Friday, December 21, 2012

Dude Where Did my AD Account Go? Troubleshooting Duplicate SIDs.

Hello Dear Reader!  I've been working on setting up a virtual lab using VirtualBox on my work laptop.  I originally thought of blogging through all of this but I've had a few issues.  I stepped away from this project at one point in time and was using a personal one.  However, I really want to get this working on my Pragmatic Works laptop.

I may go back and do a step by step once I've got my feet underneath me, but for now I'll just be happy to have this up and running.

I've finally gotten my Domain Controller Online, Added two Servers to my Domain, and then I wanted to add a Domain Account as an Admin to each Server.  

So I logged onto the server using the local admin, opened up Server Manager, opened up the Configuration tree, opened Local Users and Groups, and clicked on Administrators.

As I expected, only the local admin account and a local SQL Server account were there, the latter of which I'll be replacing with a domain account.

So I click add, type in SQLBalls, Authenticate to my domain to get the account added, and everything looks good.  I hit OK.

Hey where'd my AD account go?

So I went through the whole process again.  Click Add, added SQLBalls, validated against the Domain Controller, and then I get this error.

Well, if my account is already in the group, then why isn't it showing up?  So I turn to trusty old DOS, open a Command Prompt window and run net localgroup "administrators".

Sure enough my domain account is not in there.  It didn't take much searching on the Intrawebs to find other people with my issue.  After a little while I found people encountering this error when they had Cloned a VM.

The Domain Controller and the VM had the same SIDs (Security Identifiers).  So to validate this I went and grabbed the handy Sysinternals tool PsGetSid; to get it, click here.

Once I had downloaded this to my software share I put it on my Domain Controller and one of my other Servers.  I extracted it to a folder called PSGetSID, I know *how original*, navigated to the folder, and typed in psgetsid.

Now that I know what my SID for my Domain Controller is I need to find it for my other computer.  I extract the files and run the command and VOILA!

Sure enough, I have duplicate SIDs.  If you notice, up at the top the account name has a SID after it, right before I click OK and it disappears.  That SID is the same one that both of my computers have.
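Here is a PowerShell script, added as an example and not part of the original post, that does the same two checks across several machines at once: it derives each computer's machine SID from its built-in Administrator account (the same value PsGetSid reports) and lists the local Administrators group the way net localgroup does, then flags any SID that shows up on more than one computer. The host names are placeholders, and it assumes PowerShell remoting is enabled and you have local admin rights on each host.

```powershell
# Added example (not from the original post): find cloned machines that share a SID.
# Assumes WinRM remoting is enabled and you run as a local admin on every host listed.
$computers = @('DC01', 'SQL01', 'SQL02')   # placeholder names, replace with your own

$results = Invoke-Command -ComputerName $computers -ScriptBlock {
    # Local account SIDs are <machine SID>-<RID>; the built-in Administrator is RID 500,
    # so stripping the trailing "-500" yields the machine SID (what PsGetSid reports).
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like '*-500' }

    # Same check the post does by hand with "net localgroup administrators":
    # members are listed after the dashed separator until the "command completed" line.
    $raw   = net localgroup Administrators
    $sep   = $raw | Where-Object { $_ -match '^-+$' } | Select-Object -First 1
    $start = [array]::IndexOf($raw, $sep) + 1
    $members = $raw[$start..($raw.Count - 1)] |
               Where-Object { $_ -and $_ -notmatch '^The command completed' }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        MachineSid   = $admin.SID -replace '-500$', ''
        AdminMembers = ($members -join ';')
    }
}

$results | Sort-Object MachineSid | Format-Table Computer, MachineSid, AdminMembers -AutoSize

# A SID shared by more than one computer means an image was cloned without sysprep /generalize.
$dupes = $results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    foreach ($d in $dupes) {
        Write-Warning ("Duplicate machine SID {0} on: {1}" -f $d.Name, ($d.Group.Computer -join ', '))
    }
} else {
    Write-Host 'No duplicate machine SIDs found.'
}
```

Any warning it prints points at a machine that needs the sysprep step described further down before it can cleanly hold domain accounts in its local groups.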


So duplicate SIDs are preventing me from adding one AD account to other computers on my domain.  I had set up an image of Windows 2008 R2 that was my base image.  I had been keeping Windows Update current, but I left it pretty much alone.  I would clone it before I taught a class, did a presentation, or experimented with really f***ing things up by doing non-best-practice things on my computer.

So Cloning the same image to make my Domain Controller led to this error.

"So Balls", you say, "How do you fix it?  And isn't there a better way to do things?"

Yes Dear Reader, there is.  I was saved by this blog by Ilija Brajkovic.  There is a tool called sysprep.  I should have run it to clean up my base image before cloning it.  Now I can use it to change my SID.  I start out by pulling up Run, typing in sysprep, and clicking OK.

It will open up sysprep in its Windows folder.  I then double click on sysprep.exe in order to launch the application.

Now that sysprep is open I make sure OOBE is selected, I need to check Generalize in order to generate a new SID, and I will also select Reboot.  Then click OK.  This ran very quickly for me.

As Ilija notes, there will be some additional information to enter on reboot.  Note: *I SHOULD HAVE DONE THIS RIGHT AFTER CLONING*.  After the reboot you will get prompted for the language choice.  *Warning: this will reset your image to a factory setting; if you already have SQL Server installed this will erase the instance.  This will detach drives, this will reset your TCP/IP settings.  DO NOT DO THIS IF YOU DO NOT WANT TO WIPE CLEAN YOUR VM*

Then you check the box to accept the agreement.

Then wait while your settings are finalized.

When I log back in my VM has been reset, hence the Enter System Out-of-Box Experience.  The software I had installed is still there.  But I'm no longer on the domain, my computer name is changed, and hopefully my SID is different.  Let's run PsGetSid to validate that.

Excellent!  I've got my new SID.  I need to set my NIC card again to be on the right network, rename my server, add it to the domain, and reboot.  After that I can go back into the setup for my AD groups and add my User Account.

This time when I click OK it doesn't go away.  Alright Dear Reader, I hope you enjoyed this one, it was a lot of fun to figure it out!


