Active Directory machine accounts: same SID after machine rebuild?

When a new Windows server machine joins a domain, AD seems to create a machine account "DOMAIN\MACHINENAME$" for that machine with a SID.

If the machine gets reimaged (with another OS, here: W2K8 instead of W2K3) and then rejoins the domain, will AD re-use the existing domain account with the same SID?

(Reason I'm asking is that we use some machine accounts as logins in SQL 2008 databases...)

Thanks Max
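One way to settle the question empirically, as an added example that is not part of the original post: snapshot the computer object's objectGUID and SID before the reimage, then compare after the rejoin. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the server name "SQLAPP01" and the snapshot path are placeholders.

```powershell
# Added example (not from the original post): record the AD computer object's
# objectGUID and SID before reimaging, then verify after the rejoin that the
# same object (and therefore the same SID) is in use.
# Assumes the ActiveDirectory module (RSAT). "SQLAPP01" and the path are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'SQLAPP01'
$Snapshot     = 'C:\Temp\SQLAPP01-sid.txt'

# --- Before the rebuild: capture the identity of the computer object.
$before = Get-ADComputer -Identity $ComputerName -Properties objectGUID, SID, Enabled
"$($before.objectGUID) $($before.SID.Value)" | Set-Content -Path $Snapshot
Write-Host "Before: GUID=$($before.objectGUID) SID=$($before.SID.Value) Enabled=$($before.Enabled)"

# ... disjoin, reimage, rejoin with the SAME name. Do NOT delete the computer
#     object in AD in between; disjoining only disables it. ...

# --- After the rejoin: compare against the snapshot.
$saved = (Get-Content -Path $Snapshot) -split ' '
$after = Get-ADComputer -Identity $ComputerName -Properties objectGUID, SID, Enabled

if ($after.objectGUID.ToString() -eq $saved[0] -and $after.SID.Value -eq $saved[1]) {
    Write-Host "Same computer object and SID re-used: $($after.SID.Value) (Enabled=$($after.Enabled))"
} else {
    # A new object means a new SID; any SQL Server login mapped to the old SID is now orphaned.
    Write-Warning ("Computer object changed: old SID {0}, new SID {1}. " +
                   "SQL logins mapped to the old SID will no longer resolve.") -f $saved[1], $after.SID.Value
}
```

The objectGUID is the stronger check: the SID is only kept if the same object is re-used, so if someone deleted and recreated the account in between, both values change together.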


Solution 1:

Max: Yes. The existing accounts and SIDs will be re-used.

As long as you don't delete the machine accounts from AD you'll be fine. When you disjoin the old machine the account will be disabled. When you join a new computer (or a new OS on the old computer) to the domain, using the name of an existing computer object in the Directory, the SID of the old computer object will be used. Your machine logons in SQL Server will continue to work fine.

Updated ENTIRELY for Oleg: You're mistakenly conflating the "machine SID" assigned locally in the registry of the member computer with the SID assigned by the DC to the computer object in the Active Directory.

Yes-- resetting the password on the machine account in Active Directory is what happens when you join the domain with a computer named the same as an existing computer object in the Directory. Joining the domain doesn't change the SID assigned to that existing computer object, though. The SID of the AD computer object is the SID referenced in the SQL Server logons that the poster is talking about, not the local computer SID of the domain member computer.

Local machine SIDs of domain member computers mean nothing in an AD environment.

I'd recommend you read this blog entry from Mark Russinovich, creator of the "NewSID" tool, to get a better idea of why your tirade re: SID re-generation is off-base in a peer-to-peer environment.
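To make the distinction in this answer concrete, here is an added example (not from the original answer) that pulls all three SIDs side by side: the AD computer object's SID, the SID stored with the SQL Server Windows login for DOMAIN\MACHINE$, and the member's local machine SID. Only the first two have to match. It assumes the RSAT ActiveDirectory module, Windows-authenticated access to the instance, PowerShell remoting to the member, and that "CONTOSO", "SQLAPP01" and "SQL01" are placeholders.

```powershell
# Added example (not from the original answer). Shows the three SIDs that get
# conflated in this thread and checks that the SQL Server login is bound to the
# AD computer object's SID, not the member's local machine SID.
# Assumes: ActiveDirectory module (RSAT), Windows auth on the instance, PS remoting
# to the member. "CONTOSO", "SQLAPP01" and "SQL01" are placeholders.
Import-Module ActiveDirectory

$Domain   = 'CONTOSO'
$Member   = 'SQLAPP01'
$Instance = 'SQL01'
$loginName = "$Domain\$Member`$"          # e.g. CONTOSO\SQLAPP01$

# 1. SID of the computer object in AD: this is what a Windows login on SQL Server references.
$adSid = (Get-ADComputer -Identity $Member).SID.Value

# 2. SID stored with the SQL Server login (sys.server_principals.sid, type 'U' = Windows login).
#    Parameterised query so the login name is never spliced into the SQL text.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT sid FROM sys.server_principals WHERE name = @name AND type = 'U'"
    $null = $cmd.Parameters.AddWithValue('@name', $loginName)
    $sidBytes = $cmd.ExecuteScalar()
} finally {
    $conn.Close()
}
$sqlSid = if ($sidBytes -is [byte[]]) {
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
} else { $null }

# 3. Local machine SID of the member: take any local account's SID and strip the RID.
#    This is the SID NewSID used to rewrite; it plays no part in domain authentication.
$localSid = Invoke-Command -ComputerName $Member -ScriptBlock {
    $acct = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' | Select-Object -First 1
    ([System.Security.Principal.SecurityIdentifier]$acct.SID).AccountDomainSid.Value
}

Write-Host "AD computer object SID : $adSid"
Write-Host "SQL login SID          : $sqlSid"
Write-Host "Local machine SID      : $localSid   (irrelevant to the SQL login)"

if (-not $sqlSid) {
    Write-Warning "No Windows login named $loginName exists on $Instance."
} elseif ($sqlSid -eq $adSid) {
    Write-Host "OK: the SQL login is bound to the current AD computer object."
} else {
    # Happens when the computer object was deleted and recreated: new object, new SID.
    Write-Warning "Login SID does not match the AD object SID; the login is orphaned. Drop and recreate it."
}
```

If the computer object was deleted rather than left disabled, the last branch fires: the login still exists by name but its stored SID points at an object that no longer exists, and the rebuilt server's authentication will fail until the login is dropped and recreated against the new SID.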

Solution 2:

I always laughed at people that thought newsid (never used it) was doing something for them!

In this case a server would be presenting itself as domain\servername$ to the SQL server, thus as long as it was a functional domain member the login would work.

Non-functional would be a domain-joined server being cloned without sysprep being run.