However, duplicate SIDs can wreak havoc and cause major operational failures enterprisewide. For instance, you would have no way to differentiate local or remote accounts in a workgroup, because all the SIDs would be identical. System access restrictions would be wide open, even with permissions set, because user accounts would have identical SIDs. NT looks only at the account SID and not at the user account name. (For details about group accounts with default SIDs, see the Microsoft article "SID Values For Default Windows NT Installations" at http://support.microsoft.com/support/kb/articles/q163/8/46.asp.)
A similar scenario exists when you contemplate cloning NT domain controllers in a multimaster domain. Without unique SIDs, you can't guarantee access control.
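The collision described above can be checked for across a pilot group of clones. The following is an added example, not part of the original article; it assumes account SIDs have already been collected from each machine into a list, and the host names, account names, and SID values are constructed sample data. It relies on the standard SID layout S-1-5-21-&lt;three machine or domain values&gt;-&lt;RID&gt;.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (host, account name, account SID).
# WS-SRC and WS-CLONE1 share a machine SID (cloned without SysPrep);
# WS-PREPPED received a fresh machine SID.
INVENTORY = [
    ("WS-SRC", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("WS-SRC", "backup", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("WS-CLONE1", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("WS-CLONE1", "jsmith", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("WS-PREPPED", "Administrator", "S-1-5-21-2052111302-484763869-725345543-500"),
]

# Account SIDs issued by a machine or domain: S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (machine_sid, rid), or None for well-known SIDs such as S-1-5-32-544."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))


def duplicate_machine_sids(inventory):
    """Map each machine SID found on more than one host to the sorted host list."""
    hosts = defaultdict(set)
    for host, _name, sid in inventory:
        parsed = split_sid(sid)
        if parsed:
            hosts[parsed[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}


def colliding_accounts(inventory):
    """Map each account SID that exists on several hosts to its (host, name) owners.

    Access checks compare SIDs, not names, so every owner listed for one SID
    is treated as the same security principal.
    """
    owners = defaultdict(set)
    for host, name, sid in inventory:
        if split_sid(sid):
            owners[sid].add((host, name))
    return {s: sorted(o) for s, o in owners.items()
            if len({h for h, _ in o}) > 1}
```

In the sample data, `backup` on WS-SRC and `jsmith` on WS-CLONE1 have different names but the same SID, which is exactly the case where permissions set for one account also apply to the other.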
Using SysPrep Is Easy
You clone a system with SysPrep in four basic phases: installing NT, installing applications, running SysPrep, and cloning the disk image to another disk. Let's take a close look at the details. Running the NT installation routine is self-explanatory. Be aware, however, that you're installing an OS and its components on a source PC to clone to other systems, so the cloned systems will use the configuration you define on the source PC until you modify the cloned systems to operate otherwise. Be sure you load the latest service pack and any associated post-service-pack hotfixes you might require. (To obtain service packs and hotfixes, go to the Microsoft FTP site at ftp://ftp.microsoft.com/bussys/winnt/winnt-public.)
During the NT installation, you need to define an administrator account password. Microsoft recommends that you set this password to be blank or to NULL during the setup of the source PC. If you don't set the password to be blank or to NULL, errors result when SysPrep's mini setup wizard runs during a cloned system's initial system boot.
You might think that to set the password to be blank or to NULL would create a security race condition in which an intruder could tamper with the system on the network before you had a chance to reset the password, but such isn't the case. The first time you boot the cloned system, SysPrep's mini setup wizard requires you to reset the password. You can reset it manually by answering the wizard's dialog box or by using a predefined configuration file that the mini setup wizard recognizes.
When you install and configure the OS to your liking, the next step is to install any applications and third-party services you want to run on each cloned machine. Software such as virus scanners, personal desktop firewalls, management tools, and development platforms are all items that you can install at this point.
Keep in mind that any applications and services that require a user account to operate correctly will fail when you boot the cloned system for the first time. Unfortunately, for now you must install these types of software packages after you first boot the cloned system.
To use SysPrep, you must copy it onto the source PC. Be aware that if you copy the software into an NT system drive root subdirectory, SysPrep will automatically delete itself from the drive once it runs. For example, if you install NT into C:\winnt, installing SysPrep into C:\sysprep will cause SysPrep to automatically delete itself after running. Installing SysPrep in any other directory won't cause it to delete itself from the system.
After you install the necessary services and applications, run SysPrep by double-clicking its program name in NT Explorer or by entering the program name on the command line in a command shell. Command-line options are available to help govern SysPrep's operation. The -quiet option tells SysPrep not to display any messages during its operation. The -reboot option tells SysPrep to reboot the system after SysPrep completes. Additionally, you can specify a script filename on the command line that tells SysPrep where to locate predefined parameters. Table 1, page 88, shows SysPrep's definable parameters.
Remember that to use SysPrep, you must use the Select licensing version of the NT installation CD-ROMs (or override the detection mechanism for the Open or Enterprise versions). When you use the Select CD-ROMs to install NT and run SysPrep, the program will present a dialog box asking you for your organization name, volume license agreement contract number, type of volume license, and license count. After SysPrep confirms the information you entered, SysPrep terminates, and you can use a third-party disk-cloning tool to clone the source PC to other hard disks. After you insert a cloned hard disk into a computer (either a disk image or a physical disk) and power it on, the cloned system will boot and automatically run the SysPrep-generated mini setup wizard.
The wizard will prompt you for information that you can easily script by defining parameters in a script file. SysPrep doesn't display dialog boxes for user input when it uses the script file, which lets the mini setup wizard run uninterrupted. After the mini setup wizard completes, the system is ready for you to use.
Clone a few test machines before you roll out an entire group. You might find subtle system configuration errors that you need to correct. Be aware that SysPrep might change system security settings during its execution, so you need to examine the system security settings carefully after the system boots for the first time and before you use the clones in a secured production environment.
About Time?
It's about time Microsoft offered official support for cloned systems. SysPrep is an effective SID generator and I'm happy to know it will be available for Win2K. But I have two things on my wish list for SysPrep. I hope to see a future version that lets third-party vendors hook into the mini setup wizard to simplify cloning unique service accounts. I also hope Microsoft loosens the licensing requirements for this timesaving tool. Then, SysPrep can help smaller shops keep down their total cost of ownership (TCO).
Karl Burgdorf January 25, 2002