D.3 Novell ZENworks ISD Service (novell-zisdservice)

The Novell ZENworks ISD Service (novell-zisdservice) saves certain device-unique data (such as IP addresses and hostnames) to an area on the hard disk that is safe from imaging. The Imaging Agent records this information when you install it on the device. After the device has been imaged, the novell-zisdservice restores this information, except for the SID, from the image-safe area. This allows the device to use the same network identity as before. The SID is restored by the SIDchanger.

The novell-zisdservice is available only on Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 devices.

NOTE: After installing the ZENworks Adaptive Agent on a Windows 7 device (32-bit and 64-bit), Windows Server 2008 32-bit, or Windows Server 2008 R2 and subsequently rebooting the devices, only the device ID and the device GUID are written into the ISD. Consequently, ziswin displays only the device ID and the device GUID. However, this does not have any impact on the functionality of ZENworks Configuration Management. Other device data are retrieved on the subsequent reboot (manual or automatic) of the device.

If a device is new and does not contain a unique network identity, the default settings that you have configured for the Management Zone are applied when you image the device by using a Preboot bundle.

The data that the Imaging Agent saves to (or restores from) the image-safe area includes the following:

  • Whether a static IP address or DHCP is used

  • If a static IP address is used:

    • IP address

    • Subnet mask

    • Default gateway (router)

  • DNS settings

    • DNS suffix

    • DNS hostname

    • DNS servers

Novell-ziswin usually runs automatically.

The ZENworks SIDchanger runs automatically after the image restoration on the Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 managed device. It runs within the ZENworks imaging distro, which is a Linux environment. Consequently, the SIDchanger changes the Windows SID within the Linux environment.

Review the following sections for detailed information:

D.3.1 Understanding the SID

The Security Identifier (SID) is generated by a security authority, which is Windows on a local computer and the Domain Controller on a domain or Active Directory network.

Windows grants or denies access and privileges to resources based on ACLs that use SIDs to uniquely identify users and their group memberships. When a user requests access to a resource, the user’s SID is checked by the ACL to determine if the user is allowed to perform the action or if the user is part of a group that is allowed to perform that action.

The SID of a machine is a unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.

A SID has the following format, for example: S-1-5-12-7623811015-3361044348-030300820-1013.

  • S indicates that the string is a SID.
  • 1 is the revision level.
  • 5 is the identifier authority value.
  • 12-7623811015-3361044348-030300820 is the domain or local computer identifier.
  • 1013 is a relative ID (RID).

A SID should be unique across different machines because duplicate SIDs can lead to problems if the machine or user must be uniquely identified. In a domain environment, if a system with a duplicate SID tries to join the domain, it results in errors.

For example, in a Workgroup environment, security is based on local account SIDs. Consequently, if two computers have users with the same SID, the Workgroup cannot distinguish between the users. All resources, including files and registry keys, can therefore be accessed by both users.

D.3.2 Understanding the ZENworks SIDchanger

The ZENworks SIDchanger runs only if the following conditions are met:

  • The JustImaged flag is set.

    In the image-safe data, the JustImaged flag is set whenever an image is restored.

  • Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7 partitions exist.

You must change the SID of the Windows system after an image restoration because a SID must be unique. When the image is restored on a newly imaged device, the device receives the SID contained in the image, which might result in a duplicate SID. For all versions of Windows prior to Windows Vista, this is handled by ziswin, which changes the Windows SID on the first reboot after the image is restored.

Windows Vista forces additional access restrictions that make it impossible to automatically change the SID across the registry within the Windows environment. However, this issue is solved by the SIDchanger, which runs for Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 partitions.

The ZENworks SIDchanger obtains the SID from the registry and changes the SID in the following scenarios:

  • If the ISD (image-safe data) does not contain a SID.

  • If the ISD SID does not match the computer SID.
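The SID structure described in Section D.3.1 and the two SIDchanger scenarios listed above, as an added Python example (this is not ZENworks or Novell code): it parses a SID string into revision, identifier authority and sub-authorities, derives the machine SID prefix and the RID from an account SID, compares SIDs by value rather than by text, and decides whether the SIDchanger conditions hold. All SID values in it are constructed samples. The range check on sub-authorities (32-bit unsigned values) and the treatment of an empty image-safe SID as "no SID" are assumptions of the example, not statements taken from this section.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Textual SID: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
# The last sub-authority of an account SID is its relative ID (RID); everything
# before it is the machine (or domain) SID that prefixes every account created there.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        tail = "-".join(str(s) for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}-{tail}"


def parse_sid(text: str) -> Sid:
    """Parse a SID string, rejecting anything that is not well formed."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # Assumption of this example: sub-authorities (including the RID) are 32-bit values.
    bad = [s for s in subs if s > 0xFFFFFFFF]
    if bad:
        raise ValueError(f"sub-authority out of 32-bit range: {bad}")
    return Sid(revision, authority, subs)


def account_rid(account_sid: str) -> int:
    """The relative ID of an account SID (its last sub-authority)."""
    return parse_sid(account_sid).subauthorities[-1]


def machine_sid_of(account_sid: str) -> Sid:
    """The machine (or domain) SID prefix of an account SID, i.e. the SID without its RID."""
    sid = parse_sid(account_sid)
    if len(sid.subauthorities) < 2:
        raise ValueError("an account SID needs a machine prefix and a RID")
    return Sid(sid.revision, sid.authority, sid.subauthorities[:-1])


def same_security_principal(sid_a: str, sid_b: str) -> bool:
    """Two SID strings denote the same principal when their parsed values match,
    so a leading zero in one sub-authority does not make them different."""
    return parse_sid(sid_a) == parse_sid(sid_b)


def sidchanger_would_run(isd_sid: Optional[str], computer_sid: str) -> bool:
    """Mirror the two SIDchanger scenarios: the image-safe data holds no SID, or the
    image-safe SID differs from the computer SID read from the registry."""
    if isd_sid is None or not isd_sid.strip():  # assumption: empty value counts as "no SID"
        return True
    return not same_security_principal(isd_sid, computer_sid)


# Constructed sample values (no real machines): two computers and one account each.
COMPUTER_A = "S-1-5-21-1111111111-2222222222-3333333333"
COMPUTER_B = "S-1-5-21-1444444444-1555555555-1666666666"
USER_ON_A = COMPUTER_A + "-1013"
USER_ON_B = COMPUTER_B + "-1013"  # same RID on a different machine: a different principal
SAME_AS_USER_ON_A = "S-1-5-21-1111111111-2222222222-3333333333-01013"  # leading zero, same value

if __name__ == "__main__":
    print("RID of", USER_ON_A, "is", account_rid(USER_ON_A))
    print("machine SID prefix:", machine_sid_of(USER_ON_A))
    print("same principal despite leading zero:", same_security_principal(USER_ON_A, SAME_AS_USER_ON_A))
    print("same RID on another machine is the same principal:", same_security_principal(USER_ON_A, USER_ON_B))
    print("SIDchanger runs with no ISD SID:", sidchanger_would_run(None, COMPUTER_A))
    print("SIDchanger runs when ISD SID matches:", sidchanger_would_run(COMPUTER_A, COMPUTER_A))
    print("SIDchanger runs when ISD SID differs:", sidchanger_would_run(COMPUTER_A, COMPUTER_B))
```

Comparing parsed values rather than strings matters for the "ISD SID does not match the computer SID" check: a purely textual comparison would treat a SID that differs only in a leading zero as a mismatch and trigger a SID change that is not needed.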

NOTE: The ZENworks imaging engine cannot image partitions encrypted by using the BitLocker technology. BitLocker Drive Encryption is a full-disk encryption feature included with Microsoft's Windows Vista, Windows 7, and Windows Server 2008 operating systems. It is designed to protect data by providing encryption for entire volumes. Any image of a full-disk encrypted device can be restored only on that device.

After the SID is changed, the files encrypted by using the Windows file encryption cannot be accessed because Windows file encryption uses the SID. If you want to access the encrypted files, you must back up the file encryption key before taking the image, and import the key after the SID is changed.

D.3.3 Disabling the SIDchanger

You must disable the ZENworks SIDchanger by using either ziswin or Image Explorer if you want to use a third-party tool such as SYSPREP to change the SID.

Using Ziswin to Disable the SIDchanger

You can use ziswin to disable the SIDchanger only for managed devices. Do the following before taking the image:

  1. In ziswin, click Edit > Options > Restore Mask.

  2. Select Windows SID.

    This creates a hidden restoremask.xml system file in the system drive, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>

    To disable the SIDchanger, ensure that the value of <SID> is set to true. If you want to enable the SIDchanger, set the value to false.

Using Image Explorer to Disable the SIDchanger

  1. Create the restoremask.xml file, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>

  2. Open the image to be restored in the Image Explorer, then add the restoremask.xml file to the system drive of the image.

  3. Save the image.
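The restoremask.xml file used by both procedures above, as an added Python example (not ZENworks or Novell code): one function writes the file contents with <SID> set to true or false, the other reads an existing file and reports whether the SID restore is masked. The sample document is a constructed copy of the contents shown on this page. Treating a missing or empty <SID> element as false (SIDchanger enabled) and rejecting values other than true/false are assumptions of this example; the page only documents the true and false settings.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the documented restoremask.xml contents.
SAMPLE_RESTOREMASK_XML = """\
<ISDConf>
 <DoNotRestoreMask>
  <SID>true</SID>
 </DoNotRestoreMask>
</ISDConf>
"""


def build_restoremask_xml(disable_sidchanger: bool) -> str:
    """Produce restoremask.xml contents with <SID> true (SIDchanger disabled)
    or false (SIDchanger enabled), e.g. for adding to an image with Image Explorer."""
    root = ET.Element("ISDConf")
    mask = ET.SubElement(root, "DoNotRestoreMask")
    ET.SubElement(mask, "SID").text = "true" if disable_sidchanger else "false"
    return ET.tostring(root, encoding="unicode")


def sidchanger_disabled(xml_text: str) -> bool:
    """Read restoremask.xml contents and report whether the SID restore is masked.
    Assumption (not stated on the page): a missing or empty <SID> element means
    false, i.e. the SIDchanger stays enabled."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "ISDConf":
        raise ValueError(f"unexpected root element <{root.tag}>, expected <ISDConf>")
    node = root.find("DoNotRestoreMask/SID")
    if node is None or node.text is None or not node.text.strip():
        return False
    value = node.text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"<SID> must be true or false, got {node.text!r}")
    return value == "true"


if __name__ == "__main__":
    print("documented file disables SIDchanger:", sidchanger_disabled(SAMPLE_RESTOREMASK_XML))
    print(build_restoremask_xml(disable_sidchanger=False))
```

Writing the file with an XML library rather than string concatenation guarantees well-formed output; reading it back through the same parser before adding it to an image catches a file that was hand-edited into an unparseable state.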

Registry Keys for novell-ziswin and novell-zisdservice

The following table lists the Registry Keys that are used to customize the ZENworks Configuration Management Imaging Agent (novell-ziswin) and Novell ZENworks ISD service (novell-zisdservice):

Table D-2 novell-ziswin Registry Keys (for each key: name, type, value, and description)

ZISWIN Clear

    Registry Key Type: String

    Registry Key Value: 1

    When this string value is set to 1, ZISWIN clears all the Image Safe data and exits without doing any other task.

ZISWIN Disabled

    Registry Key Type: String

    Registry Key Value: 1

    When this string value is set to 1, ZISWIN exits without doing any other task.

ZISWIN Reset Flag

    Registry Key Type: String

    Registry Key Value: 1

    When this string value is set to 1, ZISWIN sets the Just Imaged flag to FALSE and exits without doing any other task.

ZISWIN Do Not Restore Mask

    Registry Key Type: DWORD

    Registry Key Value: Desired value of the Image Safe data component.

    You can use this DWORD value to specify the Image Safe data components that you do not want ZISWIN to restore to the Windows registry after the successful completion of an image. The value is interpreted as a mask, with each component receiving one bit in the mask. To stop the restoration of a component, specify the corresponding mask as the value in the registry key. For more information on values for different components, see Component Masks.

ZISWIN SYSPrep Restore Mask

    Registry Key Type: DWORD

    Registry Key Value: Desired value of the Image Safe data component.

    You can use this DWORD value to specify the Image Safe data components that you do not want ZISWIN to restore to the Windows registry after the successful completion of an image. The value is interpreted as a mask, with each component receiving one bit in the mask. To stop the restoration of a component, specify the corresponding mask as the value in the registry key.

    If you are using the SYSprep process to mask the Image Safe data components, use the ZISWIN SYSPrep Restore Mask registry key instead of the ZISWIN Do Not Restore Mask registry key. This is because ZISWIN or ZISDservice checks for values under the ZISWIN SYSPrep Restore Mask registry key, and not under the ZISWIN Do Not Restore Mask registry key, on the first run after the completion of the SYSPrep process.

    NOTE: ZISWIN SYSPrep Restore Mask is not set by the ZISWIN GUI. You need to enter the registry key directly with regedit.

    For more information on values for different components, see Component Masks.

ZISWIN Do Not Collect Mask

    Registry Key Type: DWORD

    Registry Key Value: Desired value of the Image Safe data component.

    You can use this DWORD to specify the components you do not want ZISWIN to collect in the Image Safe data. For more information on component masks, see Component Masks.

ZISWIN Clear Mask

    Registry Key Type: DWORD

    Registry Key Value: Desired value of the Image Safe data component.

    You can use this DWORD to specify the components that you want ZISWIN to clear from the Image Safe data. For more information on component masks, see Component Masks.

Component Masks

The following is a list of commonly used component masks:

  • Workstation Distinguished Name - 0x00000001
  • Workstation Tree - 0x00000002
  • NetBios Name - 0x00000004
  • Workgroup - 0x00000008
  • IP address - 0x00000010
  • SID - 0x00000020
  • DNS - 0x00000100
  • Workstation ID - 0x00000200

Some examples of using the novell-ziswin registry keys are as follows:

Windows Domain Environment: To add a workstation to the domain, you can use the ZISWIN SYSPrep Restore Mask registry key. To restore everything except the Workgroup, use the ZISWIN Do Not Restore Mask registry key; the value of the registry key is therefore 0x00000008.

DHCP Environment: Administrators who add the IP and DNS configuration of their systems through DHCP do not need ZISWIN to restore this information from the Image Safe data. You can use the ZISWIN Do Not Restore Mask registry key with the value 0x00000100.

SYSPREP naming convention: If the name of a workstation is determined by the SYSPREP routine and ZISWIN is therefore not to restore the NetBios name of the workstation, you can use the ZISWIN Do Not Restore Mask registry key with the value 0x00000004.

If your environment has all of the above configurations, add the four component masks together; the registry value is 0x0000011C.

If your environment needs only the Workstation Object, ID, and Tree to be restored after imaging, add up the masks of all the other components; the resulting registry value is 0x0000013C.

If your environment does not need anything restored by ZISWIN, the value can be set to 0x0000033F.
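The component-mask arithmetic from the examples above, as an added Python example (not ZENworks or Novell code): it combines named components into a DWORD mask, builds the complementary "restore only these" mask, decodes a mask back into component names, and rejects bits that match no listed component (the usual sign of a mistyped hex value). The mask values are the ones listed under Component Masks. The example assumes that "Workstation Object" in the text refers to the Workstation Distinguished Name component, and that the list of commonly used masks is the complete set of bits a value may contain.

```python
from typing import Dict, Iterable, List

# Component masks as listed on the page: one bit per Image Safe data component.
COMPONENT_MASKS: Dict[str, int] = {
    "Workstation Distinguished Name": 0x00000001,
    "Workstation Tree": 0x00000002,
    "NetBios Name": 0x00000004,
    "Workgroup": 0x00000008,
    "IP address": 0x00000010,
    "SID": 0x00000020,
    "DNS": 0x00000100,
    "Workstation ID": 0x00000200,
}

# OR of every listed component: the "restore nothing" value.
ALL_COMPONENTS = 0
for _bit in COMPONENT_MASKS.values():
    ALL_COMPONENTS |= _bit


def mask_for(components: Iterable[str]) -> int:
    """Combine the named components into one DWORD mask."""
    value = 0
    for name in components:
        if name not in COMPONENT_MASKS:
            raise KeyError(f"unknown Image Safe data component: {name!r}")
        value |= COMPONENT_MASKS[name]
    return value


def mask_excluding(components_to_restore: Iterable[str]) -> int:
    """Mask that blocks every listed component except the ones that should still be restored."""
    return ALL_COMPONENTS & ~mask_for(components_to_restore)


def decode_mask(value: int) -> List[str]:
    """Names of the components a mask covers, in bit order. Bits that match no listed
    component are rejected so that a mistyped value is noticed before it reaches the registry."""
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("a registry DWORD must be in the range 0..0xFFFFFFFF")
    unknown = value & ~ALL_COMPONENTS
    if unknown:
        raise ValueError(f"mask 0x{value:08X} sets bits 0x{unknown:08X} that match no component")
    by_bit = sorted(COMPONENT_MASKS.items(), key=lambda item: item[1])
    return [name for name, bit in by_bit if value & bit]


def format_dword(value: int) -> str:
    """Render a mask the way this appendix writes it: eight hex digits."""
    return f"0x{value:08X}"


if __name__ == "__main__":
    # The worked examples from the text, recomputed.
    combined = mask_for(["Workgroup", "DNS", "NetBios Name", "IP address"])
    print("domain + DHCP + SYSPREP naming:", format_dword(combined), decode_mask(combined))
    keep = ["Workstation Distinguished Name", "Workstation ID", "Workstation Tree"]
    print("restore only object, ID and tree:", format_dword(mask_excluding(keep)))
    print("restore nothing:", format_dword(ALL_COMPONENTS))
```

Because 0x00000040, 0x00000080 and the bits above 0x00000200 are not listed as components, decode_mask treats them as errors; the tests below check that a value such as 0x00000040 is rejected rather than silently ignored.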