ghstwalk, Outlook Express

  • Thread starter Thread starter Tom Penharston
  • Start date Start date
T

Tom Penharston

Here's a problem that I never dreamed of.

I have several legacy machines that were deployed without sysprep. At
the time there was no benefit to sealing the images. There was no
Active Directory for these machines to join, workgroup connectivity
worked just fine without a unique SID, and if we really wanted to
change the SID for some reason, then we could always run ghstwalk from
Symantec Ghost. I had no problem for years. Most of the images were
replaced every few months so I had no worries about long term problems.
This was the most efficient deployment we found, 'no sysprep' means
less customization. Even regarding product keys, we had a site licence
for an upgrade, so there was no reason to enter unique keys for each
machine.

Sysprep was always on the horizon. None-the-less, I couldn't justify
the extra process and the extra time during customization. Many of
these deployments were done under presure. Certan - heavy use -
clients were being re-imaged on a weekly basis during a short
maintenance opening.

Unfortunately, not all of the machines were temporary. Some machines
went to permanent use and have been like this for a couple of years.
Recently, I wanted to inventory the legacy machines in WSUS.

If you've never had the pleasure of using WSUS to monitor clients with
the same SID, well this is what it looks like to me; the clients appear
as one computer to the WSUS, only the computer name changes several
times daily.

Clearly I had to change the SID on each client to get useful
information in WSUS. I ran a test case with two identical XP test
clients. By using ghstwalk I achieved exactly what I wanted. There
were no obvious problems. I was ready to go 'live'.

Then I designated three of my legacy clients for ghstwalk, one with W2K
and two with XP. The clients were renamed and given new SIDs. All
went well.

Users called me a day later, Outlook Express produced errors. Mail was
eventually accessible but they endured:

"...Server response "Logon failure" unknown user name or bad password",
Port 143; Secure(SSL): No, Error Number: 0x800C006F"

OE would no longer save passwords. On the W2K machine the 'Save
Password' check box was greyed out. I tried the prescribed Microsoft
Technet registry fix for Protected Storage System Provider, but it
failed to work.

Please advise. Thanks for taking an interest.

-Tom
 
Tom said:
Here's a problem that I never dreamed of.

I have several legacy machines that were deployed without sysprep. At
the time there was no benefit to sealing the images. There was no
Active Directory for these machines to join, workgroup connectivity
worked just fine without a unique SID, and if we really wanted to
change the SID for some reason, then we could always run ghstwalk from
Symantec Ghost. I had no problem for years. Most of the images were
replaced every few months so I had no worries about long term
problems. This was the most efficient deployment we found, 'no
sysprep' means less customization. Even regarding product keys, we
had a site licence for an upgrade, so there was no reason to enter
unique keys for each machine.

Sysprep was always on the horizon. None-the-less, I couldn't justify
the extra process and the extra time during customization. Many of
these deployments were done under presure. Certan - heavy use -
clients were being re-imaged on a weekly basis during a short
maintenance opening.

Unfortunately, not all of the machines were temporary. Some machines
went to permanent use and have been like this for a couple of years.
Recently, I wanted to inventory the legacy machines in WSUS.

If you've never had the pleasure of using WSUS to monitor clients with
the same SID, well this is what it looks like to me; the clients
appear as one computer to the WSUS, only the computer name changes
several times daily.

Clearly I had to change the SID on each client to get useful
information in WSUS. I ran a test case with two identical XP test
clients. By using ghstwalk I achieved exactly what I wanted. There
were no obvious problems. I was ready to go 'live'.

Then I designated three of my legacy clients for ghstwalk, one with
W2K and two with XP. The clients were renamed and given new SIDs.
All went well.

Users called me a day later, Outlook Express produced errors. Mail
was eventually accessible but they endured:

"...Server response "Logon failure" unknown user name or bad
password", Port 143; Secure(SSL): No, Error Number: 0x800C006F"

OE would no longer save passwords. On the W2K machine the 'Save
Password' check box was greyed out. I tried the prescribed Microsoft
Technet registry fix for Protected Storage System Provider, but it
failed to work.

Please advise. Thanks for taking an interest.
Click to expand...

NEWSID from SysInternals.
 
I downloaded the utility and ran it. It's much more convenient than
ghstwalk. After changing my SID with NEWSID I still have the same
problems:

"Your 'Calendar' folder was not polled for its unread count. Your
server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: 'mymail.myserver.com', Server:
'mymail.myserver.com', Protocol: IMAP, Server Response: '', Port: 993,
Secure(SSL): Yes, Error Number: 0x800CCC0F
 
I think it's related to SSL. I've read a few other posts on the
subject.

"Your 'Calendar' folder was not polled for its unread count. Your
server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: 'mail.myserver.com', Server: 'mail.myserver.com',
Protocol: IMAP, Server Response: '', Port: 993, Secure(SSL): Yes, Error
Number: 0x800CCC0F"
 
Tom said:
I think it's related to SSL. I've read a few other posts on the
subject.

"Your 'Calendar' folder was not polled for its unread count. Your
server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: 'mail.myserver.com', Server: 'mail.myserver.com',
Protocol: IMAP, Server Response: '', Port: 993, Secure(SSL): Yes,
Error Number: 0x800CCC0F"
Click to expand...

Install a new AV software?
Turn off any integration with your Email Client.
 
Tom said:
I downloaded the utility and ran it. It's much more convenient than
ghstwalk. After changing my SID with NEWSID I still have the same
problems:

"Your 'Calendar' folder was not polled for its unread count. Your
server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: 'mymail.myserver.com', Server:
'mymail.myserver.com', Protocol: IMAP, Server Response: '', Port: 993,
Secure(SSL): Yes, Error Number: 0x800CCC0F
Click to expand...

http://www.tiscali.co.uk/help/email/oe_errors_0x800ccc0f.html
 
It seems that I can recreate the IMAP account without errors. So if I
had to gess, the SID is involved at the creation of an IMAP
account...and... if I change the SID I should also change the IMAP
account... not what I was expecting
 
Tom said:
It seems that I can recreate the IMAP account without errors. So if I
had to gess, the SID is involved at the creation of an IMAP
account...and... if I change the SID I should also change the IMAP
account... not what I was expecting
Click to expand...

Another reason to always avoid duplicate SIDs
 
From: "Shenan Stanley" <[email protected]>

|
| Another reason to always avoid duplicate SIDs
|
| --
| Shenan Stanley
| MS-MVP
| --
| How To Ask Questions The Smart Way
|
|


That's what I was thinking. You might not notice it right away but down the road you may
when its too late.
 
In David H. Lipman <[email protected]> had this to say:

My reply is at the bottom of your sent message:
That's what I was thinking. You might not notice it right away but
down the road you may when its too late.
Click to expand...

LOL I flagged this for reading to see what someone came up with for an
answer that was acceptable. That was yesterday morning. I've been busy
today - and will be for a few more days (secret, can't tell ya, haffa kill
ya type stuff -- err putting in a new floor really) but the reason I'd
flagged it was that it made me think of SIDs and some of the changes. So,
while it wasn't my question and while the answer was accurate enough I want
to thank all three of you for giving me pause to think. Hmm... Now, in
truth, we all know using the same SID is potentially going to cause issues.
If so, then, well, why is it so common? People ghost an image and then, in
the past, have rolled it out all over the shop and returned with the oddest
of issues. My question is, while above, really as follows. If it's pretty
well documented (and no offense meant to the poster) why does it seem to
continue even to this day? Sorry for the simplistic addition but it's
curious to me.

Posting restricted to Microsoft Newsgroups only (I hope.)


Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes
 
From: "Galen" <[email protected]>


|
| LOL I flagged this for reading to see what someone came up with for an
| answer that was acceptable. That was yesterday morning. I've been busy
| today - and will be for a few more days (secret, can't tell ya, haffa kill
| ya type stuff -- err putting in a new floor really) but the reason I'd
| flagged it was that it made me think of SIDs and some of the changes. So,
| while it wasn't my question and while the answer was accurate enough I want
| to thank all three of you for giving me pause to think. Hmm... Now, in
| truth, we all know using the same SID is potentially going to cause issues.
| If so, then, well, why is it so common? People ghost an image and then, in
| the past, have rolled it out all over the shop and returned with the oddest
| of issues. My question is, while above, really as follows. If it's pretty
| well documented (and no offense meant to the poster) why does it seem to
| continue even to this day? Sorry for the simplistic addition but it's
| curious to me.
|
| Posting restricted to Microsoft Newsgroups only (I hope.)
|
| Galen
| --
|
| "You know that a conjurer gets no credit when once he has explained his
| trick; and if I show you too much of my method of working, you will
| come to the conclusion that I am a very ordinary individual after all."
|
| Sherlock Holmes
|

Galen:

Good question. I have never deployed a Win2K or WinXP platform without a Sysprep operation
prior to a Ghost imaging of the model. I read the documentation and I understood that
uniqueness was a factor that could be very important in various situations.

While I did not have an answer for the OP, I flagged his post because I wanted to see if
there are corrective actions and because I wanted anecdotal information of an example of why
not having unique SIDs can be detrimental. Sometimes its a situation where you have to ask
"Why do I have to do this, run Sysprep'ed is often "Because I say so." Here is an actual
real-world example to the question "Why do I have to do this, run Sysprep ?"
 
My solution isn't very difficult. Once the new IMAP account is
synchronized, I delete the old IMAP account. That's all it took to
eliminate the errors. This story probably won't convince everyone to
use Sysprep. Now, If I had to reformat the machine, that might scare
some people!
 
Galen said:
LOL I flagged this for reading to see what someone came up with for an
answer that was acceptable. That was yesterday morning. I've been busy
today - and will be for a few more days (secret, can't tell ya, haffa
kill ya type stuff -- err putting in a new floor really) but the
reason I'd flagged it was that it made me think of SIDs and some of
the changes. So, while it wasn't my question and while the answer was
accurate enough I want to thank all three of you for giving me pause
to think. Hmm... Now, in truth, we all know using the same SID is
potentially going to cause issues. If so, then, well, why is it so
common? People ghost an image and then, in the past, have rolled it
out all over the shop and returned with the oddest of issues. My
question is, while above, really as follows. If it's pretty well
documented (and no offense meant to the poster) why does it seem to
continue even to this day? Sorry for the simplistic addition but it's
curious to me.
Posting restricted to Microsoft Newsgroups only (I hope.)
Click to expand...

Why is it common?
- Ignorance of the SID (does anyone know everything it might affect?)
- Laziness ('why bother' attitude or 'too much trouble'..)
- The thought of saving 2 minutes in the process.. (gotta make the
donuts..)

Most people (including those who post here often - myself included) do not
know the full impact of a duplicate SID. Sure - we can tell you some things
we have learned from experience or in answering questions like this thread..
But there are likely other things it is used for in particular applications
and such none of us imagined were there.

The two minutes of a script running it takes to change it (ghostwalker,
NewSID, etc.) just outweighs any possibility of problems down the line - for
me. Other people don't want to add that one line to their scripts or don't
know how. They also may have set some arbitrary limit on how long the
process can take to redo the machines in question - and that 2 minutes puts
them over... I don't see it - but - possible I suppose.
 
In Tom Penharston <[email protected]> had this to say:

My reply is at the bottom of your sent message:
My solution isn't very difficult. Once the new IMAP account is
synchronized, I delete the old IMAP account. That's all it took to
eliminate the errors. This story probably won't convince everyone to
use Sysprep. Now, If I had to reformat the machine, that might scare
some people!
Click to expand...

I hope you didn't take offense at my response/question. It was by no means
meant to point to you specifically and say "why did this person do it this
way when it's by-the-book wrong?" but rather an effort to understand. As
Shenan pointed out none of us really can tell you what all the troubles for
this can be. What I can say is that it can/does cause some of the most
insane problems at the oddest of times and seems to be inconsistant.

Your solution in this was pretty simple - we hope. What more, potentially,
problems are there going to be in a week, in a month? Are there any
implications with EFS even with a recovery agent? Other certificate issues?
I wish, in all honesty, that I could point to a list of problems and say
this was the initial cause and here's the solution and a good reason for
using sysprep but that's not an option.

http://www.microsoft.com/technet/prodtechnol/windows2000pro/deploy/depopt/sysprep.mspx

In the Domain Vs. Workgroup Settings section it gives a few reasons to use
the tool but a decent white paper can be found here:

http://download.microsoft.com/download/c/4/f/c4fb16cb-ba88-4032-806d-43a4e643c9ec/Sysprep11.doc

Anyhow, it just made me curious and I'm not one to allow my curiousity to
rest.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes
 
Sure, I think I can put this into perspective. Imagine that you work
for an academic institution that runs classes in computer labs 14 hours
per day. The summer term goes deep into August, leaving just two weeks
to rollout new images on an entire campus. During those two weeks you
are approached by returning faculty with computer needs and course
preparation. Every pet project you can imagine surfaces during this
period. Famous quotes are, "that's not what we ordered", "I thought we
had a green light to buy...", and "oh, we added this software
yesterday". Depending on the number of clients that you are imaging,
sysprep does not add two minutes, it can add an extra hour to each lab.
What if that hour is the difference between you sleeping 6 hours, or
sleeping 5 hours, before you wake up to image another room?

Now I'm very respectful of admins who go by the book, and I don't mean
to trivialize your attention to detail. None-the-less, there are
environments where it doesn't pay to follow the rules. If I rolled-out
out 300 images in my time without sysprep, I'm not too worried about
the 6 that came back to haunt me. It's just a cost of doing business.
Maybe in that context the cost benefit ratio is clear. Trust me, I
would change the circumstances if I were able.
 
Tom said:
Sure, I think I can put this into perspective. Imagine that you work
for an academic institution that runs classes in computer labs 14
hours per day. The summer term goes deep into August, leaving just
two weeks to rollout new images on an entire campus. During those
two weeks you are approached by returning faculty with computer needs
and course preparation. Every pet project you can imagine surfaces
during this period. Famous quotes are, "that's not what we ordered",
"I thought we had a green light to buy...", and "oh, we added this
software yesterday". Depending on the number of clients that you are
imaging, sysprep does not add two minutes, it can add an extra hour
to each lab. What if that hour is the difference between you sleeping
6 hours, or sleeping 5 hours, before you wake up to image another
room?

Now I'm very respectful of admins who go by the book, and I don't mean
to trivialize your attention to detail. None-the-less, there are
environments where it doesn't pay to follow the rules. If I
rolled-out out 300 images in my time without sysprep, I'm not too
worried about the 6 that came back to haunt me. It's just a cost of
doing business. Maybe in that context the cost benefit ratio is
clear. Trust me, I would change the circumstances if I were able.
Click to expand...

I work for a university that rolls out a new "image" at the end of each
semester (sometimes several times during the semester) without sysprep to
1500+ machines spread out over several square miles through several
buildings in several classrooms usually open 24/6 - closed only partially on
weekends and more during the breaks. There are more than six different
hardware types (Dell, Gateway, HP, Compaq, etc) and only a single image.
There can be anywhere from 45 to 100 different applications on the image (or
parts of the applications needed to run them from the servers) depending on
the semester and class-load. NewSID or GhostWalker has always been used
with problems.

With proper staging - there have been times when all machines were done over
one weekend - ready for the next week. Any single classroom (none larger
than 45 computers) could be done in a matter of an hour to two at most at
will. This is *without* Multicasting - which speeds up the job enormously -
as not as much staging is needed.
 
Your size must work to your advantage. Are you using Ghost, RIS, or
something else?
 
Tom said:
Your size must work to your advantage. Are you using Ghost, RIS, or
something else?
Click to expand...

Symantec Ghost.
Make the original install with the unattended process (well, a highly
modified older version) found here:
http://unattended.sourceforge.net/

Lots of scripts after the ghosting - some even installing applications that
seem to work better if treated in this way.
 
Do you really advocate one image for multiple types of hardware, even
from different vendors? Can we simply leave it to plug 'n play to sort
through the hardware and drivers? Have all of your deviced been PNP in
recent years? I once read that different motherboard architectures
require different images. The "Unattended" description that you
provided suggests a scenario where 8 different images are required, yet
you have none of those worries. I'm amazed.

We have one software title that needs a patch for dual-processor
machines. This patch is detrimental to single processor machines. Now
let me guess, you would rollout the software uniformly, but only
install the patch from a script on the dual processor machines?

I am often clearing printers, delivering machines, migrating email,
anything goes. For my clients the buck starts and stops with me.
There's no one here to write and test scripts for three weeks straight
prior to a rollout. Heaven forbid if I write a script that chokes
during a roll-out. I'd rather be installing apps manually then
debugging a script.

All that said, this is an excellent thread for me and I'll try anthing
recommended here. Now, if I can just convince my DNS admin to support
the DNS requirements for "Unattended" I'll be okay. It might surprise
you to know that he still won't support PXE so that I can test RIS or
Ghost Enterprise.
 
Back
Top