Using UDP Cast to duplicate Windows NT

When using UDP Cast to duplicate Windows NT, watch out for the following items.

Manage the SID (Security Identifier)

Each Windows NT box features a "unique" serial number, called the SID, which is normally computed during installation. Unfortunately, when doing a rigorous bitwise copy of a Windows NT installation, this SID will be identical on all boxes, and this may pose problems in certain circumstances. There are two modes of operation for Windows NT in a network: Workgroup or Domain.

Using a Workgroup

When using Workgroups, users are defined locally on each participating machine. Numerical User IDs are derived from the SID, to which an offset is added that corresponds to the order in which the users are created on each machine.

Example

Let's suppose for example that the SID on billy is 12345, and the one on trey is abcdef. Now suppose that we create two users on billy: Tom, then Joe; and two other users on trey: Paul, then Alan.

Tom's UID will be 12345001 (the SID of billy followed by a sequence number), and Joe's will be 12345002.

Likewise, Paul's will be abcdef001 and Alan's abcdef002.

This all works well if all boxes have different SIDs. However, if somehow trey's SID ended up the same as billy's (suppose both were 123456), then Tom would have the same UID as Paul, and Joe would have the same as Alan. Hence Paul would be able to mess with Tom's files and vice versa.

Thus, in order to ensure reasonable security, we need to make sure that the boxes have different SIDs. Fortunately, there is a freeware utility, called NewSid.exe, which can do this.
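To make the collision concrete, here is an added model (not part of UDP Cast, NewSid or Windows) of how an account SID is formed from the machine SID plus a per-account RID, and of an NTFS ACL that grants access by SID. The machine SID values and the Machine/demo helpers are constructed for the example; only the RID numbering (local accounts start at 1000) and the S-1-5-21 prefix follow real NT.

```python
# Added example: models NT account SIDs (machine SID + RID) and shows why two
# bitwise-cloned machines with the same machine SID get colliding accounts.
# Machine SIDs below are constructed, not taken from any real system.
from dataclasses import dataclass, field

FIRST_USER_RID = 1000  # NT hands out RIDs to locally created accounts from 1000 upward


@dataclass
class Machine:
    name: str
    machine_sid: str                              # e.g. "S-1-5-21-111-222-333" (constructed)
    accounts: dict = field(default_factory=dict)  # user name -> account SID

    def create_user(self, user: str) -> str:
        """Mimics NT: the new account's SID is the machine SID plus the next free RID."""
        rid = FIRST_USER_RID + len(self.accounts)
        sid = f"{self.machine_sid}-{rid}"
        self.accounts[user] = sid
        return sid


def access_allowed(acl: set, account_sid: str) -> bool:
    """An NTFS ACL grants access by SID only; the user name and machine are irrelevant."""
    return account_sid in acl


def sid_collisions(machines: list) -> list:
    """Return (user@machine, user@machine) pairs whose account SIDs are identical."""
    seen = {}
    collisions = []
    for m in machines:
        for user, sid in m.accounts.items():
            label = f"{user}@{m.name}"
            if sid in seen:
                collisions.append((seen[sid], label))
            else:
                seen[sid] = label
    return collisions


def demo(cloned: bool) -> tuple:
    """Two boxes, two users each; `cloned` gives trey the same machine SID as billy."""
    billy = Machine("billy", "S-1-5-21-111-222-333")
    trey = Machine("trey", "S-1-5-21-111-222-333" if cloned else "S-1-5-21-444-555-666")
    toms_sid = billy.create_user("Tom")
    billy.create_user("Joe")
    pauls_sid = trey.create_user("Paul")
    trey.create_user("Alan")
    toms_files_acl = {toms_sid}  # ACE granting only Tom access to his files
    return access_allowed(toms_files_acl, pauls_sid), sid_collisions([billy, trey])
```

With distinct machine SIDs, demo(False) reports no collisions and Paul is denied; with the cloned SID, demo(True) shows Paul passing Tom's ACL and both user pairs colliding, which is exactly the condition NewSid is meant to remove.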

On Windows 2000, using SysPrep is recommended instead of NewSid:
http://www.microsoft.com/windows2000/downloads/tools/sysprep/

Best Practices for Using Sysprep with NTFS Volumes
http://support.microsoft.com/support/kb/articles/Q240/1/26.ASP

Microsoft System Preparation tool for Windows NT Workstation 4.0 (no free download)
http://www.eu.microsoft.com/ntworkstation/technicalresources/deployment/DeploymentDocs/deploy/DeployTools/SysPrep.asp
Easiest way to get it is to register at http://oem.microsoft.com/ and download from there.

White Paper: Disk-Image Copying of Microsoft Windows Operating Systems:
http://www.eu.microsoft.com/ntworkstation/technicalresources/WhitePapers/DiskImageCopy.asp

Also helpful:

Using a Domain

When using a Domain, most users are defined on the primary domain controller (server), rather than on the clients. Hence, the SID becomes a non-issue, and you don't need to run any tools to ensure different SIDs.

However, each box must register with the server, and SNAFU may ensue if suddenly lots of machines with the same computer name try to register.

So you still need to change the computer name, and you had best make sure that the sender has left the domain before doing the copy. After the copy, change the computer name of all receivers (copies), and make them rejoin the domain. Have the sender rejoin the domain too.

To leave the domain, proceed as follows:

  1. Right-click on "Network Neighborhood"
  2. On the very first Page, the current computer name and Domain is displayed. Click on Change, and then choose to use a workgroup instead of the domain (this is only temporary; after the broadcast, you'll set it back to Domain).
  3. When leaving the dialog box, you'll have to reboot.

Make sure the registry is big enough

Both NewSid (needed when operating in a workgroup environment) and the process of leaving and joining a domain create lots of "garbage" in the registry. As Windows does no garbage collection on the registry, this may actually overflow the available space. Hence, it is very important that you make sure your registry is big enough.

In order to do this proceed as follows, on the sender box, before doing the copy:

  1. Right-click on "My Computer"
  2. Choose Properties (the bottom item in the menu)
  3. Choose the "Performance" Tab
  4. Click on the "Change" button in the "Virtual memory" field
  5. At the very bottom of the "Virtual Memory" pane, the Current and Maximum registry size is displayed. Make sure that the maximum is at least double the current size.
  6. Click OK until you have left all windows, and reboot

Warning: If your registry is too small, you may get all kinds of silly and incomprehensible warnings, such as "Cannot update local security" or "Cannot copy remote profile", or even an error box without any text at all and just an OK button.

Make sure the machines are really identical

The machines should really be identical, even for hardware that you don't plan to use. Indeed, we once had the following situation:

Use DHCP

In order to make sure that each computer uses a different IP Address, I strongly recommend that you use DHCP. Else you'll have to change the address on each one of the copied machines.

Before the broadcast

If you use Domains:

If you use domains, make sure that the sender has left the domain before doing the broadcast (right click on the network neighborhood icon, and make it join a non-existing workgroup).

If you use workgroups:

Computers may stay in the workgroup. However, you may save time by installing the newsid.exe program on the computer before the multicast: that way you only need to install it once, and it will be available on all receivers when you need it. For Windows 2000, you need to proceed using sysprep instead of newsid.

During the broadcast

If you use Domains:

If you use domains, use the time that the broadcast takes to (re)create computer accounts on the Primary Domain Controller for all computers participating in the UDPCast (senders and receivers). Because the shared secrets will most probably have changed on the clients due to the broadcast operations, even pre-existing computer accounts must be re-created.

N.B. For obvious reasons, the PDC itself should not participate in the UDPCast, as it is configured rather differently than the clients.

If you use workgroups:

Have a cup of coffee ;)

After the broadcast

If you use Domains:

Change the computer name

Proceed as follows:
  1. Right-click on "Network Neighborhood"
  2. On the very first Page, the current computer name and Domain/Workgroup is displayed. Click on Change, and then enter the new computer name.
  3. When leaving the dialog box, you'll have to reboot. However, you don't need to leave it right now: indeed, the domain can be changed in the same box, and so you can save valuable time.

Re-join the Domain

If you use domains:
  1. (If not yet done) Right-click on "Network Neighborhood"
  2. On the very first Page, the current computer name and Workgroup is displayed. Click on Change, and then choose Domain.
  3. When leaving the dialog box, you'll have to reboot.

If you use workgroups:

If you use workgroups, you'll need to run NewSid. NewSid allows you also to change your computer name; this will save you one reboot.