Monday, May 10, 2010

The Same Machine Security Identifier SID

We were handed a number of Server 2008 boxes. They could join a domain, but nobody could log on to them with domain credentials.

The log contained this message:

The computer or domain SERVERNAME-APP trusts domain DEV.  (This may be an indirect trust.)  However, SERVERNAME-APP and SERVERNAME have the same machine security identifier (SID).  NT should be re-installed on either SERVERNAME-APP or SERVERNAME.

Assess - obtain PsGetSid from the Sysinternals site, then run it on both servers. It should confirm that both systems report the same machine SID.
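If PsGetSid is not handy, the same check can be done from PowerShell. The script below is an added example, not something from the original post or from Sysinternals: it reads the SID of the built-in Administrator account (RID 500) over WMI, strips the RID to get the machine SID, and flags any hosts that share one. It assumes WMI access with administrative rights to each host; the host names are the ones from the event log message above and are placeholders.

```powershell
# Added example (not from the original post): derive the machine SID of one or more
# hosts from a local account's SID and report whether any two hosts share it.
# Assumes WMI access (local or remote) with administrative rights. "SERVERNAME" and
# "SERVERNAME-APP" are placeholders taken from the event log text; substitute your own.

function Get-MachineSid {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator always has RID 500 (even if renamed), so the lookup does not
    # depend on which other local users exist.
    $account = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $account) { throw "No local RID-500 account found on $ComputerName" }

    $sid = New-Object System.Security.Principal.SecurityIdentifier($account.SID)
    # AccountDomainSid drops the trailing RID and leaves the machine SID.
    return $sid.AccountDomainSid.Value
}

function Test-DuplicateMachineSid {
    param([string[]]$ComputerName)

    $results = foreach ($name in $ComputerName) {
        New-Object PSObject -Property @{
            ComputerName = $name
            MachineSid   = Get-MachineSid -ComputerName $name
        }
    }
    $results | Format-Table ComputerName, MachineSid -AutoSize

    # Group by machine SID; any group with more than one member is the
    # duplicate that the "same machine security identifier" event complains about.
    $dupes = @($results | Group-Object MachineSid | Where-Object { $_.Count -gt 1 })
    foreach ($d in $dupes) {
        $hosts = ($d.Group | ForEach-Object { $_.ComputerName }) -join ', '
        Write-Warning ("Duplicate machine SID {0} on: {1}" -f $d.Name, $hosts)
    }
    # $true means every host has a distinct machine SID.
    return ($dupes.Count -eq 0)
}

Test-DuplicateMachineSid -ComputerName 'SERVERNAME', 'SERVERNAME-APP'
```

Run it again after the sysprep step below to confirm the two servers now report different machine SIDs before re-joining the domain.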

Resolve - http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-and-windows-server-2008-r2-using-sysprep/ has very clear instructions on running SYSPREP (included with 2008) to generate a new machine SID.

After sysprep I had to:
  1. connect via console
  2. click US
  3. provide host name
  4. activate it
  5. take it out of the domain it was in, reboot
  6. re-join to the domain, reboot