SIDTEXT.TXT, from PCMania CD75_1.iso (powerq/DRVIMAGE/SID); text file dated 1998-09-30, 13KB, 345 lines
Imaging Windows NT Workstations: Issues and Solutions
Overview
Issues and Solutions
Conclusion
Appendix
Overview
As the computer industry changes and develops, software companies are
creating software applications and operating systems that require
more time and effort to install. Microsoft® Windows NT® is one such
operating system. A full Windows NT installation, including
installation of common software applications, can take over an hour
to complete and require a technician's input throughout the process.
As companies migrate to Windows NT, they are finding the process to
be very time consuming and costly. For this reason, imaging
software has come to play an important role when upgrading or
configuring new workstations with Windows NT.
PowerQuest® makes the Windows NT workstation installation quick and
simple with its new imaging product, Drive Image™ Professional.
Duplicating Windows NT installations through imaging decreases the
installation time dramatically. Additionally, once an image is
created, duplicating it across multiple workstations is a
hands-free process. These advantages result in time and cost
savings from the otherwise lengthy Windows NT installation process.
However, duplicating NT workstations raises issues that must be
fully understood. This white paper will discuss the three main
issues: Duplicate Computer Names, Duplicate Security Identifiers,
and Broken Implicit Trusts.
Issues and Solutions
When an image is created, the computer name, security identifier
and machine account information are included within the image
file. All workstations installed from that image will then have
the same computer name and security identifier. Additionally,
having duplicate machine account information may break the trust
relationship between the workstation and the domain.
Duplicate Computer Names
Restoring an image of a Windows NT workstation results in
two or more workstations having the same computer name.
If these computers are connected to the same network, a
NetBIOS name conflict occurs and the later workstation to
boot cannot register its name on the network.
Solution #1:
PowerQuest Drive Image Professional will
substitute a new computer name when the image is
restored. The user selects the computer name
replacement option and specifies a new name and
the partition containing the NT Registry.
This keeps the restore hands-free and avoids ever booting
the workstation onto the network with a duplicate name.
Solution #2:
After the image has been restored with Drive Image
Professional, boot the computer and change the
computer name from the Network Control Panel.
Duplicate Security Identifiers
What is a Security Identifier or "SID"?
The Security Identifier (SID) is a component of the
Windows NT security architecture that uniquely
identifies a computer, user, or group to the network.
During the Windows NT installation process
(at the point where a computer name is entered),
the computer is assigned a SID that persists for the
life of the installation. Only when Windows NT is
reinstalled does the computer SID change. The
following is an example of a computer SID:
S-1-5-21-1475229580-284950961-507081533
A user or group SID consists of the computer SID plus
one additional value, the relative ID (RID), appended
at the end, which uniquely identifies the user or
group on that computer. The following is an example
of a user SID, including its RID:
S-1-5-21-1475229580-284950961-507081533-1000
On a local computer as well as in a workgroup, NT
stores users and groups on a per computer basis. As
a result, the SID associated with a particular user
will consist of 1) the computer SID of that computer,
and 2) a RID that is unique among users and groups of
that computer.
In a domain network, users and groups reside on the
Primary Domain Controller (PDC). The computer SID of
the PDC becomes the root SID for all users and groups
that exist in the domain. Users and groups then have
RIDs that are unique within the domain. The computer
SID of the PDC is commonly referred to as the domain
SID.
It is important to note that the domain SID
(computer SID of the PDC) is the only significant SID
in the domain network environment. The computer SID
associated with any other computer in the domain is
NOT used for domain authentication or authorization.
The one place a member workstation's own SID still
matters is its local accounts: their SIDs are built
from the workstation's computer SID, so permissions
granted to local accounts are subject to the same
problem described below for workgroups.
SID issues and imaging
Restoring an image of a Windows NT workstation may
result in two workstations having the same computer
SID.
The uniqueness of the computer SID is important to
network security in a Microsoft workgroup environment.
It will also be important in the Active Directory
network model of Windows NT 5. However, Microsoft
domain-based networks do not rely on the computer SID
and it is not required that it be unique in this
environment.
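As an added example (not part of the original white paper and not PowerQuest's or Microsoft's code), the following Python script parses textual SIDs, converts them to and from the binary form Windows stores in security descriptors, splits an account SID into its machine (or domain) SID and RID, and reports machine SIDs that appear on more than one host, which is how an administrator would confirm that a set of workstations was restored from one image. The host names and the third SID in SAMPLE_ACCOUNTS are constructed for the example; the other SID values are the ones quoted above.

```python
import struct
from collections import defaultdict

# Well-known RIDs; the machine/domain part of the SID is the same for all of them.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(text):
    """Split 'S-1-5-21-a-b-c[-rid]' into (revision, identifier authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID layout: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian word."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; rejects a buffer shorter than its own count claims."""
    revision, count = data[0], data[1]
    if len(data) < 8 + 4 * count:
        raise ValueError("truncated binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_machine_sid(text):
    """For an NT account SID S-1-5-21-a-b-c-RID return (machine or domain SID, RID).
    A bare machine SID S-1-5-21-a-b-c is returned with RID None."""
    _, authority, subs = parse_sid(text)
    if authority != 5 or subs[:1] != [21] or len(subs) not in (4, 5):
        raise ValueError("not an NT machine/domain SID: %r" % text)
    machine = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
    rid = subs[4] if len(subs) == 5 else None
    return machine, rid


def describe(text):
    """Human-readable form: well-known account name (or RID) on its machine SID."""
    machine, rid = split_machine_sid(text)
    if rid is None:
        return "computer SID %s" % machine
    return "%s on %s" % (WELL_KNOWN_RIDS.get(rid, "RID %d" % rid), machine)


def find_duplicate_machine_sids(accounts):
    """accounts: iterable of (hostname, local account SID) pairs, e.g. each
    workstation's local Administrator. Returns {machine SID: sorted hosts} for
    every machine SID that appears on more than one host."""
    hosts = defaultdict(set)
    for host, sid in accounts:
        machine, _ = split_machine_sid(sid)
        hosts[machine].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}


# Constructed sample: WS-A and WS-B were restored from the same image, WS-C was
# installed separately (its SID is invented for the example).
SAMPLE_ACCOUNTS = [
    ("WS-A", "S-1-5-21-1475229580-284950961-507081533-500"),
    ("WS-B", "S-1-5-21-1475229580-284950961-507081533-500"),
    ("WS-C", "S-1-5-21-1003041712-1879215690-682003330-500"),
]

if __name__ == "__main__":
    for host, sid in SAMPLE_ACCOUNTS:
        print(host, describe(sid), sid_to_bytes(sid).hex())
    print("duplicates:", find_duplicate_machine_sids(SAMPLE_ACCOUNTS))
```

Run against SIDs gathered from each workstation's local Administrator account, the duplicate check flags WS-A and WS-B as sharing one machine SID; a machine whose SID was replaced during restore, or which completed setup on its own, shows up under its own key.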
Duplicate Computer SID in Microsoft Workgroups
A duplicate computer SID in a workgroup environment
makes workgroup security unmanageable: because the
local users and groups of the two computers share the
same SIDs, it is impossible to ensure that a given user
has only the intended access rights and permissions to
workgroup resources. Drive Image Professional can
change the computer SID during restoration, which
avoids this problem. For a scenario that illustrates
it, see appendix 1.
Duplicate Computer SID in Microsoft NT 5
The uniqueness of the computer SID will also be
important in the Active Directory network model of
NT 5. If one is actively imaging NT 4.0
workstations, migration to Active Directory may be
difficult due to the duplicate computer SID issue.
Drive Image Professional can change the computer
SID during restoration to avoid future NT 5
migration problems.
Duplicate Computer SID in Microsoft Domains
Microsoft domain-based networks are NOT affected by
duplicate computer SIDs among their workstations or
member servers. Only the domain SID (the computer SID
of the Primary Domain Controller, shared by its Backup
Domain Controllers) is required to be unique in this
environment.
Confusion may be caused here by mistaking the Broken
Implicit Trust issue (see Broken Implicit Trusts)
with the duplicate computer SID issue. The broken
trust issue in domain-based networks, while easily
solved, is an issue for Windows NT imaging. The
duplicate computer SID issue is not.
Avoiding the Duplicate Computer SID Problem
Solution #1:
Drive Image Professional will create
and replace the computer SID for each
workstation when an image is restored. The
user selects the SID replacement option and
specifies the partition containing the NT
Registry. This solution will resolve the
Windows NT 5 migration and workstation model
problems discussed above.
Solution #2:
The user creates an image of the Windows NT
workstation before the computer name is
assigned during the last phase of the Windows
NT install. At this point, a computer SID
has not been assigned. Thus, when the image
is restored and Windows NT is booted, Windows
NT will complete the install and assign a
unique SID.
The advantage to this approach is that Microsoft
will fully support imaged installs that were
created before the SID has been assigned.
Microsoft has publicly stated in the Microsoft
Knowledge Base Article ID #Q162001
(see appendix 2) that they will not support
workstations that have been imaged after the SID
is already assigned.
The disadvantage to this approach is that the
machine is only minimally configured. Thus,
most of the benefit of imaging has been lost.
Broken Implicit Trusts
NT Workstations in a Microsoft domain based network must
establish a trust relationship with a domain controller
in order to participate in the domain. This trust
relationship is characterized by a machine account
with a password that is negotiated between the
workstation and the PDC. This password changes every
seven days unless otherwise specified.
If the machine account is deleted on either side, or the
negotiated password falls out of sync, the trust
relationship is said to be broken. This results in the
Windows NT error message:
"The system cannot log you on to this domain
because the system's computer account in its
primary domain is missing or the password on
that account is incorrect."
The machine account is created (or recreated) each
time the workstation joins the domain. A broken trust
can therefore be repaired by removing the workstation
from the domain and rejoining it: a new machine
account is created with a new password and the trust
is re-established. If the machine account no longer
exists on the domain controller, it must first be
added again in Server Manager.
Imaging Issues
Broken trusts can occur during imaging of NT
workstations. They are sometimes erroneously
associated with the Duplicate Computer SID problem
discussed previously. It is important to realize that
domains do NOT have a problem with duplicate computer
SIDs. Domains do, however, depend on the implicit
trust relationship between the workstation and the
domain controller. Imaging can result in a broken
trust in the following scenarios:
Scenario #1:
An image of an NT workstation is created within the
first 7 days of joining a domain. After 7 days have
elapsed (i.e., the machine account password has changed),
if a problem prompts a restore of the original image,
the restored workstation presents the original password,
which is now incorrect, and it can no longer log on to
the domain.
Solution #1:
In Server Manager, add (or remove then add if necessary)
the workstation to the domain.
Scenario #2:
An image of an NT workstation is created after the first
7 days of joining a domain (i.e., after at least one
password change). After another password change, if a
problem prompts a restore of the image, the password
stored in the image is incorrect and the workstation can
no longer log on to the domain.
Solution #2:
In Server Manager add (or remove then add if necessary)
the workstation to the domain.
On the workstation, open the Network Control Panel and,
on the first tab (Identification), click Change. Move
the workstation out of the domain into a temporary
workgroup, click OK, and choose No when asked to
restart. Then return to the Network Control Panel and
rejoin the domain. The message "Welcome to the
DomainName domain!" is displayed and the machine
account password has been reset.
Restart the workstation.
It is possible to avoid machine account password
conflicts by disabling the periodic password changes
(see Knowledge Base article Q154501, Appendix 2).
It must be understood that this weakens the NT
security model: the machine account password then
never expires, so the copy stored in every image of
that workstation remains valid indefinitely, and
anyone who obtains the image holds a permanently
valid credential for that computer account.
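The password life cycle behind scenarios #1 and #2, as an added Python model that is not part of the original paper and not PowerQuest's or Microsoft's code. It simulates a domain controller holding one current password per machine account, a workstation whose machine-account secret is captured inside an image, the 7-day rotation, and the Q154501 setting that switches rotation off. The controller accepting only the current password is a simplifying assumption that matches the failure the paper describes; the workstation name, the `restore_after` and `repair` helpers and the hex token passwords are invented for the example.

```python
import secrets
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple

MAXIMUM_PASSWORD_AGE_DAYS = 7   # NT default rotation period for machine accounts


@dataclass
class DomainController:
    """Machine accounts as Server Manager sees them: computer name -> password.
    Assumption for this model: only the current password is accepted."""
    accounts: Dict[str, str] = field(default_factory=dict)

    def add_computer(self, name: str) -> str:
        # Server Manager "Add to Domain": the account gets a fresh secret.
        password = secrets.token_hex(8)
        self.accounts[name] = password
        return password

    def remove_computer(self, name: str) -> None:
        self.accounts.pop(name, None)

    def verify(self, name: str, password: Optional[str]) -> bool:
        return password is not None and self.accounts.get(name) == password

    def change_password(self, name: str, old: Optional[str], new: str) -> bool:
        if not self.verify(name, old):
            return False
        self.accounts[name] = new
        return True


@dataclass
class Workstation:
    name: str
    machine_password: Optional[str] = None   # the machine-account secret held by LSA
    password_age: int = 0
    disable_password_change: bool = False    # Q154501: no periodic change

    def join(self, dc: DomainController) -> None:
        """Join or rejoin: the account is (re)created and a new password negotiated."""
        dc.remove_computer(self.name)
        self.machine_password = dc.add_computer(self.name)
        self.password_age = 0

    def image(self) -> "Workstation":
        """A Drive Image snapshot carries the machine-account secret with it."""
        return replace(self)

    def run_days(self, dc: DomainController, days: int) -> None:
        """Advance the clock; rotate the secret once it reaches the maximum age."""
        for _ in range(days):
            self.password_age += 1
            if self.disable_password_change or self.password_age < MAXIMUM_PASSWORD_AGE_DAYS:
                continue
            new = secrets.token_hex(8)
            if dc.change_password(self.name, self.machine_password, new):
                self.machine_password = new
                self.password_age = 0

    def domain_logon(self, dc: DomainController) -> bool:
        """Secure-channel setup at boot; False corresponds to the 'computer account
        ... is missing or the password on that account is incorrect' message."""
        return dc.verify(self.name, self.machine_password)


def restore_after(image_day: int, restore_day: int,
                  disable_password_change: bool = False) -> Tuple[DomainController, Workstation]:
    """Join on day 0, image on image_day, keep running until restore_day, then
    replace the live OS with the image. Returns (dc, restored workstation)."""
    dc = DomainController()
    ws = Workstation("WS-A", disable_password_change=disable_password_change)
    ws.join(dc)
    ws.run_days(dc, image_day)
    snapshot = ws.image()
    ws.run_days(dc, restore_day - image_day)
    return dc, replace(snapshot)


def repair(ws: Workstation, dc: DomainController) -> bool:
    """Solution #1/#2: recreate the account and rejoin, then check the trust."""
    ws.join(dc)
    return ws.domain_logon(dc)


if __name__ == "__main__":
    dc, ws = restore_after(image_day=3, restore_day=10)      # scenario #1
    print("restored after a rotation, trust intact:", ws.domain_logon(dc))
    print("after rejoin, trust intact:", repair(ws, dc))
    dc, ws = restore_after(3, 30, disable_password_change=True)
    print("rotation disabled, trust intact:", ws.domain_logon(dc))
```

The model makes the trade-off in the last paragraph concrete: with rotation disabled the stale image logs on at any later date, which is convenient for restores and exactly why a copied image of that workstation stays usable as a credential.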
Conclusion
PowerQuest offers powerful solutions to ensure that the imaging of
Windows NT workstations is fast, simple and secure. Drive Image
Professional includes a SID replacement utility which ensures
that each workstation is assigned a unique computer SID. This
utility can be downloaded from our web site at
http://www.powerquest.com/technical/di/sid.html.
The SID utility has been working consistently in our lab and
at selected beta sites. When additional issues arise as we
continue to test and work with this solution, updates will be
made available on our web site. PowerQuest has built a
reputation for quality and expertise with hard-disk utilities
and wants, with your help, to build the very best solution for
Windows NT installation issues. PowerQuest is attempting to
get Microsoft's cooperation to permanently solve the problem.
Appendix
• Article ID: Q162001
Microsoft Knowledge Base
• Article ID: Q154501
Microsoft Knowledge Base
• How to add a computer to a domain
Microsoft Knowledge Base
http://premium.microsoft.com/
support/ntserver/serviceware/06900013.ASP
We welcome your suggestions and comments.
Please send an email to sid@powerquest.com
Copyright © 1997 PowerQuest Corporation, All rights reserved
All registered trademarks and trademarks are the property of
their respective holders.