I seem to have missed part of the conversation since it suddenly seems to have jumped to what appears to be a conclusion that the VMWare issues were due to SID's and differencing disks. Is that what was determined? It'll be good to know for future reference. :)
> -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Wednesday, December 21, 2005 1:51 PM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > But the SID isn't a "device". It is simply a number stamped > on ACLs and other logical constructs all throughout the OS > load. A virtual disk or a virtual NIC or a virtual you name > it is a fixed device with a driver in front of it that > everything that wants to use it has to go through. The SID > thing is more like a byte combination and saying every time > you see this byte combination replace it with something else. > The devices are absolutely not handled that way. It isn't a > case of oh they are writing to the USB, instead redirect to > this or that. The OS is writing to a USB driver and that > driver figures out what to do with the data. That is what > drivers are all about and why you can write say a printer > driver to generate a PDF instead of a printed doc. > > The affinity of the SID is to the virtual machine. The disks > being used are linked to specific machines. A base image used > by multiple (or even one) differencing disk is not directly > linked. It is an indirect association and the OS itself has > no clue that is happening, it sees the one differencing disk > as a single true disk. > > In order for MS to automatically cover for this they would be > building a very special environment to run Windows in a very > special way, not trying to virtualize hardware and > personally, I would rather they work their ass off to become > indistinguishable from hardware versus having a special > Windows environment. > > I don't see this as a virtualization issue as much as I see > it as an OS issue. You know that you shouldn't have duplicate > SIDs. You know that a differencing disk is one that takes a > BASE image and uses that verbatim except where you make > changes to the image on the differencing disk. > > I guess you could say MS should detect it is running a > Windows guest on a differencing disk and that it should > auto-change the SID but what if the reason for the > differencing disk isn't to run multiple different copies > simulataneously but instead to have the same machine loaded > in different ways? I would be rather pissed if the > virtualization software took it upon itself to just start > changing core configurations like that. What if you decide to > later merge one image back into the parent, what do you do > then with the SID change? > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Wednesday, December 21, 2005 1:52 PM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > Look at it this way. When you run NewSID (or any other SID > whacker), you are not actually modifying the main image. Your > changes are written to the differencing disk. So, it's > somewhat hard to understand the SID affinity. In physical > hardware environment, we know that we have ANOTHER COPY of an > image, and that the SID is baked into that and every copy we > make of that copy. But, since we are actually ABSTRACTING in > the Virtual environment, and we are not actually doing > anything with (or to) that SINGLE COPY that we have, why > can't we abstract the SID as well? Why not virtualize the SID > much like we do with MAC addresses right now? > > Anyway, it's not so much a gripe or complaint as it is a way > for me to document that observation. SID duplication having > been a "known issue" for so long, you think that MS would > sneak something into this "differencing" > concept to take care of SID duplication. I mean, since this > is a Parent-Child relationship, when you boot up the child > and go change the computer name, why not do something about > this SID then (natively, I mean). > Or put some intelligence into VMaddition to detect that this > system is running off of a differencing disk, then provide a > mechanism for SID whacking. Or how about just making SID > whacking part of the process of creating the differencing > disk in the first place? Say, like put a 3rd option in there > where you specify the differencing disk name, the parent disk > name, and a check box to generate a new SID? > > Again, not a gripe. But "differencing virtual hard disk" and > SID duplicated, "differencing virtual hard disk" and SID > duplication, "differencing virtual hard disk" and duplicate > SID did not produce any hit on Google, MSN or searchoff. So, > obviously this is not documented anywhere. Not even in the help files. > > When you find an explanation for the first one, please share. > > > Sincerely, > > Dèjì Akómöláfé, MCSE+M MCSA+M MCT > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were > worried about Yesterday? -anon > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of joe > Sent: Wed 12/21/2005 6:56 AM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > > I am a little confused why there is a thought that running > duplicate images without changing the system SID within > Virtual Server would make one immune from duplicate SID > issues? The idea behind the virtualization software is to > duplicate hardware, not protect the OS running on the virtual > hardware from anything. > > That being said, I admit the results of the first test are > confusing to me, I wouldn't have expected that to happen, the > system SID as far as I know is not related to the objectSID > of the machine in the domain, there should be no confusion > there. I will try to play with that. I wonder if MS added > something to the later OSes to dissuade the improper imaging > that people might use to get around activation. > > The second test of trying to make the second virtual a DC in > the same forest makes sense to me and I would have expected > it to occur. Obviously the domain already exists message is > because the lookup is by SID and not by name. A machine uses > the SID it currently has for the domain SID when it is > promoted as the first DC of a domain since it should > generally be unique due to the initial machine SID generation > routines (just like a GUID *should* be unique). Since it is a > dupe, you hit an issue. I would agree that MS should probably > check that better since this is more likely to occur with > virtualization. MS doesn't check things like SIDs/GUIDs > because of the idea of statistical improbability. If you > follow the standard processes as outlined by MS, you > shouldn't feasibly run into the duplicated numbers due to > that statistical improbability of natural duplication. > > I never enven thought about it. My base images have newsid > baked right into them. The first thing I do when I bring up a > new differencing disk is to newsid and rename them. I know > Dean actually has a build routine that does it automatically > (at least on his ultra uber cool automatic VMWare setup). > > > > As an aside, one thing that is cool that I picked up from > Dean is the idea to compress the stacked (differencing) > images. As Dean mentioned to me, I have not see much of a > perf hit for doing this and the disk savings is great. If I > notice a speed hit say like Exchange possibly I will install > the Exchange Bins and Data on a second uncompressed disk but > still get the savings for the OS disk, usually in the realm > of 12 or 15 to 1. After you newsid the differenced machine, > the differenced disk file usually goes up to about 1GB, then > the compression brings it back down to 100MB. > > Usually what I do is set up my virtuals in project folders > like say E2KTST and then under that folder will be the > machine definition files and the main disk and then a Stacked > folder which is compressed and that is where the differencing > disks go. If I chose to add an additional disk to a stacked > machine I will put that disk in an additional folder under > the project folder called something like FullDisks. > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Wednesday, December 21, 2005 3:17 AM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > In trying to validate Jorge's issue > (http://www.akomolafe.com/JustSaying/tabid/87/EntryID/13/Defau > lt.aspx), I accidentally discovered a silly one in Virtual > Server. See > http://www.akomolafe.com/JustSaying/tabid/87/EntryID/14/Default.aspx > > Maybe it's not time to switch after all :) > > > Sincerely, > > Dèjì Akómöláfé, MCSE+M MCSA+M MCT > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were > worried about Yesterday? -anon > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Tony Murray > Sent: Tue 12/20/2005 8:46 PM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > Hi Jorge > > Just finished testing with Virtual PC 2004 SP1. No issues > found. The trust was established without having to match > username and passwords. > > You've probably seen Deji's email saying he also had no issue > with Virtual Server. > > I'm not ready to abandon VMWare quite yet, but it does give > pause for thought. > > Tony > > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Almeida Pinto, Jorge de > Sent: Tuesday, 20 December 2005 4:34 a.m. > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > Hi Tony, > > While creating my test environment that I will use at DEC, I > also tested the > following: > > ADCORP.LAN > -> DC01 (W2K3SP1) > -> DC02 (W2K3) promoting to DC and use DC01 (W2K3SP1) as source -> NO > ISSUES! > > BRANCH.ADCORP.LAN > -> DC11 (W2K3SP1) promoting to DC and use DC01 (W2K3SP1) as source -> > -> ISSUES > FOUND! (changing pwd solved issue) > -> DC12 (W2K3) promoting to DC and use DC11 (W2K3SP1) as source -> NO > ISSUES! > > SUBSIDIARY.ADCORP.LAN > -> DC21 (W2K3SP1) promoting to DC and use DC02 (W2K3) as source -> > -> ISSUES > FOUND! (changing pwd solved issue) > -> DC22 (W2K3SP1) promoting to DC and use DC21 (W2K3SP1) as source -> > ISSUES FOUND! (changing pwd solved issue) > > It looks like if the DC to be promoted = w2k3SP1 then the > issues mentioned occur > > Cheers, > jorge > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Almeida Pinto, Jorge de > Sent: Sunday, December 18, 2005 21:38 > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > Hi Tony, > > R2 does not change core binaries so there should be no change > there. I can save you time when it comes to the R2 test as I > found it first in R2, then tried SP1. Both with the same > issues I have not tried pre-SP1 myself > > I'm not sure, but I think it does not occur in pre-SP1 > because I had never seen it before until working with R2 and SP1. > > Jorge > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Tony Murray > Sent: Sun 12/18/2005 9:01 PM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > > Hi Jorge > > > > Ok, I'm back at work and the workaround using the same > username and password combination does the trick. > > > > I found one other interesting glitch. Here's the sequence. > > > > 1. Cross-forest trust setup fails with RPC connection failure. > > 2. Change ForestA administrator name and password to same > as ForestB > > 3. Set up one side of the trust in ForestA. All ok. > > 4. Attempt to set up ForestB side of trust. Fails with > RPC connection > failure. > > 5. Remove trust in ForestA. > > 6. Go back to ForestB and set up one side of the trust. All ok. > > 7. Go back to ForestA and set up the other side of the > trust. All ok. > > > > Weird. > > > > If I have time, I'll do the same thing with Windows 2003 (no > SP1) and with Windows 2003 R2. I'll also see if the > behaviour is different with Virtual PC. > > > > Tony > > > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Almeida Pinto, Jorge de > Sent: Monday, 19 December 2005 2:05 a.m. > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > > > Just before going to a party yesterday, I was playing with 2 > VMs. Each Vm was a DC in its own forest/doman and I wanted to > create a trust between the two. > How difficult is that? > > > > Well, not that difficult, until you get the error... ;-(( > > > > default tests: nslookup, mappings, etc and everything OK > > > > There is a big difference here. > > > > With the DCPROMO thing I goes wrong after entering the > credentials to dcpromo the DC > > With the TRUST thing I goes wrong as soon as you enter target domain > > > > The fun part is (quote from the DCPROMO story I wrote): > > <QUOTE> > > To test permissions and credentials I created a mapping (to the ADMIN$ > share) from the stand alone server to the forest root DC and > used username administrator and password CORP. result = OK To > test permissions and credentials I started LDP on the stand > alone server and connected to the forest root DC and used > username administrator and password CORP. result = OK. I was > able to anything in the directory. > To test permissions and credentials and joined the stand > alone server and made it a member server of the forest root > domain using the username administrator and password CORP. > result = OK. > > </QUOTE> > > > > Someone posted on my blog that this problem did not exist in > pre-SP1 w2k3. > So if someone can test that, please do so and post your findings here. > > Thanks! > > > > I'm sure the password thing will work. There is another > solution and that is to connect to \\SERVER\IPC$ > <file:///\\SERVER\IPC$> using the target credentials. What I > have seen is that it sometimes worked and sometimes it did > not. Remember, that in a multiple DC environment the DC might > choose another DC then you did! > > > > Cheers, > > Jorge > > > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Tony Murray > Sent: Sun 12/18/2005 3:58 AM > To: [email protected] > Subject: RE: [ActiveDir] FYI: Failing to create a trust > > Hi Jorge > > Weird that you should post this. I had exactly the same > problem on Friday when trying to set up a cross forest trust > using two vitual machines in VMWare ESX. > > I also performed the NetMon trace and saw the same SMB > STATUS_LOGON_FAILURE error. > > I'll have to try the password thing when I get back to the > office to see if that works in my environment. > > Tony > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Almeida Pinto, Jorge de > Sent: Sunday, 18 December 2005 2:06 p.m. > To: [email protected] > Subject: [ActiveDir] FYI: Failing to create a trust > > Hi, > > Remember the DCPROMO thing on Vmware I experienced a while ago? > (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx) > I found another similar issue, but this time it occured when > creating a trust (external or forest) between two forests. > The solution is still the same When interested you can read more at: > http://blogs.dirteam.com/blogs/jorge/archive/2005/12/18/297.aspx > > Cheers, > Jorge > > > This e-mail and any attachment is for authorised use by the intended > recipient(s) only. It may contain proprietary material, > confidential information and/or be subject to legal > privilege. It should not be copied, disclosed to, retained or > used by, any other party. If you are not an intended > recipient then please promptly delete this e-mail and any > attachment and all copies and inform the sender. Thank you. > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > This communication, including any attachments, is > confidential. If you are not the intended recipient, you > should not read it - please contact me immediately, destroy > it, and do not copy or use any part of this communication or > disclose anything about it. Thank you. Please note that this > communication does not designate an information system for > the purposes of the Electronic Transactions Act 2002. > > > > > This e-mail and any attachment is for authorised use by the intended > recipient(s) only. It may contain proprietary material, > confidential information and/or be subject to legal > privilege. It should not be copied, disclosed to, retained or > used by, any other party. If you are not an intended > recipient then please promptly delete this e-mail and any > attachment and all copies and inform the sender. Thank you. > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
