10

I've been researching WDS and other imaging tools, and the best practice seems to be to sysprep the master machine before imaging.

However, where I've been working they simply build a machine then use Ghost to create an image. I asked them about sysprep, and they said it just causes problems. They've been doing it this way for years, and it seems to be working.

Is sysprep necessary? What can happen if you don't sysprep?

NOTE: I'm currently deploying XP, but if there are issues specific to Vista/7 I'd be interested to know what they are.

Dennis Williamson
Eric Haskins

6 Answers

10

Sysprep allows you to do the following:

  • Generates a new computer SID
  • Set a new computer name
  • Clear out event logs
  • Run mini setup to deal with hardware differences

Sysprep isn't necessary, as long as you change the SID and computer name. It's also a good idea if the hardware you're deploying to is the same or similar.

There are tools that you can use to change the SID so you don't need to run sysprep.
Ghost has a utility called ghostwalker. There's also NewSID which is a sysinternals tool.

Chris S
Nick Kavadias
  • I've been using NewSID for some time with great success. This avoids having to activate each time a new image is copied... – Dscoduc Sep 08 '09 at 21:34
  • Oh yeah, if you call up Microsoft Support and mention that you used a SID changing tool they will tell you it's unsupported... Sysprep is the only supported solution for OS duplication. – Dscoduc Sep 11 '09 at 05:18
  • 8
    http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx Changing SIDs has actually been found to be useless. It's never used outside of the actual computer (so it doesn't matter if they are the same) and NewSID has now been deprecated. – Shial Nov 25 '09 at 13:30
  • Note with the above that it's only the local machine SID that's irrelevant -- it's still extremely important that every system in a forest have a unique domain SID. Since this has nothing to do with NewSID, though, I'm probably being pedantic. – jgoldschrafe Feb 16 '11 at 03:05
  • 1
    Don't forget the CMID part in a KMS environment - no sysprep generalize then no KMS client + – Chadddada Feb 18 '11 at 18:54
6

http://oem.microsoft.com/public/seo/sysprep.htm

Microsoft does not provide support for computers that were set up with SID duplicating tools other than the Sysprep tool.

I always sysprep using the recommended documented way, because it's recommended and documented. Picture this: you're having a bunch of issues with your PCs, you call PSS, you happen to mention in the course of the call that you didn't sysprep them. Are PSS gonna want to touch you with a 10 foot pole? Or are they gonna tell you to set up the machines the correct way, see if the issues recur, then call them back?

Seriously, doing things the right way can put you in a position where your environment is supported. That's more than worth any number of shortcuts in my book.

Maximus Minimus
  • Funny they'd not support it if they supply NewSID also...? – Bart Silverstrim Sep 08 '09 at 11:56
  • 1
    I'd assume NewSID is not intended for production environments. Ah yes: http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx and http://support.microsoft.com/default.aspx?scid=kb;EN-US;314828 – Maximus Minimus Sep 08 '09 at 14:42
5

Something I don't see people talking about is KMS in relation to sysprep. If you are planning on deploying a bunch of Windows 7 boxes, using KMS to license them, then you will have problems with the KMS server incrementing the count to activate. When you run sysprep you also create a unique CMID, in addition to the SID. The CMID is used with KMS to increment your count.

For example, if you want to activate your B license, you will need 25 machines with a unique CMID to check in with the server. I have seen this issue popping up with people who have been deploying images to large sets of computers and who haven't been running sysprep w/ the /generalize and are new to deploying Windows 7.

Just a heads up! Not sure if this relevant to you yet but if you go KMS then this may bite you.

Chadddada
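A way to check for the CMID problem described in the answer above, as an added example that is not part of the original post: it groups KMS host activation records by CMID to find machines imaged without `/generalize`. The comma-separated field order of the event 12290 Info string is an assumption here, and the sample records are constructed.

```python
from collections import defaultdict

# Assumed field order of the "Info:" string in KMS host event 12290.
FIELDS = ("result", "min_count", "fqdn", "cmid", "timestamp",
          "is_vm", "license_state", "minutes_left", "activation_id")

def parse_info(line):
    """Split one Info string into a dict keyed by FIELDS."""
    values = [v.strip() for v in line.split(",")]
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    return dict(zip(FIELDS, values))

def audit_cmids(lines, threshold=25):
    """Group client hostnames by CMID; several hostnames under one CMID
    means clones of an image that was never generalized."""
    hosts_by_cmid = defaultdict(set)
    for line in lines:
        rec = parse_info(line)
        hosts_by_cmid[rec["cmid"].lower()].add(rec["fqdn"].lower())
    clones = {c: sorted(h) for c, h in hosts_by_cmid.items() if len(h) > 1}
    return {
        "hosts": len(set().union(*hosts_by_cmid.values())),
        "unique_cmids": len(hosts_by_cmid),  # what the KMS count is based on
        "clones": clones,
        "threshold_met": len(hosts_by_cmid) >= threshold,
    }

# Constructed sample records: pc01-pc03 share one CMID, pc04 has its own.
CLONE_CMID = "aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa"
ACT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder activation ID
SAMPLE = [
    "0x0,25,pc01.example.test,%s,2011/02/18 18:54,0,2,43200,%s" % (CLONE_CMID, ACT_ID),
    "0x0,25,pc02.example.test,%s,2011/02/18 18:55,0,2,43200,%s" % (CLONE_CMID, ACT_ID),
    "0x0,25,pc03.example.test,%s,2011/02/18 18:57,0,2,43200,%s" % (CLONE_CMID, ACT_ID),
    "0x0,25,pc04.example.test,bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb,"
    "2011/02/18 19:02,0,2,43200,%s" % ACT_ID,
]

if __name__ == "__main__":
    report = audit_cmids(SAMPLE)
    print(report["hosts"], "hosts,", report["unique_cmids"], "unique CMIDs")
    for cmid, hosts in report["clones"].items():
        print("shared CMID", cmid, "->", ", ".join(hosts))
```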
1

I'm one of those who doesn't like sysprep. I've also simply been using either Ghost or Drive Image images of machines and never had a problem doing so. Regardless of which way you go the target machine will need a unique name. For me it's no big deal to spend 30 seconds per machine to rename it. I've looked into the various ways machine names can be supplied during set up but regardless of whether it's a cold install, a complete image or using sysprep, nothing fits my preferred naming scheme, so I may as well just do it manually. The SID has never been an issue for me as I join the machines to the domain as the last stage of deployment.

Disclaimer: I've never had to set up more than about half a dozen machines at a time. If I was working with something like classrooms I would definitely use a more automated method.

John Gardeniers
1

The only practical issue I am aware of is that local accounts on one machine will have NTFS permissions on the others. This would definitely be an issue for clients, especially with worms spreading over admin shares, or just nosey clever people.

I've seen a number of Citrix MetaFrame servers at a previous workplace that had the same SID - the Altiris tool hadn't been working right. These were maybe 20-odd HP blades, and had been in production for months. I'm not aware of any faults which could have been traced to the duplicated SIDs.

Names are another issue - your co-workers must be renaming machines or they couldn't join the domain.

Don't forget to clear out event logs and delete any system restore points before making the image.

Disadvantages of Sysprep on XP include all the new-user nonsense Microsoft litters the desktop and start menu with - media player icons, the windows tour, that $@%&!! search puppy... all this can be controlled with group policy, but I can understand why you would choose to avoid it altogether.

New user profile behaviour also changed with SP3 on XP, whether it was based on the Administrator's profile or not - more stress for those who already had a working deployment system prior to this.

Mini-setup on some ThinkPads (T61 and newer) can take like ten full minutes to finish setting up the network - this is time that could be better spent reading Server Fault.

nray
  • I don't see how it could cause a problem with admin shares at all -- you still need to authenticate. If you could just provide your SID and authenticate to a remote share without providing a valid Kerberos ticket, it would be a security nightmare (think NFS). This should only affect shared disks, like if for some reason you were moving external drives from one system to another and local user permissions were important. – jgoldschrafe Feb 16 '11 at 03:08
0

Most of the time I Sysprep the destination machine after I bring it back up because it is more convenient, minimizes the time the source machine is down and I don't have to go through the configuration on it.

If you don't Sysprep you will end up with machines with the same SID, which is what Windows really uses to identify a machine, not the "pretty" name, DNS name or IP address.

Keith Stokes
  • But what issues does that cause? From what I've seen it doesn't cause any issues. – Eric Haskins Sep 07 '09 at 22:52
  • If machine1 and machine2 have the same SID, machine3 won't know which one is which. – Keith Stokes Sep 07 '09 at 23:42
  • Adding 2 machines with the same SID but different names will result in issues with Active Directory; also, permissions are tied to SIDs. On domains you won't see it as much but it can still lead to issues with head-scratching related to file ownership/ACLs. – Bart Silverstrim Sep 08 '09 at 01:57
  • 1
    Domain SIDs and machine SIDs aren't the same thing, though. Domain SIDs are generated at domain-join time. Machine SIDs have nothing to do with Active Directory and aren't tied to anything besides local user accounts and their corresponding NTFS ACLs. – jgoldschrafe Feb 16 '11 at 03:09
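The local-account case raised in nray's answer and in the comments above (machine SIDs tied to local accounts and their NTFS ACLs), as an added example that is not part of the original thread: it decodes the binary SID stored in an ACE and resolves it against each machine's local accounts, showing what happens when a disk moves between un-generalized clones. The machine SIDs, account names and RIDs are constructed.

```python
import struct

def pack_sid(sid: str) -> bytes:
    """Encode 'S-1-...' into the binary layout stored in an ACE."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)])
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count, 48-bit
    big-endian authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", "1", str(int.from_bytes(raw[2:8], "big"))]
                    + [str(s) for s in subs])

def resolve_ace(raw_sid: bytes, machine: dict) -> str:
    """Resolve an ACE trustee against one machine's local accounts only
    (well-known and domain SIDs are out of scope here)."""
    sid = parse_sid(raw_sid)
    issuer, _, rid = sid.rpartition("-")  # machine SID, then the account RID
    if issuer != machine["machine_sid"]:
        return "unresolved " + sid
    return machine["accounts"].get(int(rid), "unresolved " + sid)

# Constructed sample data: PC_B is an un-generalized clone of PC_A,
# PC_C was generalized and received its own machine SID.
MASTER = "S-1-5-21-1111111111-2222222222-3333333333"
PC_A = {"machine_sid": MASTER, "accounts": {500: "Administrator", 1003: "alice"}}
PC_B = {"machine_sid": MASTER, "accounts": {500: "Administrator", 1003: "bob"}}
PC_C = {"machine_sid": "S-1-5-21-4444444-5555555-6666666",
        "accounts": {500: "Administrator", 1003: "carol"}}

# ACE written on PC_A for alice, found on a disk moved to another machine.
ACE_TRUSTEE = pack_sid(MASTER + "-1003")

if __name__ == "__main__":
    for name, pc in (("PC_A", PC_A), ("PC_B", PC_B), ("PC_C", PC_C)):
        print(name, "->", resolve_ace(ACE_TRUSTEE, pc))
```

On the clone the ACE silently maps to a different person's account, while the generalized machine shows it as an unknown SID, which is the visible cue to look for when auditing ACLs on moved disks.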