During Install get "No mapping between account names and security IDs" error when picking domain accounts for service accounts

    Question

  • Test environment with 2008 servers set up from an image I've taken of a Windows 2008 R2 SP1 server. I restore that image to a VMware virtual machine, set up a domain controller and add the service accounts I'm going to use later for my SQL 2008 R2 install.

    Then I take the same image, restore it to another new virtual machine, rename it, give it a new IP address, reboot, join it to the domain, reboot, and begin the SQL install.

     

    On the Server Configuration step, when I click the account name drop-down and pick <<Browse...>>, it opens the "Select User, Computer, or Group" dialog. I enter [domain]\[login] for the service account and click "Check Names". It resolves that into the "[login] ([login]@[FQDN])" line. I click OK.

    I get the "S-1-5-XX-XXXXX-XXXXX-XXXXX-1104: No mapping between account names and security IDs was done." error.

    The frustrating part is that if I create a new Windows 2008 R2 server virtual machine from scratch, start the SQL install and use the same login, there is no error and I can continue with the install.

    I'm stuck, can I not create images and use them in this manner?

    Wednesday, April 06, 2011 10:07 PM

Answers

  • I found this article:

    http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

     

    As far as I can tell, it's basically stating that duplicate SIDs don't matter except in one condition:

     

    "As I said earlier, there’s one exception to rule, and that’s DCs themselves. Every Domain has a unique Domain SID that’s the machine SID of the system that became the Domain’s first DC, and all machine SIDs for the Domain’s DCs match the Domain SID. So in some sense, that’s a case where machine SIDs do get referenced by other computers. That means that Domain member computers cannot have the same machine SID as that of the DCs and therefore Domain. However, like member computers, each DC also has a computer account in the Domain, and that’s the identity they have when they authenticate to remote systems."

     

    So I'm making a new image in addition to my DC image. I tried the sysprep approach, but it seems to create other issues, like undoing a lot of the VMware-specific settings I have and breaking my ability to completely script the deployment. It's easier to create another server with a different SID from the DC and then image it too. Then, hopefully, I'll be able to script the setup of a SQL server and a SharePoint server.

    I am a little confused that more people don't try this. When I'm done I'll have a set of PowerShell scripts that'll create a domain controller from a base Windows 2008 R2 image, and then use another image to create a SQL and SharePoint server from scratch, with no involvement from me other than telling the script which type of server to make.

    • Proposed as answer by Peja Tao Monday, April 18, 2011 8:32 AM
    • Marked as answer by Thantops Monday, April 18, 2011 12:44 PM
    Wednesday, April 13, 2011 5:28 PM
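The check a practitioner would want before starting setup on a cloned member server is the one the quoted article singles out: does the clone's machine SID equal the domain SID (the DC's machine SID)? The script below is an added example, not code from the thread or from the article; it assumes an elevated PowerShell 2.0 or later session on the domain-joined member server with the domain controller reachable. The function names and the sample SID in the usage line are this example's own. It reads the machine SID from the built-in Administrator account (RID 500, regardless of renaming), reads the domain SID from the domain naming context, compares them, and optionally re-runs the SID-to-name lookup that setup performs for the SID printed in the error.

```powershell
# Added example: detect the DC/member duplicate-SID case before SQL Server setup.
# Assumptions: elevated PowerShell on the domain-joined member server, DC reachable.
# Get-MachineSid, Get-DomainSid and Test-SidCollision are this example's own names.

Add-Type -AssemblyName System.DirectoryServices

function Get-MachineSid {
    # A local account SID is <machine SID>-<RID>. The built-in Administrator
    # always has RID 500 even if renamed, so strip its RID to get the machine SID.
    $admin = Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $admin) { throw 'Local built-in Administrator account (RID 500) not found' }
    $sid = New-Object System.Security.Principal.SecurityIdentifier $admin.SID
    return $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    # objectSid of the domain naming context, read from the DC this computer is joined to.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $bytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    $sid    = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    return $sid.Value
}

function Test-SidCollision {
    param(
        # Optional: the SID shown in the setup error, e.g. 'S-1-5-21-...-1104'.
        [string] $FailingSid
    )
    $machineSid = Get-MachineSid
    $domainSid  = Get-DomainSid
    Write-Output "Machine SID: $machineSid"
    Write-Output "Domain SID : $domainSid"

    if ($machineSid -eq $domainSid) {
        Write-Warning ('This clone shares its machine SID with the domain (the DC image). ' +
                       'Run sysprep /generalize on it, or rebuild it from an image with a ' +
                       'different SID, before installing.')
    } else {
        Write-Output 'Machine SID and domain SID differ; the DC/member SID clash is not the cause.'
    }

    if ($FailingSid) {
        $f   = New-Object System.Security.Principal.SecurityIdentifier $FailingSid
        $rid = $f.Value.Split('-')[-1]
        Write-Output ("Failing SID belongs to domain {0}, RID {1}" -f $f.AccountDomainSid.Value, $rid)
        # Reproduce the SID-to-name lookup that setup performs on this machine.
        try {
            Write-Output ('Resolves locally to: ' + $f.Translate([System.Security.Principal.NTAccount]).Value)
        } catch {
            Write-Output ('Local lookup failed: ' + $_.Exception.Message)
        }
    }
}

# Usage (sample SID is made up for illustration):
# Test-SidCollision -FailingSid 'S-1-5-21-1111111111-2222222222-3333333333-1104'
```

If the two SIDs match, the clone's local SID namespace overlaps the domain's, which is exactly the condition the quoted article says member computers must avoid; the failing SID in the question has an ordinary RID (1104) for a created domain account, so the account itself is valid and what fails is the member server's mapping of that SID back to a name, consistent with the error text. A clone whose machine SID differs from the domain SID is not affected by this condition, which is why a freshly installed VM works.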

All replies


  • Hi Thantops,

    The root cause is that the cloned computer has the same Security Identifier (SID) as the original image. This may prevent the cloned computers from functioning correctly in a workgroup or a domain.
    To work around this problem, you could try the System Preparation Tool (Sysprep.exe) to remove configuration settings that are unique to the computer, such as the SID. Below are the steps for how to change the SID on Windows Server 2008.
    1) Start->Run, type sysprep and press OK. This will open the sysprep folder, which is located in c:\Windows\System32
    2) Select Enter System Out-of-Box Experience (OOBE). Important: select Generalize if you want to change the SID
    3) After rebooting you’ll have to enter some data, for example Country or region, Time and currency, and Keyboard input
    4) Use PsGetSid to check the new SID

    Hope this helps.
    Best Regards,
    Peja Tao

    Friday, April 08, 2011 6:55 AM
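The four manual steps above can be scripted, which matters for the questioner's goal of a fully scripted deployment. The block below is an added example, not from Peja Tao's reply or from Microsoft documentation; it assumes an elevated PowerShell session on the cloned VM, run before the clone is renamed and joined to the domain, and the path of the marker file is this example's own choice. On the first run it records the current machine SID and launches sysprep with the switches that correspond to steps 1-2; on the next run, after the generalized image has booted once, it performs step 4 without PsGetSid by reading the SID again and comparing.

```powershell
# Added example: scripted equivalent of the manual sysprep steps, with a SID check.
# Assumptions: elevated PowerShell on the clone, before rename/domain join.
# $beforeLog and Get-LocalMachineSid are this example's own names.

$sysprep   = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
$beforeLog = 'C:\sid-before-sysprep.txt'

function Get-LocalMachineSid {
    # Machine SID = SID of the built-in Administrator (always RID 500) minus its RID.
    $adminSid = (Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE '%-500'").SID
    return ($adminSid -replace '-500$', '')
}

if (-not (Test-Path $sysprep)) { throw "sysprep.exe not found at $sysprep" }

if (-not (Test-Path $beforeLog)) {
    # First run: record the current machine SID, then generalize.
    Get-LocalMachineSid | Set-Content -Path $beforeLog
    # /generalize = the "Generalize" checkbox (step 2); this is what regenerates the SID
    # /oobe       = "Enter System Out-of-Box Experience" (step 2)
    # /shutdown   = power off so the VM can be captured as the new base image
    # /quiet      = no GUI; add /unattend:<answer file> to pre-answer the OOBE prompts (step 3)
    & $sysprep /generalize /oobe /shutdown /quiet
} else {
    # Second run, after the generalized image's first boot: verify the SID changed (step 4).
    $before = (Get-Content -Path $beforeLog).Trim()
    $after  = Get-LocalMachineSid
    if ($after -eq $before) {
        Write-Warning "Machine SID unchanged ($after): Generalize was not applied"
    } else {
        Write-Output "Machine SID changed from $before to $after"
        Remove-Item -Path $beforeLog
    }
}
```

Two caveats for the questioner's imaging workflow: generalize removes machine-specific state beyond the SID (which is the "other issues" the accepted answer mentions), so settings that must survive belong in an unattend answer file rather than in the image; and on Windows 7 / Server 2008 R2 sysprep /generalize also rearms activation and is limited to three rearms per installation, so generalize the base image once and clone from the generalized image instead of generalizing every clone.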