Category Archives: Windows Vista

Duplicate Machine SIDs are not an issue except when they are an issue.

I came across an article on InfoWorld about a blog post from a Microsoft tech regarding Windows machine SIDs and the myths that surround them.  The InfoWorld article is mostly fluff, but the blog post is well worth the read.  Basically, machines that are imaged without being sysprepped usually end up with the same machine SID.  It’s long been believed that this is a security issue.  It turns out that’s not the case.  Machines can be on the same network with the same SID if the machine is not already joined to a domain, is not going to be promoted to a Domain Controller, and if there isn’t an application that reacts badly to it.  (The example given is applications that use the machine SID as their own IDs.)  The bottom line is that machines SHOULD BE SYSPREPPED to prevent any known and unknown issues.  Also, Microsoft will not support machines that don’t have unique SIDs.  Sysprep is easy to run.  Don’t slack off just because it might not cause a problem.

The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn’t fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.

I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.

You can read the full article here.

You should also read this follow-up post by Microsoft tech Aaron Margosis that explains the difference between machine SIDs and domain SIDs.  The key statement in his post: “So while it’s OK to clone a system before it joins a domain, doing so after it joins a domain (and is assigned a domain computer account and a corresponding domain SID) will cause problems.”
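For anyone who wants to check whether their imaged machines actually share a machine SID before deciding how much to worry, here is an added PowerShell example.  It is not code from the original post or from either of the blogs linked above.  It assumes PowerShell 5.1 or later with the Get-LocalUser cmdlet; the inventory hashtable and the SID values in it are constructed for illustration.  The idea it relies on: every local account SID is the machine SID (the S-1-5-21-A-B-C prefix) followed by a RID, and the built-in Administrator account always has RID 500, so the prefix can be read from it.  This looks at the machine SID only; the domain computer-account SID that Aaron Margosis warns about is issued by the domain and is not what this compares.

```powershell
# Added example, not code from the original post. Assumes PowerShell 5.1+
# (Get-LocalUser from Microsoft.PowerShell.LocalAccounts). The sample
# inventory values below are constructed, not real machine SIDs.

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>. The built-in
    # Administrator account always has RID 500 (even if renamed), so read
    # the machine SID prefix from it. Run this on each host you inventory.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return $admin.SID.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    # $Inventory maps hostname -> a local account SID string collected from
    # that host (the Administrator SID is convenient). Emits one object per
    # machine SID that more than one host reports.
    param([Parameter(Mandatory)][hashtable]$Inventory)

    $byMachine = @{}
    foreach ($entry in $Inventory.GetEnumerator()) {
        $sid = [System.Security.Principal.SecurityIdentifier]$entry.Value
        # AccountDomainSid is the S-1-5-21-A-B-C part; it is $null for
        # well-known SIDs such as S-1-5-18, which are not machine-specific.
        $machineSid = $sid.AccountDomainSid
        if ($null -eq $machineSid) {
            Write-Warning "$($entry.Key): '$($entry.Value)' is not a local account SID"
            continue
        }
        if (-not $byMachine.ContainsKey($machineSid.Value)) {
            $byMachine[$machineSid.Value] = @()
        }
        $byMachine[$machineSid.Value] += $entry.Key
    }

    foreach ($kv in $byMachine.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{
                MachineSid = $kv.Key
                Hosts      = ($kv.Value | Sort-Object) -join ', '
            }
        }
    }
}

# Constructed sample inventory: PC-01 and PC-02 were imaged from the same
# master without Sysprep, so they report the same machine SID prefix.
$sample = @{
    'PC-01' = 'S-1-5-21-1000000001-2000000002-3000000003-500'
    'PC-02' = 'S-1-5-21-1000000001-2000000002-3000000003-500'
    'PC-03' = 'S-1-5-21-1000000004-2000000005-3000000006-500'
}

Find-DuplicateMachineSid -Inventory $sample
```

In practice the hashtable would be filled by running Get-MachineSid on each host (Invoke-Command against a list of computer names works) rather than typed in.  A hit from Find-DuplicateMachineSid is not proof of a security problem, per the post above, but it is a list of machines that were never sysprepped and therefore also share the other machine-specific state Sysprep is supposed to reset.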

My boss: “We should research Desktop Linux.”

What????  My boss dropped this bomb on us last week.  I was shocked.  There was no context for that remark.  No one had brought this up seriously before.  There was talk about migrating from NetWare to AD.  There was talk of VDI.  There was even a rumor about Macs.  But this was new.  My first thoughts were:

  • How well did my boss think this out?
  • Am I willing to go to war with our users?
  • Am I willing to take such a high-profile risk for really no return?
  • There’s a good chance that this is going to suck.

After the meeting adjourned, I took a moment to find out when Windows XP goes “End of Life.”  It turns out that XP goes End of Life April 8, 2014.  Also, I don’t foresee a justifiable reason to upgrade to Vista in the next three years.  That means that a Desktop Linux project doesn’t make financial sense until at least 2011.  That gives us three years to migrate off of XP.

I took the rest of the day to think about it and brought it up the next day.  I found out that my boss hadn’t really thought about it at all.  He was just throwing the idea out there as something to think about long term.  He understood my point of view and I think that’s going to be the end of that for a while.

Coincidentally, that afternoon I received the InfoWorld Editors Newsletter titled Is Desktop Linux for Real? from Steve Fox at InfoWorld.  Freaky, huh?

Virtual Desktop Infrastructure, Client Consolidation, and Blade PCs… Oh My!

I’ve begun researching VDI because I believe that the PC is no longer necessary in medium to large environments that can operate with less than workstation-class performance.  The potential advantages of replacing PCs with thin clients that connect to full-fledged XP installations are compelling.  I’ve been researching all of this for a couple of weeks now, and I have to say that VDI/CCON/CCI is in a pre-1.0 state.  I’ll explain it all below.

There are three terms going around to describe Client Consolidation technology.  They are:

  • VDI: Virtual Desktop Infrastructure
  • CCON: Client Consolidation
  • CCI: Consolidated Client Infrastructure

They all essentially mean the same thing.  My definition of CCON is centralizing desktop/PC systems by hosting them in the data center.  All computing functions other than KVM are hosted and managed in a computer room away from the user.  The user uses a client device or application to access the centralized computer.  There are multiple terms battling to be the methodological name for this technology.  VDI was the first term that I saw used.  VDI is the trendy name in my view, and has been co-opted by VMware and turned into a product.  CCON is the name used by an IBM employee named Massimo Re Ferre’ who is a heavy contributor to VDI technology research.  Client Consolidation happens to be the name of IBM’s implementation of VDI (what a coincidence).  CCI is a product name used by HP after they abandoned the use of VDI.  Another name that’s out there is “Centralized Computing.”  Centralized Computing is the term used to describe the days of mainframes and dumb terminals.

My preference for the academic name of this technology is Client Consolidation (CCON).  I believe that CCON is the most descriptive, most open name of all.  CCON is general enough to encompass all of the diverse technologies in this area.

There’s a lot of overlapping information and noise out there.  I want to explain the bottom line as I see it.

The technology “models” (Re Ferre’, 2007) for CCON are:

  • Shared Services (Citrix)
  • Virtual Machines (VMware, Xen, others)
  • Blade PCs/Blade Workstations (HP, ClearCube)

You will ultimately have to select one (or more) of those methodologies for a production rollout.

Client consolidation is all about the use of RDP to connect to Windows systems.  RDP is what it’s all about (some solutions prefer/support ICA).  If you know how to use Remote Desktop, you’re most of the way to understanding what CCON is all about.  Everything after this is about services and features built around the use of RDP-accessed Windows systems (VMs, Blade PCs).

The components of CCON are:

  • Client Access Devices (thin clients, repurposed PCs)
  • Connection Broker (software)
  • Host Systems (VMs, Blade PCs)

Client Access Devices are straightforward.  You need a device that knows how to connect to remote systems using RDP.  The client device can be a full-blown XP/Vista PC, or a thin client running the proper client software.  You’re going to hear a lot about Windows XPe in this space.  XPe is a stripped-down version of Windows XP often used for development and loaded onto many thin clients.

Host systems are also straightforward.  You can run your XP/Vista/other hosts as VMs or on Blade PCs.

Connection Brokers are where all the fun is.  Connection Brokers handle the setup and the advanced features of CCON.  Brokers decide (based on policy) which VM/Blade should be assigned, the features that are available to the user, and in some cases the robustness of the service.  I think of Brokers as travel agents.  A client shows up to the broker with a request.  The broker knows how to handle the request based on requirements and makes all of the arrangements, including the connection.  The broker is usually finished at that point, though the broker remains an intermediary in some solutions.

That’s basically what CCON is all about.

CCON is barely at a 1.0 level.  There’s very little information out there (other than Citrix) and all of the solutions are patch-up jobs.  There’s no long-standing, widely accepted solution.  Most of the solutions that I have found have been assembled piecemeal.  The absolute best information that I have found comes from Massimo at http://it20.info/misc/brokers.htm.  He’s created a table with extensive descriptions of all the features he’s been able to confirm for brokers and clients.  It’s not a complete list of brokers and features, so do your own research and testing (HP SAM, IBM TMP missing).  Regardless, it is a must-read if you are going down the CCON road.

Two other items of interest are VMware’s VDI forum and HP’s CCI forum.  Notice that there is very little activity at those forums.  That’s because most people still aren’t working on this.  Also, VMware’s product is in Beta.  That’s right…VMware’s broker is vaporware, yet they’re calling it VDM 2.0.  Now that’s good marketing.

That’s it for now.  Please let me know if you have any questions or if you have something to add.  There is so much information out there that I’m positive there is more to come.

InfoWorld: Windows Vista, the Wow hasn’t started yet.

This InfoWorld article says that fewer companies are planning to upgrade to Vista in the short term than even a few months ago.  They are basing this on a survey by Patchlink Corp.  I don’t trust Patchlink’s numbers, but I believe the conclusion is correct. 

There is no excitement for Vista.  I don’t know anyone that is upgrading to Vista or has Vista on their radar.  Vista doesn’t really provide anything useful to business customers.  It’s not worth the pain of upgrading.  My sense is that my company can easily run XP for at least 2 more years.  One reason for this is that XP is very stable (in our protected environment).  Another reason is that most apps developed over the next couple years will be XP compatible.  A third is that more apps are being ported to a browser every day.  I don’t need much more than a functional browser.

Somebody should let me know when the Wow is going to start.

Microsoft Surface looks AWESOME! (Pics and Info)

Microsoft released information on a new product tonight and it looks amazing.  It’s a 30″ tabletop screen with touch-screen abilities.  It works similarly to the holographic screens in the movie Minority Report, though it’s much more primitive.

Microsoft has posted a fact sheet and FAQs, but I can’t link to anything other than the site because it’s all Flash based.  Microsoft describes Surface as:

“A 30″ display in a table like form that’s easy for individuals or small groups to interact with in a way that feels familiar just like the real world.  Surface can simultaneously recognize dozens and dozens of movements such as touch, gestures, and will be able to recognize actual unique objects that have identification tags similar to bar codes.”

“Surface will ship to partners with a portfolio of basic applications, including photos, videos, virtual concierge, and games, which can be customized to provide their customers with unique experiences.”

Here’s what I take from this announcement:

  • Surface runs on Vista. 
  • Microsoft appears to be the HW manufacturer on this.   I doubt that they could have kept this secret if they relied on others for HW.
  • Surface is Windows Tablet Edition on steroids.
  • The announcement says that Surface will be available for some businesses at the end of the year.

I am very excited about this announcement.  It didn’t seem like anyone could deliver a product like Surface in the near future, and it appears that Microsoft will.  This is an important step in the death of the mouse.  I wonder what the price on this will be.  It will probably be expensive if MS is targeting businesses.  I’d put it in the $3,500 to $5,000 range for businesses.  It’s probably in the area of $1,500 for consumers.  Gizmodo claims that the price is $10,000 with an expectation of a huge price drop over 3 years.  Of course, this is all assuming that MS can deliver on its promises.  I’ve got pictures posted after the fold.

Update: An excellent video presentation of Microsoft Surface.

Microsoft is Dead. Long Live Microsoft.

Last night I saw an article pop up on Digg titled: Vista sales propel Microsoft’s profits to almost $5 BILLION.  It states that “Microsoft Corp. posted a 65 percent rise in quarterly profit Thursday, topping Wall Street estimates thanks to better than expected demand for its new Windows Vista operating system.”

What?  This can’t be true.  Some guy on the Internet just announced that Microsoft Is Dead.  Then some more people got together, declared victory for Apple (Apple’s role in Microsoft’s downfall), and pissed on Microsoft’s grave (gotta love Slashdot).

The blogosphere loves bombastic, NY Post-worthy headlines about Microsoft’s demise, especially where Apple fanboys hang out.  The fact of the matter is that Microsoft is flawed, but fine.  Microsoft isn’t going anywhere.

Here’s a prediction on the future of the home PC/OS.  Apple and Microsoft will both have a stake in it, and a large number of Mac buyers will kick in a few extra bucks to run Parallels/Fusion/Boot Camp/etc.  People will do this because they still want to run their Windows apps as seamlessly as possible while playing with their Apple toys.

Windows Vista Ultimate Headache

Let me preface this by saying that I am primarily a Windows user.  I like Microsoft software in general.  I have made a living off of supporting Microsoft software for a long time.  I have no grudge with MS and I hope Vista is successful.  It needs to be.  That said, my head hurts when I think about upgrading to Vista HomePremiumBusinessUltimateSupersize Edition. 

Yesterday I got my first call from an acquaintance that had a botched install.  He tried to install Vista Ultimate on a Dell XPS 400.  Something went wrong somewhere in the process and the machine would not boot past a Disk.sys error.  He spent an hour on the phone with Microsoft.  MS suggested that he had a dead hard drive.  Bewildered, he called me.  I tried to work through it with him, but he was in his car and couldn’t get in front of the machine.  There are many possible complications to the problem:

  • Inexperienced user
  • Upgrade version of the software
  • 1,000,000 possible driver/hardware/OS compatibility issues
  • USB Keyboard
  • Couple other things I forgot

He asked about calling the “Geek Squad.”  I thought that could work, though at $250 for a home visit it’s expensive.  I’m sure I’ll be hearing from him on Monday. 

Vista has been out less than a week and I am already getting calls.  I’m trying to figure out if that’s a good thing.

Update: There appears to be something to this Dell-Vista problem.  I see that people are finding my post with the search terms below (with the number of visits for each).  If anyone has advice, please let me know.  Thanks!

  • disk.sys vista (1)
  • dell xps disk.sys windows vista (1)
  • vista disk,sys error (1)