How to change SID of deployed server?
I needed to set up 2 VMs and naively just set one up from scratch, made sure it worked correctly, then copied it to another host. Now I'm getting the message "the trust relationship between this workstation and the primary domain failed", which apparently is due to the SID being the same on both machines. I've looked around and see a lot of conflicting info about sysprep and how to resolve this at this point.
Can I just update the SID on the machine having domain issues and then all will be well? If so, how can I accomplish that? Thank you
The only Microsoft-supported method to change the SID of the computer is to run sysprep with the /generalize option.
edit: So, clarifying. This goes back to the idea that the computer SID really doesn't matter (except for domain controllers) because it's really the computer account SID in the domain that matters and not the computer/machine SID itself. Removing/deleting/rejoining the computer will create a unique computer account SID in the domain and would really resolve his issue. But it would not, in the technical sense, create a new SID for the computer itself.
Mark Russinovich discussed the unique machine SID "myth" and there is a follow up article by a different author that goes into additional detail. Finally, there is this MSDN post that, I find, illustrates the machine vs domain computer account SID pretty clearly.
Personally, I've run into the duplicate SID issue where a cloned system was used to create the Domain Controller for a new domain at the start of a domain migration project, and the servers in the source domain were not able to authenticate users on the new target domain or join the target domain due to the SID duplication. So, 99% of the time it doesn't matter, but when it does matter, it sucks. As a result, I still recommend users generate new machine SIDs when they are able to.
"Can I just update the SID on the machine having domain issues and then all will be well? If so, how can I accomplish that?"
Yes, you can. In Active Directory you will need to delete the computer object of your problem server and then rejoin it to the Domain. This will get you a new SID for the server. However, doing this creates a new Computer Object for your server so all of its group memberships, permissions, etc. will need to be recreated because it has a new SID. Active Directory doesn’t see it as the same server.
EDIT: I followed my own instructions and found that my server was issued a new SID. My forest is at Windows Server 2012 level.
Before I deleted my server from AD and removed it from the domain:
The SID after rejoining the domain.
I had to restart two times after joining back to the domain. So, to me, the computer receives a new SID from Active Directory after:
- deleting the computer object in AD
- removing it from the domain
- joining the domain again
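The following PowerShell is an added example, not code from either answer above. It makes the first answer's distinction visible (the local machine SID that only sysprep /generalize changes versus the domain computer account SID that actually governs authentication and ACLs) and then performs the second answer's delete / unjoin / rejoin sequence. It assumes the RSAT ActiveDirectory module is installed on the server, that `corp.example` and the credential prompt are placeholders for your own domain and a join-capable account, and that the box is a member server, not a domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answers). Placeholders: $DomainName,
# the credential prompt. Do not run the reset phases on a domain controller.

$DomainName = 'corp.example'   # placeholder, replace with your domain's DNS name

function Get-LocalMachineSid {
    # Every local account SID is <machine SID>-<RID>; the built-in
    # Administrator always has RID 500, so its domain part is the machine SID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    return $admin.SID.AccountDomainSid.Value
}

function Get-DomainComputerAccountSid {
    param([string]$Domain, [pscredential]$Cred)
    # The SID of the computer object in AD: this is what the first answer says
    # actually matters for trust, group membership and permissions.
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Domain `
                -Credential $Cred -ErrorAction SilentlyContinue
    if ($acct) { return $acct.SID.Value } else { return $null }
}

function Show-SidState {
    param([string]$Domain, [pscredential]$Cred)
    Write-Host "Local machine SID:           $(Get-LocalMachineSid)"
    $acctSid = Get-DomainComputerAccountSid -Domain $Domain -Cred $Cred
    if ($acctSid) { Write-Host "Domain computer account SID: $acctSid" }
    else          { Write-Host "No computer object named $env:COMPUTERNAME in $Domain" }
    # The error quoted in the question means the secure channel is broken,
    # so this returns $false on the affected clone.
    $ok = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    Write-Host "Secure channel to $Domain OK: $ok"
}

function Invoke-DomainAccountResetPhase1 {
    # Run while still domain-joined. Steps 1 and 2 of the second answer:
    # delete the computer object, then leave the domain and reboot.
    param([string]$Domain, [pscredential]$Cred)
    Import-Module ActiveDirectory
    # Fails if the object is protected from accidental deletion or has child
    # objects; clear the protection / use Remove-ADObject -Recursive first.
    Remove-ADComputer -Identity $env:COMPUTERNAME -Server $Domain `
        -Credential $Cred -Confirm:$false
    # No -UnjoinDomainCredential: the account is already gone, so only the
    # local membership is changed. Reboot #1.
    Remove-Computer -WorkgroupName 'WORKGROUP' -Force -Restart
}

function Invoke-DomainAccountResetPhase2 {
    # Run after the reboot, logged on as a local administrator. Step 3 of the
    # second answer: join again, which creates a brand-new computer object
    # (new domain account SID, empty group memberships). Reboot #2.
    param([string]$Domain, [pscredential]$Cred)
    Add-Computer -DomainName $Domain -Credential $Cred -Force -Restart
}

# Usage:
#   $cred = Get-Credential -Message 'Account allowed to create/delete computer objects'
#   Show-SidState -Domain $DomainName -Cred $cred        # before
#   Invoke-DomainAccountResetPhase1 -Domain $DomainName -Cred $cred
#   ...after reboot...
#   Invoke-DomainAccountResetPhase2 -Domain $DomainName -Cred $cred
#   ...after reboot...
#   Show-SidState -Domain $DomainName -Cred $cred        # after: new account SID
```

Running `Show-SidState` before and after the two phases shows exactly what the second answer observed: the domain computer account SID changes, while the value returned by `Get-LocalMachineSid` stays identical on both clones. Only the first answer's route, `C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown` (which resets the image to OOBE and must be done before the second copy is put into service), produces a new local machine SID; for the domain trust error alone, the rejoin is what fixes it.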