Duplicate Machine SIDs are not an issue except when they are an issue.

I came across an article on InfoWorld about a blog post from a Microsoft tech regarding Windows Machine SIDs and the myths that surround them.  The InfoWorld article is mostly fluff, but the blog post is well worth the read.  Basically, machines that are imaged without being sysprepped usually have the same machine SIDs.  It’s long been believed that this is a security issue.  It turns out that’s not the case.  Machines can be on the same network with the same SIDs if the machine is not already connected to a domain, is not going to be promoted to a Domain Controller, and if there isn’t an application that reacts badly to it.  (The example given is applications that use the Machine SID as their own IDs.)  The bottom line is that machines SHOULD BE SYSPREPPED to prevent any known and unknown issues.  Also, Microsoft will not support machines that don’t have unique SIDs.  Sysprep is easy to run.  Don’t slack off just because it might not cause a problem.

The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn’t fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.

I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.

You can read the full article here.

You should also read this follow-up post by Microsoft tech Aaron Margosis that explains the difference between Machine SIDs and Domain SIDs.  The key statement in his post: “So while it’s OK to clone a system before it joins a domain, doing so after it joins a domain (and is assigned a domain computer account and a corresponding domain SID) will cause problems.”
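As an added example that is not part of the original post or of Microsoft’s tooling: a PowerShell check that derives a machine’s SID from the built-in Administrator account (every local account SID is the machine SID plus a RID, and Administrator is always RID 500) and flags hosts in an inventory that share one, which is the tell-tale of cloning without Sysprep.  It assumes Windows PowerShell 5.1 or later with Get-LocalUser available; the inventory values are constructed.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser).

function Get-MachineSid {
    # Local account SIDs have the form <machine SID>-<RID>; the built-in
    # Administrator account always carries RID 500, so strip that suffix.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }
    return ($admin.SID.Value -replace '-500$', '')
}

function Find-DuplicateMachineSids {
    param(
        # hostname -> machine SID, as collected by running Get-MachineSid
        # on each imaged workstation.
        [Parameter(Mandatory)] [hashtable] $Inventory
    )
    $Inventory.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = ($_.Group | ForEach-Object { $_.Key }) -join ', '
            }
        }
}

# Constructed sample inventory: WS01 and WS02 were cloned from the same
# image without Sysprep, so they report the same machine SID.
$sample = @{
    'WS01' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'WS02' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'WS03' = 'S-1-5-21-4444444444-5555555555-6666666666'
}
Find-DuplicateMachineSids -Inventory $sample | Format-Table -AutoSize

# On the machine running the script, report its own machine SID too.
"This host's machine SID: $(Get-MachineSid)"
```

Any host pair the function reports should be re-imaged with Sysprep before joining a domain, which is the point of the Margosis quote above: the domain computer SID issued at join time is separate from the machine SID and is not fixed by cloning after the fact.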

Invision Power Board

I support a website for a small organization that needs a web presence.  The site was built in 2000 using FrontPage.  They want to make the site current and add a few features including a discussion forum.  I did a lot of searching to find bulletin board software that had a “news” feature and could be updated fairly easily.  A photo gallery was a plus.  I was pretty well settled on VBulletin, but I didn’t like that I had to pay for software that hadn’t been released yet.  I kept looking around and I started paying more attention to Invision Power.

I recently purchased Invision Power Board and their add-on apps (IP Content, IP Gallery, and IP Downloads).  I couldn’t be happier with the results.  Invision’s software met my requirements perfectly.  I was able to build a front end website with a private board, photo gallery, and download section for forms and documents.

There are two things that make IPB 3 special and unique.  One is that all the software comes from Invision.  I don’t have to purchase unreliable and sparsely supported 3rd party mods.  The other is that the admin tool is very easy to use.  From navigation to configuration, IPB’s admin tool is sophisticated without being complicated.  I feel like Invision has thought about the many requirements of a modern discussion forum, and included them in their software.

IPB is also extremely configurable.  I have been able to change every single setting that I’ve needed to.  Users can also create new settings when needed (though that’s way over my head). 

A lot of people ask the VBulletin vs. IPB question.  In fact, I was one of them.  I tried demos for both VBulletin 3.x and IPB 3.x.  I chose IPB because they had more features that I needed, the IPB admin tool was much better organized, and there was no drama.  I couldn’t be happier now that I’ve seen it in action.

I do have one criticism of Invision.  Their support needs improvement.  They have a 2 day turnaround time for tickets for people with standard contracts.  That’s far too long.  They try to prioritize incidents where the system is completely down.  Invision probably needs to roll out more support options for those that need it.

Windows 7 is OK

I’ve been playing around with Windows 7 for a few weeks now.  I have tried to concentrate on features and configuration because I want to understand how it works, and how Microsoft intends some features to work.  Windows 7 is Vista with a new taskbar and some rearranged menus.

I like:

  • I like how quickly it installs and boots, though I wonder if it will load as quickly after I install some apps. 
  • I like the search feature.  It works well. 
  • The “Library” is a good idea, though I bet it’s going to trick some users at first. 
  • I also like all the new tools that have been added to the software like powercfg -energy.
  • I like how customizable the appearance is.

I don’t like:

  • That I can’t open multiple windows by clicking on an icon in the taskbar.  It works if I hold shift.  That’s very annoying.
  • Jumplists are meh.
  • Features that Microsoft considers major innovations like “Snap”, “Shake”, and “Aero Peek” (which is borderline useless) that are nothing more than minor additions to old technology.
  • XP mode only works with machines that have very specific hardware “virtualization” features.
  • That it’s not much of an improvement over Vista and the classic Windows platform.
  • Microsoft’s online “tutorials” and “walk-throughs” are WEAK, and disorganized, and really frustrating!!!

What does that mean for my company and me?  An upgrade is likely in the works….  Windows XP is going out of support in a few years (though none of my current HW will be around then).  I want to get off of the old Windows XP platform and so does the IT management in my company.  Users feel like we’re “out of date” on the desktop and Office (they don’t buy that Office 2007 is the latest version).  This put together with a Microsoft “Enterprise Licensing Agreement” means that we’re moving forward with Windows 7.  I plan to post about my experience with Windows 7 and the upgrade.

Hello Again!

It’s been a while since I posted anything, and I’ve got a few things to say.  Let’s see what comes out…

Corporate Lawyers at Creative and T-Mobile are like Dumb and Dumber

Credit to Ryan Block for the image.

Just when I thought corporations and their lawyers couldn’t get any dumber, I’m proven wrong.  There have been two incidents in the last few days that show just how out of touch most corporations are.  First, Creative sent a Cease and Desist to an independent developer for writing working Vista drivers for some of their products.  (Warning: This post is high on internet dramaboy-ism.)

Then our friends at T-Mobile send a Cease and Desist to Engadget for using the color magenta.  Apparently the color magenta is trademarked property of Deutsche Telekom.  Who knew?  Anyway, Engadget and the Internets are fighting back.  Engadget is “Painting the Town Magenta”  and others are joining in solidarity.  I’m joining in on the fun because I can’t resist a meaningless internet revolt.  Besides, someone has to stand up against the over-excited corporate lawyers. 🙂

So for today, I’m painting the blog magenta.  And I’d like to say to Creative and Deutsche Telekom in the words of Ben Stern: “Don’t be stupid you morons.”

InfoWorld: The MacBook Air is the Starbucks laptop

I just read the InfoWorld review of the MacBook Air.  It’s a good review if you’re considering a MacBook Air.  Here’s the bottom line.  The MacBook Air is a great laptop for showing off at Starbucks and basic computing.  Otherwise, buy something more substantial.  Here are the two quotes that should tell you if you should consider buying a MacBook Air.

“It’s unfair to classify the MacBook Air as a laptop. It’s not, unless you’re Mini Me. It’s an ultraportable, along the lines of the Sony Vaio TZ, though it has a larger screen than the Vaio. It’s also faster and cheaper.”

“I figured the best place to work with the Air would be a coffee shop, which is essentially its native environment.”

Want one?  Apple Store

A year on WordPress

The blog has now been up a year.  It has been a fun, interesting, and educational experience.  I’m proud of what I have been able to contribute over the last year.  I look forward to another exciting year.  Thanks for being a part of it!!!  Harry

Where do the candidates stand on technology? Most of them won’t tell you.

It’s extremely important for IT guys and gals to understand where the candidates stand on technology issues.  I am going to link to each of their technology pages here.  Overall, I am disappointed with the lack of focus on technology.  The Democrats are much better than the Republicans.  All of the Democrats except Kucinich make a mention of technology or “innovation.”  Barack Obama is the only candidate to feature technology as an issue on his website.  Mitt Romney is the only Republican to have information about technology on his website, but it’s not an issues page.  I linked to it anyway.  Have a look:

Democrats

Republicans

  • Mitt Romney: http://www.mittromney.com/News/In-The-News/TechCrunch (Interview with TechCrunch) 
  • Rudolph Giuliani: I can’t find anything obvious or through search.  Did somebody say 9/11?
  • Mike Huckabee: I can’t find anything obvious or through search.
  • Duncan Hunter: I can’t find anything obvious or through search.
  • John McCain: I can’t find anything obvious or through search.
  • Ron Paul: I can’t find anything obvious or through search.
  • Fred Thompson: I can’t find anything obvious or through search.

Based on whether the candidates feature technology, Obama and Romney are the leaders for their party.  Obama is the only candidate to feature technology as an issue, so he is the leader.  If you can find information that should be added, let me know.

I upgraded from ESX 3.0.2 to ESX 3.5 and it was a pain.

I upgraded our ESX servers over the Christmas break.  I had to install a new ESX server, so I took the opportunity to upgrade the rest of our environment.  It was a pain in the ass.  There were a few bugs that caused me problems.  Details below:

I decided to wipe the ESX servers and install 3.5 fresh from the CD.  I did the upgrade from 2.5.2 to 3.0.1 this way and it worked well.  I upgraded the Virtual Center server from 2.0 to 2.5.

VMotion caused me a lot of problems.  I was not able to ping the VMotion port after the upgrade.  This happened to varying degrees on all of the servers.  The last server was the worst.  It was driving me crazy.  I had enabled VMotion and named it properly.  It just would not work.  Eventually I called support.  They ran vmkping to the IP address of the VMotion port on the server while I pinged the IP address from my workstation.  This seemed to magically enable the VMotion port.  Running just vmkping or just ping didn’t work.  The combination of the two worked for some bizarre reason.

“No Active Primaries” message when I tried to add a server to the Cluster.  This one perplexed me for a while.  It comes from the way clustering works.  Clustering doesn’t work perfectly in mixed 3.0/3.5 environments.  The first server added to a cluster is considered the “primary.”  When I initially created the cluster, ESX1 (server name) was the first server in the cluster.  When I did the upgrade, I took ESX1 out of the cluster.  It didn’t pass the role of “primary” onto one of the other servers.  So when I tried to add ESX1 back into the cluster, it gave me the “No Active Primaries” error.  I fixed this by removing all of the servers from the cluster and adding them back in.  This thread pointed me towards a solution:  http://communities.vmware.com/message/701671;jsessionid=AA7526EEA3E0EE5EAFAFDB7A761815ED

“Unable to read partition information from this disk”: I got an error like this when I was installing ESX on a machine attached to a SAN with raw drive mappings.  I disconnected the server from the SAN and started the installation over just to be safe.  A good piece of advice… Always disconnect the server from the SAN when you are reinstalling ESX.  There is a decent possibility that you’ll accidentally overwrite your LUNs.

I had some other general problems, but nothing too serious.  Let me know if you have any questions or issues that I can help with.

Happy New Year!!!

2007 was a fun year in technology.  I can’t wait for 2008!