed it from the domain
enter image description here

The SID after rejoining the domain.
enter image description here

I had to restart two times after joining back to the domain.
So, to me, the computer receives a new SID from Active Directory after

  • deleting the computer object in AD
  • Removing from Domain
  • Joining the Domain again

If the instance is not busy, or its a new installation, run C:Windowssystem32>Sysprepsysprep.exe and check generalize

Check out the spiritual successor to NewSID, SIDCHG:

Command-line utility to modify local computer SID and computer name,
for Windows 2016/10/8.1/2012 R2/8/2012/7/2008 R2/2008/Vista/2003/XP.
It replaces current computer SID with new random SID. In addition, it
changes the WSUS ID for Windows Updates, the MachineGuid, the Device
Identifier for modern Windows apps, the MSDTC CID, the Dhcpv6 DUID,
and the encryption state to preserve encrypted files, Windows Action
Center settings, Certificates and other encrypted stored information.

Leave a Reply

Your email address will not be published. Required fields are marked *