Modify the SID of a Windows instance to build a domain environment

Last Updated: May 10, 2022

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.

Problem description

After several ECS instances are created from the same Windows Server image, the instances cannot access or join the AD domain at the same time.

Cause

Several instances that use the same Windows Server image have the same computer security identifier (SID) and therefore cannot access each other's AD domains. In this case, you need to modify the SID of the instance and then create a domain environment.

Solutions

Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

How to Batch Create Instances with Different SIDs

Create the instances from the latest public image. This issue is fixed in the latest public image.

How to modify the SID of a Windows instance

The sysprep command built into Windows can remove system-specific information, including the SID, from an installed Windows image. This topic uses the AutoSysprep.ps1 PowerShell script together with the built-in sysprep command to modify the SID of a Windows instance. Note that the sysprep command restores the user profile to its default state, so files created on the desktop are deleted after the sysprep command is run. If you want the script to be deleted automatically after the issue is fixed, place the script file on the desktop and run it from there.

  1. Create a snapshot for the system disk of the instance. For more information, see Create a snapshot.
  2. Log on to the instance. For more information, see Connect to a Windows instance from a local client.
  3. Log on to the system terminal and run the powershell command to enter the PowerShell interactive mode.
    Note: You must run the powershell command as an administrator.

  4. Run the cd\ command to switch to the root directory of the C disk.
  5. Run the following command to view the SID of the system:
    whoami /user
    The output shows the name and SID of the current user.

  6. Download the AutoSysprep script tool from the following link and upload it to the C disk of the instance.
    AutoSysprep script tool
  7. Go to the directory where the AutoSysprep.ps1 script tool is located and run the following command to view the description of the script tool:
    .\AutoSysprep.ps1 -help
    For a description of the parameters, see References.

  8. Run the following command to run the script:
     .\AutoSysprep.ps1 -SkipRearm -Password "[$Password]" -PostAction "reboot"
    Note: [$Password] is the password that you want to set.
  9. Wait for a while and log on to the instance again.
    Note: If the instance is of the classic network type, use the management terminal to connect to the Windows instance. The network becomes available after the configuration is complete.
  10. Run the following command to confirm that the SID of the system has changed:
    whoami /user
    Then, you can use the ECS instance to build an AD domain environment.
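
The before-and-after comparison in steps 5 and 10 can be scripted. The following is an added example, not part of AutoSysprep.ps1 or of the original article: it derives the machine portion of the SID from a local account and compares it across the sysprep run. The file name C:\sid-before.txt and both function names are assumptions made for this example.

```powershell
# Added example, not part of AutoSysprep.ps1.
# Assumption: C:\sid-before.txt is a hypothetical state file. It is kept in
# the root of the C disk because sysprep resets the user profile and desktop.

function Get-MachineSid {
    # A local account SID has the form "<machine SID>-<RID>". Dropping the RID
    # leaves the part that is shared by instances created from the same image.
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if (-not $account) { throw "No local account found on this system." }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($account.SID)
    return $sid.AccountDomainSid.Value
}

function Compare-MachineSid {
    param([string]$StateFile = 'C:\sid-before.txt')

    $current = Get-MachineSid
    if (-not (Test-Path $StateFile)) {
        # First run, before AutoSysprep.ps1: record the current machine SID.
        Set-Content -Path $StateFile -Value $current
        return "Recorded machine SID $current"
    }

    # Second run, after the instance has restarted: compare with the record.
    $before = (Get-Content -Path $StateFile | Select-Object -First 1).Trim()
    if ($before -eq $current) {
        Write-Warning "Machine SID is unchanged: $current"
        return "unchanged"
    }
    Remove-Item -Path $StateFile
    return "Machine SID changed from $before to $current"
}

Compare-MachineSid
```

Run it once before step 8 and once after step 9. A result of "unchanged" means the instance still carries the SID of the image and should not yet be joined to the domain.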

References

The following describes the parameters of the AutoSysprep.ps1 script tool:

  • -SkipRearm parameter: retains the current licensing status of the Windows operating system. If this parameter is not specified, AutoSysprep restores the Windows instance to its original license status.
  • -Password parameter: resets the password of the instance. The password rules are as follows:
    The password must be 8 to 30 characters in length and cannot contain a slash (/). It must contain three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Some special characters are shown below. The default value of the -Password parameter is randomly generated by AutoSysprep.
    ( ) ` ~ ! @ # $ % ^ & - _ + = { } [ ] : ; ' < > , . ? /
    Note: If you forget to set the password, you can reset the password in the ECS console after you change the system SID.

  • -Hostname parameter: resets the hostname of the instance. The hostname limits are as follows:
    The hostname must be 2 to 15 characters in length. It cannot contain periods (.) or contain only digits. Periods (.) and hyphens (-) cannot be used as the first or last character, and cannot be used consecutively. The default value of the -Hostname parameter is randomly generated by AutoSysprep.
  • -PostAction parameter: the operation to perform after the script is run. The options are described as follows:
    • shutdown: the default option. Stops the instance after the SID of the instance is modified.
    • reboot: reboots the instance after the SID of the instance is modified.
    • quit: you remain in the instance after the SID is modified.
  • -help parameter: shows the description of the script tool, including how to use the custom parameters of AutoSysprep.ps1.
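
Because sysprep is run on a live system disk, it is worth checking the -Password and -Hostname values against the rules above before the script is started. The following is an added example, not part of AutoSysprep.ps1: the function names Test-SysprepPassword and Test-SysprepHostname and the sample values are assumptions made for this example, and the checks implement only the rules listed on this page.

```powershell
# Added example, not part of AutoSysprep.ps1. Function names are hypothetical.

function Test-SysprepPassword {
    param([string]$Password)
    if ($Password.Length -lt 8 -or $Password.Length -gt 30) { return $false }
    if ($Password.Contains('/')) { return $false }

    $classes = 0
    # -cmatch is case-sensitive. The default -match would treat [A-Z] and
    # [a-z] as the same class and overcount.
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -match '[0-9]') { $classes++ }
    # Special characters as listed on this page. The slash is left out
    # because the rule above already rejects it.
    $special = '()`~!@#$%^&-_+={}[]:;''<>,.?'
    if ($Password.IndexOfAny($special.ToCharArray()) -ge 0) { $classes++ }

    return ($classes -ge 3)
}

function Test-SysprepHostname {
    param([string]$Hostname)
    if ($Hostname.Length -lt 2 -or $Hostname.Length -gt 15) { return $false }
    if ($Hostname.Contains('.')) { return $false }            # periods not supported
    if ($Hostname -match '^[0-9]+$') { return $false }        # digits only
    if ($Hostname.StartsWith('-') -or $Hostname.EndsWith('-')) { return $false }
    if ($Hostname.Contains('--')) { return $false }           # consecutive hyphens
    return $true
}

# Constructed sample values: one valid password, one with a single character
# class, one containing a slash.
foreach ($p in 'Example-Pass1', 'alllowercase', 'Has/Slash1A') {
    '{0,-16} {1}' -f $p, (Test-SysprepPassword $p)
}

# Constructed sample values: one valid hostname, one digits-only, one with a
# trailing hyphen, one longer than 15 characters.
foreach ($h in 'ad-node-01', '123456', 'web-', 'this-name-is-too-long') {
    '{0,-22} {1}' -f $h, (Test-SysprepHostname $h)
}
```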

An error occurs when you view the script description on Windows Server 2008

Problem description

Run the following command to view the description of the script:

.\AutoSysprep.ps1 -help

If an error similar to the following one is returned, use the solution below:

Solution

Run the following command to change the PowerShell execution policy so that the script is permitted to run:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

A message that the script is not digitally signed appears when you run the script on Windows Server 2008

Problem description

Run the following command to run the script:

 .\AutoSysprep.ps1 -skiprearm -postaction "reboot"

If a message similar to the following one is returned, use the solution below:

Symptom

Solution

Log on to the system terminal and run the following command to run the script:

powershell -executionpolicy bypass -file c:\AutoSysprep.ps1 -skiprearm -postaction "reboot"

Note: If you have no specific requirements for the password and hostname, AutoSysprep randomly generates them.

Applicable scope

  • Elastic Compute Service (ECS)