E.3 Novell ZENworks ISD Service (novell-zisdservice)

The Novell ZENworks ISD Service (novell-zisdservice) saves certain device-unique data (such as IP addresses and hostnames) to an area on the hard disk that is safe from imaging. The Imaging Agent records this information when you install it on the device. After the device has been imaged, the novell-zisdservice restores this information, except for the SID, from the image-safe area. This allows the device to use the same network identity as before. The SID is restored by the SIDchanger.

The novell-zisdservice is available only on Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 devices.

NOTE: After installing the ZENworks Adaptive Agent on a Windows 7 device (32-bit and 64-bit), Windows Server 2008 32-bit, or Windows Server 2008 R2 and subsequently rebooting the device, only the device ID and the device GUID are written into the ISD. Consequently, ziswin displays only the device ID and the device GUID. However, this does not have any impact on the functionality of ZENworks Configuration Management. The other device data is retrieved on the subsequent reboot (manual or automatic) of the device.

If a device is new and does not contain a unique network identity, the default settings that you have configured for the Management Zone are applied when you image the device by using a Preboot Services Imaging bundle.

The data that the Imaging Agent saves to (or restores from) the image-safe area includes the following:

Novell-ziswin usually runs automatically.

The ZENworks SIDchanger runs automatically after the image restoration on the Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 managed device. It runs within the ZENworks imaging distro, which is a Linux environment. Consequently, the SIDchanger changes the Windows SID within the Linux environment.

Review the following sections for detailed information:

E.3.1 Understanding the SID

The Security Identifier (SID) is generated by a security authority, which is Windows on a local computer and the Domain Controller on a domain or Active Directory network.

Windows grants or denies access and privileges to resources based on ACLs that use SIDs to uniquely identify users and their group memberships. When a user requests access to a resource, the user's SID is checked against the ACL to determine whether the user is allowed to perform the action, or whether the user is a member of a group that is allowed to perform that action.

The SID of a machine is a unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.

A SID has the following format: S-1-5-12-7623811015-3361044348-030300820-1013.

A SID should be unique across different machines because duplicate SIDs can lead to problems if the machine or user must be uniquely identified. In a domain environment, if a system with a duplicate SID tries to join the domain, it results in errors.

For example, in a Workgroup environment, security is based on local account SIDs. Consequently, if two computers have users with the same SID, the Workgroup cannot distinguish between the users. All resources, including files and registry keys, can therefore be accessed by both users.

E.3.2 Understanding the ZENworks SIDchanger

The ZENworks SIDchanger runs only if the following conditions are met:

  • The JustImaged flag is set.

    In the image-safe data, the JustImaged flag is set whenever an image is restored.

  • Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7 partitions exist.

You must change the SID of the Windows system after an image restoration because a SID must be unique. When the image is restored on the newly imaged device, the device contains the SID stored in the image, which might result in a duplicate SID. For all versions of Windows prior to Windows Vista, this is handled by ziswin, which changes the Windows SID on the first reboot after the image is restored.

Windows Vista forces additional access restrictions that make it impossible to automatically change the SID across the registry within the Windows environment. However, this issue is solved by the SIDchanger, which runs for Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 partitions.

The ZENworks SIDchanger obtains the SID from the registry and changes the SID in the following scenarios:

  • If the ISD (image-safe data) does not contain a SID.

  • If the ISD SID does not match the computer SID.

NOTE: The ZENworks imaging engine cannot image partitions encrypted by using the BitLocker technology. BitLocker Drive Encryption is a full-disk encryption feature included with Microsoft's Windows Vista, Windows 7, and Windows Server 2008 operating systems. It is designed to protect data by providing encryption for entire volumes.

After the SID is changed, the files encrypted by using the Windows file encryption cannot be accessed because Windows file encryption uses the SID. If you want to access the encrypted files, you must back up the file encryption key before taking the image, and import the key after the SID is changed.

E.3.3 Disabling the SIDchanger

You must disable the ZENworks SIDchanger by using either ziswin or Image Explorer if you want to use a third-party tool such as SYSPREP to change the SID.

Using Ziswin to Disable the SIDchanger

You can use ziswin to disable the SIDchanger only for managed devices. Do the following before taking the image:

  1. In ziswin, click Edit > Options > Restore Mask.

  2. Select Windows SID.

    This creates a hidden restoremask.xml system file in the system drive, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>
    

    To disable the SIDchanger, ensure that the value of <SID> is set to true. If you want to enable the SIDchanger, set the value to false.

Using Image Explorer to Disable the SIDchanger

  1. Create the restoremask.xml file, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>

  2. Open the image to be restored in the Image Explorer, then add the restoremask.xml file to the system drive of the image.

  3. Save the image.
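The following added example (not ZENworks code) models the rules from E.3.2 and E.3.3 together: the SID layout described in E.3.1 (machine SID prefix plus RID), the two preconditions under which the SIDchanger runs, the two scenarios in which it changes the SID, and the restoremask.xml switch that disables it. The ImageSafeData class, the function names and the constructed sample values are assumptions made for the illustration.

```python
# Added illustration of the SIDchanger rules (E.3.2) and the restoremask.xml
# switch (E.3.3). Not ZENworks code: ImageSafeData, the function names and the
# sample values are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Windows editions whose partitions the SIDchanger handles, per E.3.2.
SIDCHANGER_WINDOWS = {"Vista", "Server 2008", "Server 2008 R2", "7"}

# restoremask.xml contents from E.3.3 that disable the SIDchanger.
RESTOREMASK_DISABLE = "<ISDConf><DoNotRestoreMask><SID>true</SID></DoNotRestoreMask></ISDConf>"

@dataclass
class ImageSafeData:
    """Subset of the image-safe data used here (constructed, not the real layout)."""
    just_imaged: bool      # the JustImaged flag set on every image restore
    sid: Optional[str]     # None when the ISD holds no SID

def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-12-...-1013' into (machine SID prefix, RID), as E.3.1
    describes: the account SID is the machine SID with the RID appended."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def sidchanger_disabled(restoremask_xml: Optional[str]) -> bool:
    """True when restoremask.xml sets <DoNotRestoreMask><SID> to true."""
    if restoremask_xml is None:
        return False  # no restoremask.xml on the system drive: SIDchanger enabled
    node = ET.fromstring(restoremask_xml.strip()).find("DoNotRestoreMask/SID")
    return node is not None and (node.text or "").strip().lower() == "true"

def sidchanger_runs(isd: ImageSafeData, windows_versions: set[str],
                    restoremask_xml: Optional[str] = None) -> bool:
    """Preconditions from E.3.2: JustImaged is set and a supported Windows
    partition exists, unless the restore mask from E.3.3 disables the run."""
    if sidchanger_disabled(restoremask_xml):
        return False
    return isd.just_imaged and bool(windows_versions & SIDCHANGER_WINDOWS)

def sid_needs_change(isd: ImageSafeData, computer_sid: str) -> bool:
    """The two change scenarios: the ISD has no SID, or its SID differs
    from the computer SID read from the registry."""
    return isd.sid is None or isd.sid != computer_sid
```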