May 20, 2002 12:00 AM

Deploying PCs with Sysprep

Windows IT Pro
InstantDoc ID #24877
Downloads
24877.zip

Safely clone your XP, Win2K, and NT systems with this handy utility

Editor's Note: Portions of this article were adapted from The Definitive Guide to Windows 2000 Administration (Realtimepublishers.com).

Disk-cloning software represents a major step in the evolution of OS deployment automation. With disk-cloning tools, you can configure a master system, complete with configured OS and applications, create a binary image of the system installation (i.e., create a "picture" of the disk's contents), then duplicate that image on other systems. Some utilities even let you multicast an image over the network so that multiple PCs can simultaneously receive a disk image from one or more source servers.

Although these utilities have proven handy for many IT shops, they aren't problem free. Disk-cloning utilities raise concerns about security and machine uniqueness (e.g., SID duplication). Despite these concerns, the tools' overwhelming popularity within the IT community showed Microsoft that disk-cloning products (and their potential problems) aren't about to go away. So Microsoft has embraced the technology and developed the System Preparation tool (sysprep.exe). Sysprep augments rather than replaces the functionality of disk-cloning software and makes using disk-cloning software more efficient and safer.

Disk Duplication Demons
Disk-cloning utilities have been lifesavers for network administrators who need to deploy large numbers of workstations on their networks. But disk-cloning software presents two major problems. First, these utilities require the reference machine (i.e., the machine from which you create the image) to have a virtually identical hardware configuration to the target machine (i.e., the machine that receives the image). Otherwise, you're likely to see a blue screen when you start up the cloned machine. Considering the fairly short life cycle of most PC hardware and the variety of hardware that exists in most companies, this shortcoming limits the usefulness of disk-cloning software.

Second, and more important, disk-cloning software creates a significant security problem when you use it on Windows XP, Windows 2000, and Windows NT systems. When you install these OSs, the installation process assigns the system a unique SID. Because disk-cloning software duplicates the reference machine's disk image after that machine has been assigned a SID, the target machines' SID will be identical to the reference machine's SID.

To understand why SID duplication creates a security problem, consider that each system in an XP, Win2K, or NT environment generates a unique SID that's associated with all the local user accounts. Two machines that have the same SID would assign the same SID to all new user accounts you create on those machines. In this situation, Windows will see the resulting user accounts as being the same—regardless of any differences in the usernames. For example, if you gave the shipping clerk a machine based on the same disk image as the machine you gave to the head of your Accounting department and both users created a new local administrator account on their machine, the shipping clerk would have rights to access anything that the Accounting department head's local user account could access.
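The SID collision described above, as an added example that is not part of the original article: a local account's SID is the machine SID with a relative identifier (RID) appended, so two machines cloned from one image issue byte-for-byte identical account SIDs. The machine SID value below is constructed, and the RID 1000 is assumed to be the first one handed to a locally created account.

```python
import struct

# Constructed sample values (not from the article): the reference machine's SID and
# the SID a cloned target ends up with, which is the same because the image carried it.
REFERENCE_MACHINE_SID = "S-1-5-21-1085031214-1606980848-1801674531"
CLONE_MACHINE_SID = "S-1-5-21-1085031214-1606980848-1801674531"  # identical after cloning
FIRST_USER_RID = 1000  # assumed: first RID Windows assigns to a newly created local account


def parse_sid(sid: str):
    """Split 'S-R-IA-SA1-...-SAn' into (revision, identifier authority, [subauthorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_binary(sid: str) -> bytes:
    """Encode a SID in the binary layout Windows stores in the registry and on disk:
    revision byte, subauthority count, 48-bit big-endian authority, then 32-bit
    little-endian subauthorities."""
    rev, auth, subs = parse_sid(sid)
    header = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(blob: bytes) -> str:
    """Decode the binary layout back to the 'S-...' string form."""
    rev, count = blob[0], blob[1]
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))


def account_sid(machine_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID with the account's RID appended."""
    return f"{machine_sid}-{rid}"


def same_principal(account_a: str, account_b: str) -> bool:
    """Windows compares SIDs, not names: identical binary SIDs are one security principal."""
    return sid_to_binary(account_a) == sid_to_binary(account_b)


if __name__ == "__main__":
    clerk = account_sid(REFERENCE_MACHINE_SID, FIRST_USER_RID)      # created as "shipclerk"
    acct_head = account_sid(CLONE_MACHINE_SID, FIRST_USER_RID)      # created as "acctadmin"
    print(clerk, acct_head, same_principal(clerk, acct_head))
```

A Sysprep-prepared reference system avoids this because the SID in the image is regenerated at first boot, so the machine part of each target's account SIDs differs.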

Postduplication SID Switching
Disk-cloning software vendors offer a solution to the SID-duplication problem: SID-changing utilities that can modify the SID on a cloned machine. However, I've found that many of these utilities cause residual problems, and many fail to change the SID that's referenced within the registry and file system.

Also, be aware that Microsoft supports cloned machines only under limited circumstances. You need to have cloned a machine before the SID assignment or in conjunction with Sysprep for Microsoft to support that machine. For more information about Microsoft's support of cloned systems, see the Microsoft article "Do Not Disk Duplicate Installed Versions of Windows" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q162001).

Sysprep to the Rescue
Unlike postduplication SID-changing utilities (such as those that ship with most disk-cloning utilities), Sysprep restores machine uniqueness by letting you roll a reference machine back to its pre-SID state after you install all desired software. The first time you start a reference machine after running Sysprep on it, the machine will return to the last stage of the Windows setup process (i.e., the machine and network identification stage), in which the SID is assigned. (Don't run Sysprep on a production system: The utility removes critical configuration information and effectively rolls the system back to a state prior to setup completion. Run Sysprep only on reference systems that you've intentionally set up to provide a template system configuration.)

A benefit to using Sysprep with disk-cloning software is that Microsoft supports machines that you use this method to deploy, so you won't be out of luck if you need to call Microsoft Product Support Services (PSS) for help with a cloned system. I've found that systems cloned from Sysprep-prepared reference systems exhibit fewer problems than do machines created with the disk-cloning and SID-changer utility method.

If you support NT machines and want to use Sysprep, you'll find that getting the NT 4.0 version of Sysprep (Sysprep 1.0) isn't easy. Although the utility is free, Microsoft doesn't make Sysprep 1.0 available for public download from the company's Web site, forcing users to submit a special request for the utility. Furthermore, only Enterprise and Select Agreement customers are eligible to use Sysprep 1.0. If your organization is an Enterprise or Select Agreement customer, take one of the following steps to obtain Sysprep 1.0 for NT:

  • Make a request on Microsoft's Request License for System Preparation Tool Web page (http://www.microsoft.com/ntworkstation/deploy/deploytools/requestlicense.asp).
  • Fax a request to Windows Deploy Tool License Agreement Request at 206-285-4403 (United States and Canada only).
  • Leave a voicemail message with your request by calling 800-394-9621 (United States and Canada) or 206-378-5544 (international).

Comments
  • asdg
    6 years ago
    Mar 09, 2006

    Unbelievable. I have yet to find ONE article anywhere that walks you through how to use Sysprep. This article comes close, then simply does not provide step-by-step instructions for first timers.

  • Anonymous User
    7 years ago
    Mar 24, 2005

    I'm reading through Sysprep ref.chm and find no sysprep -clean reference. Is this an undocumented switch?

  • Thomas Dallas
    10 years ago
    Nov 26, 2002

    this seems to be wrong:
    add the command
    sysprep -quiet
    to the [GuiRunOnce] section of the sysprep.inf file.

    do not add it to sysprep.inf but to unattend.txt

  • Chris Cantwell
    10 years ago
    Nov 25, 2002

    We use the XP sysprep and Norton Ghost to make a single image for multiple computer platforms. First change the bus master IDE controller in Device Manager to the Standard PC IDE Controller. Reboot to make the change effective. Then remove the IDE controller from the Device Manager. DO NOT REBOOT! We run our antivirus install program here, which modifies the "RunOnce" registry key to run the antivirus setup at next boot. Then run the Sysprep utility, do not use the "Plug and Play" option. Reboot the computer with a DOS disk and use your DOS-based imaging utility (we use Ghost) to save an image of the hard drive. When a machine is re-imaged with this image, the XP mini-setup will run, detecting any hardware specific to that machine. This requires a reboot after detection of the correct bus-master IDE driver.
    Footnote: After one sysprep, if you repeat the sysprep process, sometimes a machine will have difficulty joining a Win2000 AD. We have solved that by keeping two versions of each image, the first prior to the sysprep operation, and the second after the sysprep operation. If we need to make modifications to the image, we start with the first image.

  • Jan Hall
    10 years ago
    Jun 25, 2002

    I have been using Sysprep on new PCs since the first of the year without using the pnp switch. We recently ran into a problem where the vendor had changed something minor and using the image was producing a blue screen when used on the PCs. I thought the pnp switch would solve this problem and was delighted to find out about it.
    However, when I tested the switch on a PC I prepared for Sysprep, it caused the cloned computer to bluescreen on the first Windows reboot! Taking the switch off and Sysprep-ing again fixed the problem.
    Have you seen this before and what might the problem be?
    Thank you,
