SID error on cloned Virtual Server / VPC / VMware OSes

by Bharat Suneja

If you simply copy an existing Windows OS image to create multiple virtual servers/workstations, and try to log on to a domain controller, you may get the following error:

The system or security ID (SID) of the domain specified is inconsistent with the trust information for that domain.

This happens because the SID of the computer was not changed when you made a copy of the virtual hard disk containing the OS. It’s a best practice to run Sysprep on base drive images and on cloned images. Cloning was previously restricted to disk imaging utilities such as Symantec Ghost, but virtualization and virtual machines have made it effortless. In fact, Microsoft support policy requires that cloned images be Sysprepped. See KB 3182828: The Microsoft policy for disk duplication of Windows installations, which states:

When you deploy a duplicated or imaged Windows installation, it is required that the System Preparation (Sysprep) tool is used before the capture of the image.

Nevertheless, if you haven’t done that, log in to the computer locally and use the PsGetSID and NewSID utilities from the Sysinternals web site.

Note: Using NewSID to create a new SID is not supported by Microsoft, as noted in KB 314828. You can use the following procedure in test environments to avoid recreating VMs.

  1. Get the SID of local computer and copy it to Notepad:

    PsGetSID

  2. Get the SID of the domain controller and compare the two SIDs:

    PsGetSID \\DomainController -u username -p password

    If they’re the same, now you know the reason why!

  3. Proceed with the NewSID utility to generate a random SID for the computer. This takes a little while as NewSID replaces the old SID with the new one in the registry, amongst other things. Once done, the computer will reboot automatically (there’s a checkmark to reboot… leave it unchecked if you don’t want to reboot.)

You can now log in to the domain without getting the SID error.

Sysinternals has retired the NewSID utility. See Cloned machines and duplicate SIDs for an update on the NewSID utility and new information regarding duplicate SIDs.
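The comparison in steps 1 and 2 can also be scripted, and extended to several clones at once. The PowerShell below is an added example, not part of the original post or of the Sysinternals tools; the function and parameter names are hypothetical, and `-DcSid` is assumed to be the SID that `PsGetSID \\DomainController` printed in step 2.

```powershell
# Added example (not from the original post). Function and parameter names are
# hypothetical. -DcSid is the SID printed by `PsGetSID \\DomainController`.
# Intended for workstations and member servers, not domain controllers.
# Usage: .\script.ps1 -DcSid <SID from step 2> -ComputerName CLONE1,CLONE2
param(
    [Parameter(Mandatory = $true)]
    [string]$DcSid,
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-MachineSid {
    param([string]$Computer)
    # A local account SID is the machine SID plus a trailing RID, so dropping
    # the last component of any local account SID recovers the machine SID.
    $query = @{ ClassName = 'Win32_UserAccount'; Filter = 'LocalAccount=True' }
    if ($Computer -ne $env:COMPUTERNAME) { $query.ComputerName = $Computer }
    $account = Get-CimInstance @query -ErrorAction Stop | Select-Object -First 1
    if (-not $account) { throw "No local account found on $Computer" }
    return ($account.SID -replace '-\d+$', '')
}

# Accept only a machine/domain SID: S-1-5-21 followed by three sub-authorities.
$DcSid = $DcSid.Trim()
if ($DcSid -notmatch '^S-1-5-21(-\d+){3}$') {
    throw "Expected a SID of the form S-1-5-21-x-y-z, got '$DcSid'"
}

$results = foreach ($name in $ComputerName) {
    try   { $sid = Get-MachineSid -Computer $name }
    catch { Write-Warning "${name}: $($_.Exception.Message)"; continue }
    [pscustomobject]@{
        Computer     = $name
        MachineSid   = $sid
        SameAsDomain = ($sid -eq $DcSid)   # True reproduces the condition in step 2
    }
}
$results | Format-Table -AutoSize

# Clones of one image also share a SID with each other; list those groups.
$results | Group-Object MachineSid | Where-Object Count -gt 1 |
    ForEach-Object { "Duplicate SID $($_.Name): $($_.Group.Computer -join ', ')" }
```

Querying remote computers this way requires WinRM to be reachable on them; with no `-ComputerName` argument the script checks only the local machine.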


Alpesh Shah May 6, 2009 at 5:15 am

Thanks !

Really useful Link….


Bharat Suneja January 4, 2010 at 9:04 am

@kam: Microsoft acquired Winternals in 2006. You can find the tools at Windows Sysinternals on microsoft.com.
