Sysprep AFTER joining domain


I have a proprietary piece of software I need to install in a base image, I don't think it is possible to do a silent install after imaging...

Anyway this software can only be installed when the PC is a member of the domain because of login credentials to the database server.

What would happen if I join the PC to a domain, install this software, then remove it from the domain, THEN sysprep?

You think anything funny will happen to the OS? I'm not worried about the software, just the OS.

From my experience this would be a bad thing to do. Sysprepping with ANY applications installed is a bad idea. The problem is that Microsoft's Sysprep utility does not change SIDs and CLSIDs that it is not aware of. There are also registry permissions that would get fouled up.

If attempted, it may even "seem to work". However, you are very likely to have a PC that crashes unexpectedly all the time. I am a firm believer that Sysprepping in this manner is the main reason Microsoft Windows is seen to be "Unstable" by many people. Windows is extremely stable if installed properly.

Hmm, following guides here, making my hardware-independent WIM image has worked fine, but so far all I have installed is things like Firefox, GIMP, and things like that, and it has been working fine. We've deployed numerous times without issue.

Sysprep is fine, as long as the apps are fairly self-contained. What I mean by that is that apps that require hardware drivers specifically (like card readers, biometric apps, etc) would be considered "install dependent" and require both the app and the driver. Apps that simply install to program files and dump some info under HKLM\Software in the registry will likely have no issues at all after sysprep.

I still don't recommend sysprep simply because you "lock" that image, no further updates and patching without deployment, and installing from a flat image with RIS or MDT 2010 and WDS is very easy. However, if you really do want to sysprep, in general it will work just fine.

As to the original question about domain joining, sysprep removes almost all machine-specific information during its generalization of the installation, including any domain information. It would be best to remove a machine from the domain before capturing it, or not ever joining it to the domain at all before capture if possible.

Thanks, I figured, but had never done it. Removing from the domain now, and sealing the image for capture ;)

When performing Sysprep captures, removing the system from the domain is important as the SID is recreated when the system is added to the domain. Preventing a duplicate SID is as simple as renaming PCs as they are deployed and added to the domain.

  • 9 months later...

When you sysprep a PC you have the option to regenerate the SID regardless of whether or not the PC is added to the domain.

Best practices say to remove the PC from the domain before sysprepping, but it doesn't really matter in my experience.

The SID is regenerated when you run sysprep and select mini setup and reseal (regenerate SIDs).

Also, when you name a PC the SID is also regenerated, so when it goes on the domain and you name the PC the SID is also regenerated.

And also, according to Microsoft, sysprep removes the PC from the domain if it's already added.

Basically I add the PC to the domain, sysprep it, which regenerates the SID, and during sysprep I specify to add it back to the domain.

When deployed the SID is regenerated, the PC is added back to the domain again, and because the PC was already on the domain it has all my apps, WSUS updates, GPO settings on it, has everything.

I do this all the time and never ever have any problems at all

The problem you may run into is if you have a piece of software that uses the system's pre-sysprepped SID and stores it in the registry or an INI file somewhere. Sysprep will not reset the stored SID when run and you will end up with duplicate SIDs with that application. SMS, SCCM, McAfee ePO, and TripWire are some that I know do this, and I make sure to install them after dropping an image.

I also install the SMS client on client computers on the network for reporting before sysprep and after it's on the domain; it doesn't cause me any problems.

I have just tested this coz I'm bored: installed the SMS client onto a PC, sysprep'd and captured it, deployed it to 2 PCs and tested it on the domain.

SMS reports both of these machines as separate and it does not show up as 1 PC as stated above because of the SID.

So der ye go

(although I am sure the statement above is correct and is best practice from Microsoft)

No doubt there is software that uses ClassIDs and the old SID from before sysprepping.

Also, here is a link from the TechNet site regarding the SMS Advanced Client and sysprepping:

http://technet.microsoft.com/en-us/library/cc181430.aspx

Installing the Advanced Client on a computer master image

You can load Advanced Client software components on the computer when it is originally prepared for service in your organization. Typically, computer preparation work is done by an IT team in a staging area. The Advanced Client is installed on a client computer master image by installing core SMS client components without specifying an SMS site code for assignment. The computer is ready to be assigned to a site when it arrives at the location where it is used in production.

The master image with the SMS Advanced Client is automatically configured with an SMS GUID when SMS is installed. The Advanced Client detects that the computer has been prepared from a master image and creates a new GUID. This prevents duplication of SMS GUIDs on client computers when the Advanced Client software is loaded on computers before the computers are put into service in your organization.

Important:

Because a Legacy Client installation to a master image cannot detect that the computer was prepared from a master image, the SMS GUID must be removed from the Legacy Client before the computer is removed from the staging area and placed in service. This can be done manually, preferably in the master image, or it can be done by the Windows System Preparation tool (Sysprep.exe).

Edited by mikerowsopht
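
An added example, not part of the original thread: one way to check a deployed fleet for the two problems discussed above, machine SIDs that were not regenerated and management-agent GUIDs cloned from the master image. It assumes an inventory export giving each host's local Administrator SID and agent GUID; the rows, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# A local account SID is the machine SID plus a trailing RID:
# S-1-5-21-<three sub-authorities>-<RID>  (RID 500 = built-in Administrator)
ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed inventory rows: (hostname, local Administrator SID, agent GUID).
# All values are made up; the SIDs must be local-account SIDs, not domain ones.
INVENTORY = [
    ("LAB-PC01", "S-1-5-21-1111111111-2222222222-3333333333-500", "GUID:0A1B2C3D-0001"),
    ("LAB-PC02", "S-1-5-21-1234567890-2345678901-3456789012-500", "GUID:0A1B2C3D-0001"),
    ("LAB-PC03", "S-1-5-21-1111111111-2222222222-3333333333-500", "GUID:7E8F9A0B-0003"),
    ("LAB-PC04", "S-1-5-21-1000000001-2000000002-3000000003-500", "GUID:4C5D6E7F-0004"),
]

def machine_sid(account_sid):
    """Strip the trailing RID from a local account SID to get the machine SID."""
    m = ACCOUNT_SID.match(account_sid.strip().upper())
    if not m:
        raise ValueError(f"not a local account SID: {account_sid!r}")
    return m.group(1)

def find_duplicates(rows):
    """Return, per identifier kind, the values shared by more than one host."""
    seen = {"machine_sid": defaultdict(set), "agent_guid": defaultdict(set)}
    for host, admin_sid, guid in rows:
        seen["machine_sid"][machine_sid(admin_sid)].add(host)
        seen["agent_guid"][guid.strip().upper()].add(host)
    return {
        kind: {value: sorted(hosts) for value, hosts in values.items() if len(hosts) > 1}
        for kind, values in seen.items()
    }

if __name__ == "__main__":
    for kind, dupes in find_duplicates(INVENTORY).items():
        for value, hosts in dupes.items():
            print(f"duplicate {kind} {value}: {', '.join(hosts)}")
```

Hosts that share a machine SID point to an image captured or deployed without generalization; hosts that share only an agent GUID point to an agent installed in the master image that did not reset its own identifier.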