
ECS Windows SID modification operating instructions

Last Updated: Nov 15, 2018

This topic describes how to use the PowerShell script AutoSysprep.ps1 to modify the system Security Identifier (SID) of a Windows instance. For multiple instances launched by using the same Windows Server 2008, Windows Server 2012 or Windows Server 2016 image, you can modify the SID of the instances according to this topic before you build an AD domain environment.

Symptom

After multiple ECS instances are created with the same Windows image, they cannot access the AD domain mutually, or cannot join the AD domain simultaneously.

Analysis

Instances created with the same Windows image have the same SID, so they cannot access the AD domain mutually. In this case, you must modify their SIDs before building the AD domain environment.

How to modify the SID of a Windows instance

Windows has a built-in command, sysprep, which deletes specific system information (including the SID) from an installed Windows image. The PowerShell script AutoSysprep.ps1 described in this topic modifies the Windows SID by calling sysprep. Note that sysprep may recreate the user profile, so files saved on the desktop may also be deleted. Therefore, if you want the script to be deleted automatically after the issue is fixed, you can put the file on the desktop and run it from there.

  1. (Recommended) Create a snapshot of the system disk to guard against a system crash caused by an unexpected failure.

  2. Connect to a Windows instance.

  3. Start CMD.

  4. Run the command powershell to enter the PowerShell interactive mode.

    Note: You must run PowerShell with administrative permission.

  5. Run cd\ to switch to the root directory of drive C.

  6. Run whoami /user to view the current SID.

  7. Download the script AutoSysprep.ps1 to drive C. If your instance can access the Internet, run the following command to download it.

    wget http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/40846/cn_zh/1542198598487/AutoSysprep.ps1 -outfile AutoSysprep.ps1
  8. Run .\AutoSysprep.ps1 -help to view the script description.

    Parameter description:

    -SkipRearm
      Specifies that the Windows licensing state will not be changed. If this switch is not added, the Windows licensing state is restored to the initial out-of-box licensing state, and the licensing settings are restored to their defaults.
      This is the default value.

    -Password
      Resets the password for the instance. Convention:

      The password can be [8, 30] characters in length. It must contain uppercase letters, lowercase letters, and numbers. The following special characters are allowed: ()`~!@#$%^&*-+=|{}[]:;'<>,.?/. A slash (/) cannot be the first character of the administrative password of a Windows instance.

      Default value: Random.

      Note: If you forget to specify a new password for the instance, you can reset an instance password in the ECS console after the SID is changed.

    -Hostname
      Resets the host name of the instance. Naming convention:

      It cannot start or end with a period (.) or a hyphen (-) and it cannot have two or more consecutive periods (.) or hyphens (-). The host name can be [2, 15] characters in length. It can contain A-Z, a-z, numbers, periods (.), and hyphens (-). It cannot only contain numbers.

      Default value: Random.

    -PostAction
      What to do next after the SID is changed. Optional values:
      • shutdown (Default): Stop the instance.
      • reboot: Restart the instance.
      • quit: Only exit from the script execution and stay in the instance.

  9. Run the following command to execute the script. Aliyun1! is the new password for the next remote connection; you can use a different password if needed.

    .\AutoSysprep.ps1 -SkipRearm -Password "Aliyun1!" -PostAction "reboot"
  10. Connect to the Windows instance again.

    Note: For classic network-connected instances, you may need to connect to the instance by using the Management Terminal for configuration, so that the network is accessible.

  11. Run whoami /user to view the SID again.

If the modification is successful, you can now build the AD domain environment with the ECS instance.
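
The -Password and -Hostname conventions from the parameter description can be checked before the script is run. The following is an added example, not part of AutoSysprep.ps1; the function names are hypothetical, and it assumes that only letters, numbers and the listed special characters are accepted in a password.

```powershell
# Added example, not part of AutoSysprep.ps1. Function names are hypothetical.
# Assumption: characters outside letters, numbers and the listed specials are rejected.
function Test-EcsPassword {
    param([Parameter(Mandatory = $true)][string]$Password)
    # Single-quoted string: backtick and $ are literal, '' is one apostrophe.
    $allowed = '^[A-Za-z0-9()`~!@#$%^&*\-+=|{}\[\]:;''<>,.?/]+$'
    $errors = @()
    if ($Password.Length -lt 8 -or $Password.Length -gt 30) { $errors += 'length must be 8 to 30' }
    # -cnotmatch is case-sensitive; plain -notmatch would treat [A-Z] and [a-z] alike.
    if ($Password -cnotmatch '[A-Z]')  { $errors += 'needs an uppercase letter' }
    if ($Password -cnotmatch '[a-z]')  { $errors += 'needs a lowercase letter' }
    if ($Password -notmatch '[0-9]')   { $errors += 'needs a number' }
    if ($Password -cnotmatch $allowed) { $errors += 'contains a character outside the allowed set' }
    if ($Password.StartsWith('/'))     { $errors += 'must not start with a slash' }
    ,$errors   # unary comma keeps an empty result an array
}

function Test-EcsHostname {
    param([Parameter(Mandatory = $true)][string]$Hostname)
    $errors = @()
    if ($Hostname.Length -lt 2 -or $Hostname.Length -gt 15) { $errors += 'length must be 2 to 15' }
    if ($Hostname -notmatch '^[A-Za-z0-9.-]+$') { $errors += 'only A-Z, a-z, numbers, periods and hyphens' }
    if ($Hostname -match '^[.-]|[.-]$')         { $errors += 'must not start or end with a period or hyphen' }
    # Literal reading of the rule: ".." and "--" are rejected.
    if ($Hostname -match '\.\.|--')             { $errors += 'no consecutive periods or hyphens' }
    if ($Hostname -match '^[0-9]+$')            { $errors += 'must not be numbers only' }
    ,$errors
}

# Constructed sample values; 'Aliyun1!' is the example password used in step 9.
foreach ($p in 'Aliyun1!', 'aliyun1!', '/Aliyun12') {
    $e = Test-EcsPassword $p
    '{0,-12} {1}' -f $p, $(if ($e.Count) { $e -join '; ' } else { 'ok' })
}
foreach ($h in 'ad-node-01', '20181115', 'web..01-') {
    $e = Test-EcsHostname $h
    '{0,-12} {1}' -f $h, $(if ($e.Count) { $e -join '; ' } else { 'ok' })
}
```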

How to create multiple instances with different SIDs

For batch deployment, follow these steps to avoid executing the script repeatedly:

  1. Modify the SID of one instance by following steps 1 to 8 in How to modify the SID of a Windows instance.

  2. Run the following command to execute the script. Aliyun1! is the new password for the next remote connection; you can use a different password if needed. After that, the instance is stopped. Do not start it.

    .\AutoSysprep.ps1 -Password "Aliyun1!"
  3. In the ECS console, create system disk snapshots for the instance.

  4. Create a custom image through snapshots, and use that custom image to create new instances, or change the OS of other instances to that custom image.
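
To confirm that the instances really ended up with different SIDs (the whoami /user check in steps 6 and 11, applied across a batch), the machine part of each SID can be compared. The following is an added example, not part of AutoSysprep.ps1; the function names, instance names and SID values are constructed, and it assumes the SIDs were collected from local accounts before any domain join.

```powershell
# Added example, not part of AutoSysprep.ps1.
# Input: the user SID printed by `whoami /user` on each instance.
# Instance names and SID values below are constructed samples.
$collected = @{
    'ecs-win-01' = 'S-1-5-21-1111111111-2222222222-3333333333-500'
    'ecs-win-02' = 'S-1-5-21-1111111111-2222222222-3333333333-500'  # SID not reset
    'ecs-win-03' = 'S-1-5-21-1000000001-2000000002-3000000003-500'
}

function Get-MachineSid {
    param([Parameter(Mandatory = $true)][string]$UserSid)
    # A local account SID is <machine SID>-<RID>; AccountDomainSid drops the RID.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
    if ($null -eq $sid.AccountDomainSid) {
        throw "SID $UserSid is not an account SID, so it has no machine part."
    }
    $sid.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory = $true)][hashtable]$UserSidByInstance)
    $rows = foreach ($name in $UserSidByInstance.Keys) {
        New-Object PSObject -Property @{
            Instance   = $name
            MachineSid = Get-MachineSid $UserSidByInstance[$name]
        }
    }
    # A machine SID shared by two or more instances means sysprep did not run on a clone.
    $rows | Group-Object MachineSid | Where-Object { $_.Count -gt 1 }
}

$duplicates = @(Find-DuplicateMachineSid $collected)
foreach ($group in $duplicates) {
    $names = ($group.Group | ForEach-Object { $_.Instance } | Sort-Object) -join ', '
    Write-Output "Duplicate machine SID $($group.Name): $names"
}
if ($duplicates.Count -eq 0) { Write-Output 'All machine SIDs are distinct.' }

# On an instance itself, the machine SID of the logged-on local account:
Get-MachineSid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```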

FAQ: Why are errors reported when I view the script description in Windows Server 2008?

Symptom: The following error is reported when the command .\AutoSysprep.ps1 -help is executed.

[Screenshot of the error message]

Solution: Run the following command to remove the limitation.

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

FAQ: How to solve the error of “C:\AutoSysprep.ps1 is not digitally signed” when I run the script in Windows Server 2008?

Symptom: The error indicating the PowerShell script is not digitally signed is reported when the command .\AutoSysprep.ps1 -ReserveHostname -ReserveNetwork -skiprearm -post_action "reboot" is executed.

Solution: Run the following command in CMD. You can also run .\AutoSysprep.ps1 -help to view the parameter description.

    powershell -executionpolicy bypass -file c:\AutoSysprep.ps1 -skiprearm -postaction "reboot"

Note: If no special requirements exist, AutoSysprep assigns a random password and host name to the instance when you run the preceding command.

If the problem still exists, please open a ticket to contact Alibaba Cloud.