When I brought up my three DCs I used the same Win2008 R2 template that had not been sysprepped, and I did not use customizations during deployment to change the SID. I have read the article about the myth of SID duplication but did run into two issues I wanted to point out.
1. With Win2008 R2 DCs, there is a nice feature called Active Directory Best Practices Analyzer. When I ran it, this message came up:
The Active Directory Domain Services (AD DS) server role on the domain controller WinDC01.VCS.local is installed on a virtual machine
It then refers me to this KB article:
http://technet.microsoft.com/en-us/library/dd723681%28WS.10%29.aspx
This knowledge base article lists 8 different things that a VM should comply with in order to follow best practice as a domain controller. After reading this article, the only one that caught my eye was the one about using sysprep.
2. Using sysprep changes the SID, but it apparently does other things as well. In fact, my guess is that changing the SID is the least important thing that sysprep does. We are using KMS activation in our domain. My first DC is my KMS host, so it gets activated by talking to Microsoft directly. My other two DCs will not activate because they have the same CMID. This blog explains it all:
I will be going back and sysprepping my Win2008 R2 template, bringing up two more servers based on this template, doing the necessary work to turn these into DC/DNS/DHCP servers, and retiring the other ones.
I think the bottom line is, having duplicate SIDs on a machine is not a problem, but in my case not using sysprep to prepare these servers is causing issues. Sysprep will change the SID but will also do away with the problems I described above.
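
Added example (not part of the original post): one way to confirm the duplicate-CMID condition described above is to read the KMS Client Machine ID from each server over WMI and group the results. The host names other than WinDC01.VCS.local are hypothetical placeholders, and the account running the script is assumed to have remote WMI access to each machine.

```powershell
# Added example: report machines that share a KMS Client Machine ID (CMID).
# WinDC02 and WinDC03 are hypothetical names; substitute the cloned servers.
$computers = 'WinDC01.VCS.local', 'WinDC02.VCS.local', 'WinDC03.VCS.local'

$results = foreach ($name in $computers) {
    try {
        # SoftwareLicensingService.ClientMachineID is the same value that
        # "slmgr.vbs /dlv" prints as "Client Machine ID (CMID)".
        $svc = Get-WmiObject -Class SoftwareLicensingService `
                             -ComputerName $name -ErrorAction Stop
        New-Object PSObject -Property @{
            Computer = $name
            CMID     = $svc.ClientMachineID
        }
    }
    catch {
        # An unreachable host is reported, not silently skipped.
        Write-Warning "Could not query $name : $($_.Exception.Message)"
    }
}

# A CMID reported by more than one machine means those machines carry the
# same value from the template image.
$duplicates = $results |
    Where-Object { $_.CMID } |
    Group-Object -Property CMID |
    Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        $names = ($group.Group | ForEach-Object { $_.Computer }) -join ', '
        Write-Output ("Duplicate CMID {0} on: {1}" -f $group.Name, $names)
    }
}
else {
    Write-Output 'No duplicate CMIDs found among the machines queried.'
}
```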