So I've previously cloned the thirteen Vista computers in our lab without any significant problems. Well, no problems that I could point to the cloning process as the cause of, anyway. What have I been using to do the cloning? That would be the free Linux-based Clonezilla. Just boot from the CD and follow the prompts. But there's been this issue nagging at the backs of the minds of our computer team that we'd been ignoring: since they're our computers, in our control, until there was a problem we could ignore it.
Then came ten new computers as part of a Gates grant that are going out to small rural libraries here in Nebraska. Hey, I'll just set one up and clone the other nine. But, in this case, once we've set the machines up, they'll be sent out across the state and out of our hands. Ah, that nagging problem starts shouting at us again. That problem is the issue of Security Identifiers (SIDs). What are those? Let's ask Microsoft:
"Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there is a SID that identifies the user or group for whom access is allowed, denied, or audited."
Yeah, that's a lot of help...
The gist of this is that certain security features of Windows Vista rely on this SID being unique. The SID is generated as part of the initial setup of Windows, i.e., when you first boot the computer after you take it out of the box. If you have more than one computer with the same SID, this could cause problems. The trouble is, cloning a hard drive also clones the SID. Bingo! I've now got ten computers all with the same SID. In fact, Microsoft has a Web page that specifically tells you not to do what I did. Its title: Do not disk duplicate installed versions of Windows. Here's what it says:
"Computers that are running the Windows operating system use a Security ID (SID) to uniquely identify themselves. When you use disk-duplicating software, it is important to take steps to ensure the uniqueness of these Security IDs."
Yep, the computer team's fears were based in fact. I even double-checked by downloading a small program named PsGetSid to verify the duplication of the SID in question.
"Have you performed a rollout, only to discover that your network might suffer from the SID duplication problem? In order to know which systems have to be assigned a new SID (using a SID updater like our own NewSID), you have to know what a computer's machine SID is. Up until now, there's been no way to tell the machine SID without knowing Regedit tricks and exactly where to look in the Registry. PsGetSid makes reading a computer's SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts and translate a SID into the name that represents it."
So, now the ultimate question: how to clone a computer and yet still have unique SIDs on each of the clones. After way too much searching and reading I found a handy little program from Microsoft that supposedly solves this problem. That program is Sysprep.
"The System Preparation (Sysprep) tool prepares an installation of Windows for duplication, auditing, and customer delivery. Duplication, also called imaging, enables you to capture a customized Windows image that you can reuse throughout an organization."
Turns out that Sysprep comes with Vista. You can find it at C:\Windows\system32\sysprep. (Don't run this on your computer! ONLY run this on a master that you plan on cloning. If you run it on a computer you actually want to continue to use, you might just mess it up a smidge.)
So more reading and more reading and I finally found the following from Microsoft:
Creating a Build-to-Plan (BTP) Windows Image
In the build-to-plan (BTP) scenario, you create a single Windows reference image to install computers that use the same hardware configuration. You customize the single Windows reference installation by installing Windows and then adding additional drivers and applications. You then capture the Windows image and use it to install your computers. No additional modifications are made to this image.
This scenario comprises the following stages:
- You install Windows on a reference computer.
- After the installation is complete, you boot the computer and install any additional device drivers or applications.
- After you update the Windows installation, you run the sysprep /oobe /generalize command. The /generalize option instructs Sysprep to remove system-specific data from the Windows installation. System-specific information includes event logs, unique security IDs (SIDs), and other unique information. After the unique system information is removed, the computer shuts down. The /oobe option instructs the Windows installation to run Windows Welcome the next time the computer boots.
- After the computer shuts down, you can boot to Windows PE or another operating system on the computer.
- You then capture the Windows installation with ImageX, [I'm using Clonezilla instead, M] by creating a reference image with which to install computers with the same hardware configuration.
Well, that sounds like what I want to do, so I gave it a shot. I set up one computer just how I wanted it (a full set of updates, installed Firefox, AV software, Steady State, and created the accounts I needed), then ran Sysprep on that computer. Here's what the program looked like:
What you see here are the settings that I used. I chose the OOBE option to get the cloned computers to act like they had just come out of the box when first booted, and checked Generalize to reset certain settings, most importantly the SID, which was central to why I was going through all of this.
I clicked OK and the computer did a few things and then shut down. Next, I hooked up the drive I wanted to clone to and ran Clonezilla. When that was done I removed the cloned drive from the master computer, popped it back into its original case, and booted up the cloned computer.
I was told that the computer was setting itself up, and it rebooted itself once during this process. I was then Welcomed to Windows, asked to accept the licenses, set the time, and create a new account. The account creation step worried me a bit since I'd already created the accounts I needed, but I had to follow through. So, I created an account named "m" with a password of "m" just to make things simple.
Once setup completed I was presented with the Windows logon screen which contained the two previously created accounts and the new "m" account. I logged into the admin account and found that all of my updates, settings, and software were exactly as they should have been. I just deleted the "m" account and I was pretty much all set. There were just two other things:
First, I ran PsGetSid on the cloned computer to make sure this one had a different SID from the original. Yes, it did.
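Checking one clone by eye works for ten machines, but for the 30-40 coming later it helps to collect the PsGetSid result from every machine and let a script spot the duplicates. The following is an added example, not part of this post and not a Sysinternals tool: it parses text in the shape PsGetSid prints (a "SID for \\HOST:" line followed by the SID), groups hosts by machine SID, and also shows how a local account's SID relates to the machine SID (the machine SID plus a relative ID). The hostnames and SID values are constructed for the example; the input format is assumed from PsGetSid's console output.

```python
import re
from collections import defaultdict

# A machine SID has the form S-1-5-21-<three 32-bit subauthorities>.
MACHINE_SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}$")
# A local account SID is the machine SID with one more component, the RID.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10})-(\d{1,10})$")

# Constructed sample: PsGetSid-style output captured from four machines and
# concatenated. Three of them share a SID, as a fresh clone of an
# un-sysprepped master would. Hostnames and numbers are made up.
SAMPLE_OUTPUT = """SID for \\\\MASTER:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\\\CLONE01:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\\\CLONE02:
S-1-5-21-1444444444-1555555555-1666666666
SID for \\\\CLONE03:
S-1-5-21-1111111111-2222222222-3333333333
"""


def parse_psgetsid(text):
    """Return {hostname: machine_sid} from concatenated PsGetSid output."""
    result = {}
    host = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^SID for \\\\(\S+):$", line)
        if m:
            host = m.group(1)
            continue
        # Only accept a well-formed machine SID on the line after a host header.
        if host is not None and MACHINE_SID_RE.match(line):
            result[host] = line
            host = None
    return result


def find_duplicate_sids(sids):
    """Group hostnames by machine SID and keep only SIDs shared by 2+ hosts."""
    groups = defaultdict(list)
    for host, sid in sids.items():
        groups[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in groups.items() if len(hosts) > 1}


def machine_sid_from_account_sid(account_sid):
    """Strip the RID from a local account SID to recover the machine SID."""
    m = ACCOUNT_SID_RE.match(account_sid)
    if not m:
        raise ValueError(f"not a local account SID: {account_sid}")
    return m.group(1)


if __name__ == "__main__":
    sids = parse_psgetsid(SAMPLE_OUTPUT)
    for sid, hosts in find_duplicate_sids(sids).items():
        print(f"duplicate machine SID {sid} on: {', '.join(hosts)}")
    # A local user with RID 1000 on MASTER maps back to MASTER's machine SID.
    print(machine_sid_from_account_sid(sids["MASTER"] + "-1000"))
```

Run it against the real output you save from each machine (one PsGetSid run per host, appended to a file) and any clone that still shares the master's SID shows up in the duplicate list; after a /generalize pass the list should be empty.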
Second, I did have to delete and re-create the second account that was on the cloned computer that I'd originally created on the master. I'm not exactly sure why but I have two theories.
- Theory one:
It had something to do with cloning a computer that had Windows Steady State installed and locking that account. If this was the problem the solution would be to not clone a locked account, but to lock the account on the cloned computers.
- Theory two:
The Sysprep tool doesn't like computers with multiple accounts. This theory is based on the idea that OEMs like Dell and Gateway don't ship computers with multiple accounts (if any) pre-installed. If this was the problem, the solution would be to have just one account created on the master and then create any additional accounts needed on the clones.
UPDATE 03 Nov 08: Turns out theory one seems to be the correct one. I've since cloned other computers where the public account wasn't locked by SteadyState, and the account came through the cloning process intact.
This final "problem" was really more of an annoyance than anything. The whole process was still much shorter than if I'd had to boot all ten computers and install all the software and updates individually. Also, each time I did it, the process took a little less time thanks to the repetition. I've got another 30-40 computers I'll be doing this to in September and plan on following this process. If I find any additional details then, I'll be sure to post them.
Labels: microsoft, vista, windows