Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.
Problem description
After several ECS instances are created using the same Windows Server image, the instances cannot access the AD domain or join the AD domain at the same time.
Cause
Instances created from the same Windows Server image have the same computer security identifier (SID) and therefore cannot access each other's AD domains. In this case, you need to modify the SID of the instance and then create a domain environment.
Solutions
Take note of the following items:
- Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
- Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
- If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.
How to batch create instances with different SIDs
Use the latest public image to create the instances. This issue is fixed in the latest public image.
How to modify the SID of a Windows instance
The sysprep command built into Windows can remove specific system information, including SIDs, from installed Windows images. This topic uses the PowerShell script file AutoSysprep.ps1, which calls the built-in sysprep command, to modify the SID of a Windows instance. Note that the sysprep command restores the user profile to the default value. After the sysprep command is executed, the files created on the desktop are deleted. If you want the script to be deleted automatically after the issue is fixed, you can place the script file on the desktop and run it from there.
- Create a snapshot for the system disk of the instance. For more information, see Create a snapshot.
- Log on to the instance. For more information, see Connect to a Windows instance from a local client.
- Log on to the system terminal and run the powershell command to enter the PowerShell interactive mode.
Note: You must run the powershell command as an administrator.
- Run the cd\ command to switch to the root directory of the C disk.
- Run the following command to view the SID of the system:
whoami /user
The command output shows the SID of the current user.
- Download the AutoSysprep script tool by using the following link and upload it to the C disk of the instance.
AutoSysprep script tool
- Go to the directory where the AutoSysprep.ps1 script tool is located and run the following command to view the description of the script tool:
.\AutoSysprep.ps1 -help
For a description of the parameters, see References.
- Run the following command to run the script:
.\AutoSysprep.ps1 -SkipRearm -Password "[$Password]" -PostAction "reboot"
Note: [$Password] specifies the password that you want to set.
- Wait for a while and log on to the instance again.
Note: If you are using a classic network type instance, you need to use the management terminal to connect to the Windows instance. After the configuration is completed, the network can be connected.
- Run the following command to confirm that the SID of the system has changed:
whoami /user
Then, you can use the ECS instance to build an AD domain environment.
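whoami /user prints the SID of the logged-on account, and for a local account that SID is the machine SID followed by a relative ID (RID). The script below is an added example, not part of AutoSysprep or of the original article: it extracts the machine SID, saves it before AutoSysprep.ps1 runs, and compares it after you log on again. The file name Compare-MachineSid.ps1 and the baseline path C:\machine-sid-before.txt are assumptions chosen for this example; the baseline is kept in the root of C: rather than on the desktop because sysprep resets the user profile.

```powershell
# Compare-MachineSid.ps1 (hypothetical name; added example, not part of AutoSysprep).
# Run with -Phase Before ahead of AutoSysprep.ps1, then with -Phase After once you log on again.
param(
    [ValidateSet('Before', 'After')]
    [string]$Phase = 'Before',
    # Assumed location: root of C:, because sysprep resets the user profile and desktop.
    [string]$BaselinePath = 'C:\machine-sid-before.txt'
)

function Get-MachineSid {
    # A local account SID is "<machine SID>-<RID>", so dropping the last
    # component leaves the machine SID. Get-WmiObject also works on PowerShell 2.0.
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if (-not $account) { throw 'No local user account found.' }
    return ($account.SID -replace '-\d+$', '')
}

$current = Get-MachineSid

if ($Phase -eq 'Before') {
    # Record the SID inherited from the image so it can be compared later.
    Set-Content -Path $BaselinePath -Value $current -Encoding ASCII
    Write-Output "Baseline machine SID saved to ${BaselinePath}: $current"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "Baseline file $BaselinePath not found; run with -Phase Before first."
}
$before = (Get-Content -Path $BaselinePath | Select-Object -First 1).Trim()

if ($before -eq $current) {
    # Same value as in the image: sysprep did not regenerate the SID.
    Write-Warning "Machine SID is unchanged ($current)."
    exit 1
}
Write-Output "Machine SID changed: $before -> $current"
```

Running the same check on each instance created from the image also shows whether any two of them still share a machine SID before they are joined to the domain.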
References
The following describes the parameters of the AutoSysprep.ps1 script tool:
- -SkipRearm parameter: keeps the Windows operating system in its current licensing status. If this parameter is not specified, AutoSysprep restores the Windows instance to the original license status.
- -Password parameter: resets the password for the instance. The password rules are as follows:
The password must be 8 to 30 characters in length and cannot contain a slash (/). It must contain three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Some special characters are shown below:
( ) ` ~ ! @ # $ % ^ & - _ + = { } [ ] : ; ' < > , . ? /
The default value of the -Password parameter is randomly generated by AutoSysprep.
Note: If you forget to set the password, you can reset the password in the ECS console after you change the system SID.
- -Hostname parameter: resets the hostname for the instance. The hostname limits are as follows:
The hostname must be 2 to 15 characters in length. It cannot contain periods (.) or contain only digits. Periods (.) and hyphens (-) cannot be used as the first or last character and cannot be used consecutively. The default value of the -Hostname parameter is randomly generated by AutoSysprep.
- -PostAction parameter: the operation that is performed after the script is run. The options are described as follows:
- shutdown: the default option. Stop the instance after you modify the SID of the instance.
- reboot: reboot the instance after you modify the SID of the instance.
- quit: remain in the instance after you modify the SID of the instance.
- -help parameter: displays the description of the script tool and the custom parameters that AutoSysprep.ps1 supports.
An error occurs when you view the script description on Windows Server 2008
Problem description
Run the following command to view the description of the script:
.\AutoSysprep.ps1 -help
If an error is returned instead of the script description, use the following solution.
Solution
Run the following command to change the execution policy so that the script is allowed to run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
A "not digitally signed" message is displayed when you run the script on Windows Server 2008
Problem description
Run the following command to run the script:
.\AutoSysprep.ps1 -skiprearm -postaction "reboot"
If a message is returned indicating that the script is not digitally signed, use the following solution.
Solution
Log on to the system terminal and run the following command to run the script:
powershell -executionpolicy bypass -file c:\AutoSysprep.ps1 -skiprearm -postaction "reboot"
Note: If you have no specific requirements, AutoSysprep randomly generates a password and a hostname.
Applicable scope
- Elastic Compute Service (ECS)