SCCM 2007 troubles with duplicate SID’s

I was installing SCCM 2007 SP2 with R2 on a network where they were using SMS 2003. This was a side-by-side upgrade. Defined boundaries, enabled the automatic Client Pushing, no problem.

The clients were installing nicely, the Deployment Report showed a 97% success rate of installing, but only 10% of the clients were presented as “Client installed: Yes”.

What happened to the other 90% then? The ConfigMgr Clients were installed, but they weren’t reporting correctly.

After running the report “Computers that may share the same unique SMS ID”, the other 90% showed up… with the same ID’s.

Apparently, the sysadmins used Ghost for cloning their workstations, and did not use sysprep in the process. Although there is some discussion about the impact of having duplicate machine SID’s in your domain, it is still very clear that, for instance, WSUS and SCCM are not too happy about this. That’s because they create their own WSUS-ID and SCCM-ID, based on the Machine SID.

Nice…
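As an added illustration (not part of the original post), this groups an exported client list by SMS unique ID to show which cloned machines collide. The CSV columns, hostnames and IDs are constructed, and treating one ID as one usable site record is a simplifying assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: seven ghosted workstations share one ID,
# three machines have their own. WS-008 is listed twice (not a clone).
SAMPLE_EXPORT = """hostname,sms_unique_id
WS-001,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-002,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-003,guid:11111111-aaaa-4bbb-8ccc-000000000001
WS-004,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-005,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-006,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-007,GUID:11111111-AAAA-4BBB-8CCC-000000000001
WS-008,GUID:22222222-AAAA-4BBB-8CCC-000000000002
ws-008,guid:22222222-aaaa-4bbb-8ccc-000000000002
WS-009,GUID:33333333-AAAA-4BBB-8CCC-000000000003
WS-010,GUID:44444444-AAAA-4BBB-8CCC-000000000004
"""

def load_inventory(text):
    """Parse the export into (hostname, id) pairs, normalising case."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        host = (rec.get("hostname") or "").strip().upper()
        sms_id = (rec.get("sms_unique_id") or "").strip().upper()
        if host and sms_id:  # skip incomplete rows
            rows.append((host, sms_id))
    return rows

def duplicate_groups(rows):
    """Return {id: [hostnames]} for IDs claimed by more than one machine."""
    by_id = defaultdict(set)
    for host, sms_id in rows:
        by_id[sms_id].add(host)  # a set, so a repeated row is not a clone
    return {i: sorted(h) for i, h in by_id.items() if len(h) > 1}

def summarize(rows):
    """Count machines, distinct IDs, and machines caught in a collision."""
    dupes = duplicate_groups(rows)
    return {
        "machines": len({h for h, _ in rows}),
        "distinct_ids": len({i for _, i in rows}),
        "machines_sharing_an_id": sum(len(h) for h in dupes.values()),
    }

if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_EXPORT)
    print(summarize(inventory))
    for sms_id, hosts in duplicate_groups(inventory).items():
        print(sms_id, "->", ", ".join(hosts))
```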

So how to go about it then? Running NewSid.exe on all of the computers is not an option, because:

– It takes too long (up to 45-60 minutes per workstation)

– It’s not supported by MS. They say: Use sysprep, no other option.

First I made a script to delete all the smsconfig.ini files on the workstations, and then restart the SMS Agent Host service on the computers. But alas, this was not enough…

I was looking for some way to change only the SCCM ID, when I stumbled across this website that contains the tool SCCM Client Center, by Roger Zander.

It turned out to be exactly what I needed. With this I could make a connection to all workstations, remove the ID, restart the SMS Agent Host service on the machine, and all was good.

Quite a bit of work, doing this for about 900 computers, but hey, what are interns for? 🙂

3 Responses to “SCCM 2007 troubles with duplicate SID’s”

  1. Unable to connect to WMI on remote machine « Rikkos's Blog Says:

    […] Rikkos's Blog Just another WordPress.com weblog « SCCM 2007 troubles with duplicate SID’s […]

  2. Brian Says:

    Hello, I read Mark’s article and think that everybody has gone over the edge with thinking duplicate SID’s are not an issue? We are having major headaches with our WSUS server and our old SMS 2.0 software as well as Dameware because of what appears to be duplicate SID issues. For instance, from what I have read about WSUS, it pulls its WSUS ID from the Machine SID. So when we looked into that we found that we have over 500 machines that have the same WSUS ID and they are not functioning correctly for reporting or installing updates. Is there anything official out there from Microsoft that says duplicate SID’s don’t affect anything? Because I think there should be some clarification to point out Mark was only speaking from a security standpoint and that SYSPREP still needs to be run on every PC in an NT environment. Please post any guidance you may have. Thanks

    • rikkos2 Says:

      Hi,
      Purely from a security and AD point of view, duplicate SID’s are not such a big problem as people always thought they were.
      The problem is that many applications depend on unique Machine SID’s for creating their own SID-related ID’s, such as WSUS and SCCM.
      For WSUS, check this link for a nice solution
