Salt * Wet * Bytes

November 5, 2009

From Mark’s Blog: The Machine SID Duplication Myth

Filed under: WindowsAdmin — saltwetfish @ 3:41 am

Yes, it's official: the problem with machine SID duplication in the Windows world is a myth (except in some specific circumstances).

Read all about it here:

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

On November 3 2009, Sysinternals retired NewSID, a utility that changes a computer's machine Security Identifier (machine SID). I wrote NewSID in 1997 (its original name was NTSID) because the only tool available at the time for changing machine SIDs was the Microsoft Sysprep tool, and Sysprep doesn’t support changing the SIDs of computers that have applications installed. A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It’s therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right? At least that’s been the conventional wisdom.

The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn’t fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.

I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID.

October 17, 2009

Getting the network adapters’ order in Windows

Filed under: AdminScripts, Networking — saltwetfish @ 7:22 am

Now, one of the biggest problems for us when deploying new servers is that we want to get everything as automated as possible. One of the most complex things to automate is networking configuration. That is, you need to figure out which nic to team and which to set as the heartbeat or backup nic, etc. In this post, I use nic and network adapter interchangeably.

The most persistent problem is getting an ordered list of network adapters from Windows. Windows itself does not present nics in any order. So your slot 0 (embedded) port 1 could be named “Local Area Network Connection 3” or “Broadcom 1GB PCI Ethernet Adapter 4”, and the slot 10 port 2 nic could be named as the first nic. (more…)

Using command line to configure HP Proliant arrays

Filed under: AdminScripts — saltwetfish @ 5:44 am

One of the things we need to do when deploying a server is to set up the partitions correctly before we deploy it. Of course, we could always load up the SmartStart utility and perform the RAID configuration. But when you are doing remote deployment, that is, someone in London racked and powered up the server and you deploy it, it's not always fun to load the ISO CD image, mostly because of the synchronization of the stupid mouse cursor over the WAN in some locations. And even in locations where the WAN is good, getting the cursor to go where you want with SmartStart is no fun. The other point is that it also takes time for SmartStart to run.

So what we did was to include the command line equivalent of the array configuration utility, called hpacucli.exe (you can download this from HP), in our deployment image. We can then launch this from the command prompt after the server has booted into WinPE. (more…)

September 14, 2009

Firefox issues error sec_error_reused_issuer_and_serial

Filed under: WindowsAdmin — saltwetfish @ 7:59 am

One of the things I hate about Firefox is that when you use internal certificates, like those issued by HP Integrated Lights-Out's (iLO) web page, you have to confirm to download the cert and add it to your cert store. There is no one-click solution to this as yet, and neither can I disable this in Firefox even if I only intend to use it in an intranet environment.

More troublesome is when I update the firmware in my iLO: a new certificate is generated, and when you try to launch the iLO web page again you will encounter the following error.

Error code: sec_error_reused_issuer_and_serial

It took me a while to figure it out from googling, but the solution is simply to delete cert8.db from your Firefox profile, usually found in C:\Documents and Settings\<yourname>\Application Data\Mozilla\Firefox\Profiles\<yourprofile>. Easier still, just search for cert8.db on your computer and delete that file.

Oh… you need to close Firefox first.

May 29, 2009

Long DHCP lease causes client’s DNS name to disappear

Filed under: Networking — saltwetfish @ 2:56 pm

Recently, we found that some servers' and workstations' host records (A RRs) had been dropped from our DNS servers. All the machines were running as DHCP clients, and we are using MS products for both DHCP and DNS.

The DHCP servers are configured to update the host record on behalf of the client. When we checked the scopes, we found that they have a 30-day lease duration. Very quickly it was established that it's possible the host records had gone stale in DNS due to the lease duration and got scavenged.

A quick chat with our DNS team and we found out that the DNS servers have a setting of about 14 days before a record is scavenged in a daily routine. Namely, the values are 7 days for the non-refresh interval and 7 days for the refresh interval. (see DNS Aging/Scavenging Simplified) (more…)

April 11, 2009

NICs causing Windows start up issue on quad core CPUs

Filed under: WinHardware — saltwetfish @ 6:32 am

We had a bunch of HP Proliant DL580 G5 servers running with 4 x quad core CPUs. With all the cores turned on, this would give us 16 CPUs. When trying to build the servers into Windows 2003, we found that the Windows startup page (the one with the moving bar at the bottom) would hang and not continue.

After some trial and error, we found that if we disabled “one-half of cores per Physical Processor” in the BIOS (effectively 8 CPUs), the server would then boot up correctly. So we continued with the Windows build and completed building the servers into 32-bit Windows 2003 Enterprise Edition. (more…)

April 2, 2009

Windows 2000 terminal services which stopped working

Filed under: Windebug — saltwetfish @ 4:08 am

We were doing a round of upgrades in our Windows estate and we found that one of the Windows 2000 servers had a broken terminal service.

All the following checked out, but the server was just not listening on port 3389:

  • terminal services is running (rebooted the server like a google times) and no errors in the event logs
  • no other application is locking 3389, preventing it from being used
  • no IPsec policies were set
  • no IP filter was configured
  • when I run tsadmin on the server (obviously remotely won’t work), I could see my only session

(more…)

February 21, 2009

CPU issue causing BSOD 7F (0x0D, 0x00, 0x00) & 9C (0x00, xxx, xx, xx)

Filed under: WinHardware — saltwetfish @ 2:30 pm

We had a strange server that would BSOD regularly with stop codes 7F or 9C; in the later days it was BSODing every 10 mins or so.

So we had the motherboard changed, and it stopped BSODing for about 1 hour and then started again!

Diagnostics were run but all were successful (how typical!), and HP was really reluctant to bring down other parts as the diagnostics showed okay. In fact, this is not the first time I have seen HP servers with good diagnostics where, after changing one of the parts, everything is resolved. (more…)

Windows 2000 cannot start up with message “Loader Error 3”

Filed under: Windebug — saltwetfish @ 2:13 pm

Recently we were going through an upgrade exercise for our entire Windows estate to patch them to our latest security and company-specific components. We encountered, so far, two servers where, when rebooted, Windows 2000 would not start up and showed this error:

Windows 2000 could not start because of an error in the software. Please report this problem as Loader Error 3.

Starting up in the recovery console or safe mode is no help, as we encounter the same error. So this points to a fundamental issue with the operating system. (more…)

December 24, 2008

VBScript: nth Day of the month

Filed under: AdminScripts — saltwetfish @ 5:24 pm

Recently I needed a function to calculate the nth day of the month, that is, first Sunday, 2nd Thursday, last Friday, etc. I thought such functions would be easy to find on the internet; however, I couldn’t find a complete function and so decided to write one:

Apologies for the formatting; WordPress doesn’t like program code in its blogs. (more…)
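As an added example (not the VBScript function from the original post, which sits behind the (more…) link), here is the same nth-weekday-of-the-month calculation in Python. The function names are my own; it handles counting from the end of the month (“last Friday”) and rejects occurrences that do not exist (a fifth Sunday in a month with only four).

```python
import calendar
from datetime import date

# English names hard-coded so the lookup does not depend on the locale.
_WEEKDAYS = {name: i for i, name in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}
_ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "last": -1}


def nth_weekday_of_month(year: int, month: int, weekday: int, n: int) -> date:
    """Return the date of the n-th given weekday in a month.

    weekday: 0 = Monday ... 6 = Sunday (Python's convention, not VBScript's).
    n: 1 for the first, 2 for the second, ...; -1 for the last,
       -2 for the second-to-last, and so on.
    Raises ValueError when that occurrence does not exist.
    """
    if n == 0:
        raise ValueError("n must be non-zero")
    days_in_month = calendar.monthrange(year, month)[1]
    if n > 0:
        first = date(year, month, 1)
        # Days from the 1st to the first occurrence of the requested weekday.
        offset = (weekday - first.weekday()) % 7
        day = 1 + offset + (n - 1) * 7
    else:
        last = date(year, month, days_in_month)
        # Days back from the last day of the month to the last occurrence.
        offset = (last.weekday() - weekday) % 7
        day = days_in_month - offset + (n + 1) * 7
    if day < 1 or day > days_in_month:
        raise ValueError(
            f"occurrence {n} of weekday {weekday} does not exist in {year}-{month:02d}")
    return date(year, month, day)


def nth_weekday_by_name(ordinal: str, day_name: str, year: int, month: int) -> date:
    """Convenience wrapper: nth_weekday_by_name('second', 'Thursday', 2008, 12)."""
    return nth_weekday_of_month(
        year, month, _WEEKDAYS[day_name.lower()], _ORDINALS[ordinal.lower()])


if __name__ == "__main__":
    # December 2008, the month this post was written: Dec 1 2008 was a Monday.
    for ordinal, day_name in [("first", "Sunday"), ("second", "Thursday"), ("last", "Friday")]:
        print(ordinal, day_name, "->", nth_weekday_by_name(ordinal, day_name, 2008, 12))
```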


Blog at WordPress.com.