Furthermore, the following table lists the roles that are supported for SYSPREP. If you have to SYSPREP a machine that is intended to host an unsupported role, SYSPREP it before the role is installed.
Active Directory Certificate Server (AD CS)
Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Server (AD RMS)
Network Policy and Access Services
Network Policy Routing and Remote Access Services
Not supported in scenarios where the master Windows image is joined to a domain.
Web Server (Internet Information Services)
Does not support Sysprep with encrypted credentials in applicationhost.config.
Windows Deployment Services
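
The IIS caveat above can be checked before an image is generalized. The following PowerShell is an added example, not part of the original post: it lists every attribute whose value uses the IIS encrypted form `[enc:<provider>:<data>:enc]`. The function names, the `-ConfigPath` parameter and the embedded sample document are constructed for illustration.

```powershell
# Added example; names and sample data are constructed, not from the original post.
param([string]$ConfigPath)   # optional: path to a copy of applicationHost.config

function Get-ElementPath([System.Xml.XmlNode]$Node) {
    # Walk up to the document root, collecting element names.
    $parts = @()
    while ($Node -is [System.Xml.XmlElement]) {
        $parts = @($Node.LocalName) + $parts
        $Node = $Node.ParentNode
    }
    '/' + ($parts -join '/')
}

function Find-EncryptedIisAttribute([xml]$Config) {
    # IIS writes encrypted attribute values as [enc:<provider>:<data>:enc].
    $pattern = '^\[enc:(?<provider>[^:]+):.+:enc\]$'
    foreach ($attr in $Config.SelectNodes('//@*')) {
        if ($attr.Value -match $pattern) {
            [pscustomobject]@{
                Element   = Get-ElementPath $attr.OwnerElement
                Attribute = $attr.Name
                Provider  = $Matches['provider']
            }
        }
    }
}

# Constructed sample: one application pool running under a specific account.
$sample = [xml]@'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="AppPool1">
        <processModel identityType="SpecificUser" userName="CONTOSO\svc"
                      password="[enc:IISWASOnlyAesProvider:Q09OU1RSVUNURUQ=:enc]" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

# Use the supplied file if given, otherwise the constructed sample.
$config = if ($ConfigPath) { [xml](Get-Content -Raw -LiteralPath $ConfigPath) } else { $sample }
$hits = @(Find-EncryptedIisAttribute $config)
$hits | Format-Table -AutoSize
"{0} encrypted attribute value(s) found" -f $hits.Count
```

Run it against a copy of the server's applicationhost.config; any row it reports is a stored credential to review before running SYSPREP on that image.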
I am afraid your first bullet point isn't factual. See Mark Russinovich's blog post on the topic of SIDs and how they (don't) matter for AD DS: blogs.technet.com/.../3291024.aspx