Without access to ESX server, is it possible...

Eulogy

...to tell if a particular guest has been cloned? I only have access to the guest, not the host.
We had Guest A and Guest B set up for someone. Guest B was a test system with some tweaks and such done. Customer wanted Guest A to have those. We have reason to believe they may have simply cloned Guest B and replaced Guest A with that clone (a no-no with what we're dealing with). I'm curious if there's any way, sans getting host access and checking logs etc., that I can prove that this is what happened? I can't think of anything.
 
About the only thing that has come up in brainstorming is seeing if the tweaks are present on the new Guest A. The only reason we can't use that as proof is that these are tweaks that the site could've made through normal process, not just via cloning.
 
Is there anything in the software and/or OS that logs the MAC address of the virtual NIC? What OS are we talking about here? If it's Windows and they cloned the original VM, it'd get a new MAC. New MAC = Windows detecting a new network card. See if the old NIC is hidden in Device Manager.
 
Server 2008R2. Nothing that really logs MAC, only IP address and hostname. I'll hop on and see if there's any odd NICs hanging out in device manager. Thanks for that!
 
They'll probably be hidden. Might poke around in the Registry too.
 
Usually if you clone a VM the MAC will change as you can't have identical MACs on the same segment, VMware prevents this, and even if you were able to do it, this would cause a lot of weird problems.

That's why if you move a VM from one host to another by copying it, VMware will ask you if the VM has been copied (new MAC address) or moved (keeps old MAC address).
 
You could look in the sysprep logs to see if they left the VMware cloning logs.
 
Could also see if the UUID of the OS was identical between guests; if cloned but not sysprepped they would match.
 
Simply reviewing the system event logs should provide you with enough detail (depending on how far back they go).
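The in-guest checks suggested so far (leftover NIC entries in the registry, identifiers that would match between guests, sysprep logs), gathered into one read-only PowerShell script. This is an added example, not code posted by anyone in the thread. Assumptions: "UUID of the OS" is read here as the SMBIOS UUID and the registry MachineGuid, and the log folders are the standard Windows sysprep locations.

```powershell
# Added example: run inside each guest (read-only), then compare the outputs.
# Written for PowerShell 2.0 as shipped with Server 2008 R2.

# Network adapter device class GUID. Under Control\Class, each 4-digit subkey
# is an adapter instance Windows has installed at some point.
$classGuid = '{4D36E972-E325-11CE-BFC1-08002BE10318}'
$ctl       = 'HKLM:\SYSTEM\CurrentControlSet\Control'

# Adapters WMI currently reports with a MAC address, keyed by instance GUID.
$live = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.MACAddress } |
    ForEach-Object { $live["$($_.SettingID)".ToUpper()] = $_.MACAddress }

$adapters = Get-ChildItem "$ctl\Class\$classGuid" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    ForEach-Object {
        $p    = Get-ItemProperty $_.PSPath
        $id   = "$($p.NetCfgInstanceId)".ToUpper()
        # Connection name, e.g. "Local Area Connection 2"
        $conn = Get-ItemProperty "$ctl\Network\$classGuid\$id\Connection" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Key         = $_.PSChildName
            Description = $p.DriverDesc
            Connection  = $conn.Name
            LiveMAC     = $live[$id]      # empty when no live adapter matches
            InstanceId  = $id
        }
    }

# Identifiers to compare between Guest A and Guest B.
$ids = New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    SmbiosUuid   = (Get-WmiObject Win32_ComputerSystemProduct).UUID
    MachineGuid  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
}

# Sysprep log files, if any were left behind, with their timestamps.
$logs = "$env:windir\Panther", "$env:windir\System32\Sysprep\Panther" |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ -Recurse -Filter '*.log' } |
    Select-Object FullName, LastWriteTime

$ids      | Format-List ComputerName, SmbiosUuid, MachineGuid
$adapters | Sort-Object Key |
    Format-Table Key, LiveMAC, Connection, Description, InstanceId -AutoSize
$logs     | Format-Table -AutoSize
```

A virtual NIC row with a Description and Connection name but no LiveMAC is a candidate for the old, hidden adapter mentioned above.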
 
Just curious, why is this a 'no-no'?

SSIDs will be duplicated. Big problem in many environments. I had to redo most of the job off the bat due to the dumb-ass before me that created a default 2008r2 image and used it to create all his servers.
 
Are you saying that since he deployed from an image the SSIDs were the same? I am sort of lost in the above statement. (long few days on my end)
 
Yes.
They need to be sysprepped if from a common image, and he didn't do that.
 
Ah! That was my next comment. Why didn't he just build the image then sysprep them? Whew! It's been a long few days and I just wanted to make sure my head was thinking through things correctly. Thanks.
 
SID vs SSID, but that's just a nitpick. But it's not like the machine SID being duplicated is really all that big a deal anyway. http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

Now, how the SID comes into play with domains gets a little more complicated, but again not necessarily a huge deal. Not unless you've got other software that's making use of the SID incorrectly. There are tools that can be used after the fact to change the SID. But note that will likely also require the machine to leave/rejoin a domain (if one is being used).
 
Usually if you clone a VM the MAC will change as you can't have identical MACs on the same segment, VMware prevents this, and even if you were able to do it, this would cause a lot of weird problems.

That's why if you move a VM from one host to another by copying it, VMware will ask you if the VM has been copied (new MAC address) or moved (keeps old MAC address).

That's not necessarily just the MAC address, that's also the UUID in the database for tracking the guest :)
 
SID vs SSID, but that's just a nitpick. But it's not like the machine SID being duplicated is really all that big a deal anyway. http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

Now, how the SID comes into play with domains gets a little more complicated, but again not necessarily a huge deal. Not unless you've got other software that's making use of the SID incorrectly. There are tools that can be used after the fact to change the SID. But note that will likely also require the machine to leave/rejoin a domain (if one is being used).

Crap, SID... lol. Thread of errors.
 