| Author | Messages | |
listmail
Posts:426
 | | 01/19/2006 6:47 AM |
| LOL. I talk to myself (a lot) and write a lot of stuff that I later erase
prior to sending. Through that mechanism, mostly anyone outside of me will
see the good 50% but some of the bad can slip through. :o) I have a strong
desire to not look like a complete dunderhead in public. I have been known
to say some stunningly stupid things though.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rocky Habeeb
Sent: Thursday, January 19, 2006 9:04 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
"And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%."
joe, I will not be signing my emails to you anymore with "YMYMYM"
Unless of course, you recant.
RH
___________________________________________________________
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of joe
Sent: Wednesday, January 18, 2006 9:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
And further, I am not trying to say I am always right. Quite the contrary,
fully 50% of what I say is flat out incorrect, made up, or complete opinion.
Your job is to try to figure out what is and isn't in that 50%. Preferably
prior to changing your environment based on something I said. :o)
Or to put it another simpler way, mileage varies. What works very well for
me may not be in your best interest.
I would like to hear the technical details behind the SID issues from that
article though. Maybe I will follow the link. Though I doubt what I want is
there. Very little serious deep tech in that mag anymore. The tech stuff I
previously wrote for them they stopped putting in the mag and started
putting in their over the top highly overpriced "professional newsletters"
that were $100+ for 12 tiny little issues that looked like a small school
newspaper.
joe
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:14 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
Don't get me wrong though... Sysprep/newsid, follow the process. I am
absolutely not telling people to image machines and deploy them without
cleaning them up. If you have odd things happening and are not following the
recommended processes, it is all on you and you get to take responsibility
for what you do. :)
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Wednesday, January 18, 2006 9:01 PM
To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
Subject: RE: [ActiveDir] AD computer accounts being removed
I would like to see the details of what the issues are. Windows IT Pro mag
is a nice mag and all, but there is no real technical review of the
articles, you can say about anything you want to and I have seen several
examples. Ditto for Redmond Mag and SearchWindows*, etc.
I don't think the people actually test the stuff they say in a lot of those
articles though they try to state it authoritatively.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 8:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/19/06, Aaron Visser wrote:
> > Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the SID
> Duplication Problem
> > > snip
Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html
At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a
workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local workstation SID
for security. It IS a problem in a Windows 2000 domain as the local machine
SID is used in nearly all aspects of security and before migrating to 2000
you should resolve any duplicate SID issues which may have been caused by
cloning installations.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:426
 | | 01/19/2006 6:54 AM |
| Most likely oversight. I submit quite a few requests to get
articles like this updated that are missing specific OS versions or App
versions. At one point I asked that they have an additional field of "doesn't
apply to" for OSes so you at least knew they weren't forgetting it. I was told
to piss off.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Any idea why XP is omitted in this article, but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed Versions of Windows NT"
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Well I would agree that is not a safe practice for most but for my application where all Local accounts
are disabled I do not see a problem.
Taken | | | |
| milburnr
Posts:0
 | | 01/19/2006 8:55 AM |
| Well, XP is kind of obscure, esp when you include
Server 2003 SP1 in an imaging article :)
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Thursday, January 19, 2006
12:30 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Most likely oversight. I submit quite a
few requests to get articles like this updated that are missing specific OS
versions or App versions. At one point I asked that they have an additional
field of "doesn't apply to" for OSes so you at least knew they
weren't forgetting it. I was told to piss off.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006
8:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Any idea why XP is omitted in this
article, but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed
Versions of Windows NT"
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
6:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.
Taken
from http://www.sysinternals.com/Utilities/NewSid.html
under the SID Duplication Problem
Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not
Disk Duplicate Installed Versions of Windows NT", in a Workgroup
environment security is based on local account SIDs. Thus, if two computers
have users with the same SID, the Workgroup will not be able to distinguish
between the users. All resources, including files and Registry keys, that one user
has access to, the other will as well.
Aaron
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
3:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here – bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer :) but with that comes more
work :(
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine.
Then all is well again. Don't know if that will help, but it
might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda
-------APPLEBEE'S
INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal
law. Applebee's International, Inc. reserves the right to monitor and review
the content of all messages sent to and from this e-mail address. Messages sent
to or from this e-mail address may be stored on the Applebee's International,
Inc.
e-mail system. | | | |
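The collision described in the NewSID excerpt quoted in the post above, as an added example that is not part of the thread: a local account SID is the machine SID plus a RID, so machines imaged without Sysprep/NewSID end up with identical local account SIDs. The inventory rows are constructed sample data and the function names are hypothetical; the input is assumed to list local accounts only.

```python
"""Flag cloned machines that share a machine SID (constructed sample inventory)."""
import re
from collections import defaultdict

# Constructed sample data: (hostname, local account, account SID), as an admin
# might collect from each workstation. None of these values come from the thread.
INVENTORY = [
    ("LAB-PC01", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("LAB-PC01", "teacher", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("LAB-PC01", "BUILTIN\\Administrators", "S-1-5-32-544"),
    ("LAB-PC02", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("LAB-PC02", "student", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("LAB-PC02", "BUILTIN\\Administrators", "S-1-5-32-544"),
    ("OFFICE-PC07", "Administrator", "S-1-5-21-2052111302-484763869-725345543-500"),
    ("OFFICE-PC07", "frontdesk", "S-1-5-21-2052111302-484763869-725345543-1003"),
]

# S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>: the three sub-authorities identify the
# machine (or domain) that issued the account; the RID identifies the account.
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (issuer_sid, rid) for an account SID, or None for well-known SIDs."""
    match = _ACCOUNT_SID.match(sid.strip().upper())
    if match is None:
        return None
    return match.group(1), int(match.group(2))


def shared_machine_sids(inventory):
    """Map each machine SID seen on more than one host to the sorted host list."""
    hosts_by_issuer = defaultdict(set)
    for host, _account, sid in inventory:
        parts = split_sid(sid)
        if parts is None:
            continue  # well-known SID: identical on every machine by design
        hosts_by_issuer[parts[0]].add(host)
    return {
        issuer: sorted(hosts)
        for issuer, hosts in hosts_by_issuer.items()
        if len(hosts) > 1
    }


def colliding_accounts(inventory):
    """Map each local account SID present on several hosts to its (host, account) pairs.

    These are the accounts a workgroup cannot tell apart: an ACL entry written
    for one of them matches the other as well.
    """
    holders = defaultdict(set)
    for host, account, sid in inventory:
        if split_sid(sid) is None:
            continue
        holders[sid.strip().upper()].add((host, account))
    return {
        sid: sorted(pairs)
        for sid, pairs in holders.items()
        if len({host for host, _ in pairs}) > 1
    }


if __name__ == "__main__":
    for issuer, hosts in shared_machine_sids(INVENTORY).items():
        print("machine SID %s is shared by: %s" % (issuer, ", ".join(hosts)))
    for sid, pairs in colliding_accounts(INVENTORY).items():
        names = ", ".join("%s\\%s" % pair for pair in pairs)
        print("account SID %s resolves to: %s" % (sid, names))
```
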
| CKaiser
Posts:2
 | | 01/19/2006 10:52 AM |
| I can relate. I frequently do the 60 hr week thing, and as the senior of
the two IT people for our company, I do all the
design/planning/decision-making, as well as fix all the hard stuff the
other guy can't fix.
I have found that automating my repetitive tasks has helped a lot. I did
a few things to help my ability to work smarter rather than harder.
I set aside an hour a day for a while (at home, at work after hours,
wherever) and played with new tools; reskit, joeware, scripting,
whatever it took. That got me some confidence in using the advanced
tools.
I spent a bunch of time on this forum and the sys admin forum (sunbelt).
Lurking mostly, and contributing when time and skill allowed, but
frequently looking at a problem, making an estimate of the fix, and then
comparing my fix to the "experts".
I developed monitoring for all my production using What's Up Gold and
Dumpevt/grep. That allowed me to find most failures well before they
developed. I'd say better than 95% of the server problems I deal with
are things I find before the end-users know about them, which is how it
should be, IMO.
I've also trained my junior admin and handed off all the stuff I can to
him. It's hard to let go of some of it, but once I do and see that it's
getting handled, I relax. :-)
I think the bottom line is that until I took the steps necessary to work
smarter, I just kept working harder. Spending a bunch of time to improve
my skills and efficiency paid off tremendously. I don't do the 100 hour
weeks anymore. Spending 8 hours to develop workable group policies saved
me at least that much time per week with desktop configuration issues.
If you can get your boss to buy into allowing you some no-contact time
each week, you can use that to improve your skills/efficiency. You can
make the case to him/her that using a bit of your time will pay
dividends quickly.
Do whatever it takes to move as far from reactive mode as you can. I've
felt your pain; it's no fun...
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> Sent: Thursday, January 19, 2006 7:39 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
> > Charlie,
> > Thanks for taking the time to explain. I'm in a position
> where I'm making
> the big decisions, doing the big work and also doing all the
> little details
> (I'm it) including daily problems. Zero training/learning time, zero
> anything except get to the next fire. I need to spend some time
> learning and
> using tools like sysprep and GP to get back some of that time.
> > Gary
> > -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Charlie Kaiser
> Sent: Thursday, January 19, 2006 10:07 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] AD computer accounts being removed
> > > Sysprep is pretty simple; there's a lot of documentation
> available on it. As
> Rich mentioned, you need to set up your customizations under
> one profile and
> copy that to the default user profile. Some irksome things
> change, however.
> One of my pet peeves is that when you sysprep a PC, the next
> time it boots,
> the select OS timeout goes from whatever you have set it to
> (5 sec in our
> case) back to the default of 30 sec.
> > I have found that using group policy to make most of the
> settings changes is
> better than doing it on the workstation. We start with a
> sysprepped image
> that runs the mini-setup when first booted. We then the
> workstation and
> place it in the domain, where the GPOs apply to make all the required
> settings.
> > I was able to go from a boot floppy, ghost, and ghostwalker
> to a boot CD,
> sysprep, and ghost (our new laptops don't have floppy drives)
> in about 4
> days of testing and fine-tuning. I took a couple of laptops
> and a BartPE CD
> (with ghost added to it) into a spare conference room, didn't
> answer my
> phone, and worked it all out. A few days of work and the result is
> significantly simpler deployment of new images.
> > **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
> > > > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> > Sent: Thursday, January 19, 2006 5:01 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] AD computer accounts being removed
> > > > Thanks for the link Nav.
> > > > I use Symantec (PowerQuest) V2i Desktop (DriveImage).
> > Haven't used Ghost (Ghostwalker) or Sysprep. Been wanting to
> > experiment with Sysprep but haven't had the time. I was
> > thinking about that this morning though. Is there a big
> > learning curve with Sysprep?
> > > > I use V2i for cloning, because I'm already using that for
> > backups of all the workstations and all the servers. Hard
> > drive backups instead of tape. Without sysprep, I'm stuck
> > being able to only clone like machines.
> > > > I really need to learn to use Sysprep. Too many fires
> > burning right now.
> > > > Gary
> > > > > > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> > Navroz Shariff
> > Sent: Wednesday, January 18, 2006 3:29 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] AD computer accounts being removed
> > > > > > Hi Gary,
> > > > Try looking at this article from MS regarding 'Resetting
> > computer accounts in Windows 2000 and Windows XP'.
> > http://support.microsoft.com/kb/216393/EN-US/
> > > > Also, you join the computer to the domain and then change its name?
> > Do you reset the SIDs of the cloned workstation using
> > GhostWalker or Sysprep?
> > > > -Nav
> > > > > > ________________________________
> > > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
> > Sent: Wednesday, January 18, 2006 3:04 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] AD computer accounts being removed
> > > > > > Brenda,
> > > > FWIW: It happens to me when I clone a workstation then try
> > to join that workstation to the domain in order to change the
> > computer name. AD sees 2 machines with the same name, gives
> > me a notification and lets the 2nd one in. Then when the
> > original machine with that name logs in next time, it isn't
> > seen on the network. Then I have to do the same thing you
> > did - with the original machine. Then all is well again.
> > Don't know if that will help, but it might narrow down the
> > problem some.
> > > > Gary
> > > > Gary Polvinale
> > Denton ATD
> > > > > > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Brenda Casey
> > Sent: Wednesday, January 18, 2006 2:24 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] AD computer accounts being removed
> > > > > > Yes, their computer account in AD is actually gone.
> > > > Thanks,
> > Brenda
> > > > Brenda Casey
> > Network Manager
> > Billings Public Schools
> > caseyb@xxxxxxxxxxxxxxxxxx
> > 406-247-3792
> > > > > > ________________________________
> > > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil
> > Kirkpatrick
> > Sent: Wednesday, January 18, 2006 11:14 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] AD computer accounts being removed
> > > > > > When you say "lose their account", do you mean the computer
> > object in AD disappears? Or something else?
> > > > -g
> > > > ________________________________
> > > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Brenda Casey
> > Sent: Wednesday, January 18, 2006 10:42 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] AD computer accounts being removed
> > > > > > Occasionally computers will lose their account in Active
> > Directory for no apparent reason. Sometimes it is a computer
> > that has just joined the domain, while other times the
> > machine has been a member of the domain for 2 years. The
> > computer can only be logged on by a local account (not a
> > domain account). To remedy this, the computer has to be
> > disjoined from the domain, join a workgroup, then join the
> > domain again. As I am sure you all are aware, this is not
> > only time consuming, but very inappropriate to have to do.
> > > > Has anyone else had this experience and how have you fixed it?
> > > > Thanks,
> > Brenda
| | | |
| bdesmond
Posts:346
 | | 01/19/2006 12:09 PM |
| NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here – bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost computers
in order to rejoin the domain because I do not have any local accounts active
on my computers in the school, makes it a little safer :) but with that comes more
work :(
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine. Then all
is well again. Don't know if that will help, but it might narrow
down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
| Gil
Posts:69
 | | 01/19/2006 12:21 PM |
| Let me find my rolled up newspaper...
:)
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 4:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here – bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have yet to come across any problems, but there may be one big
difference with my images, before I ghost them or create the image I put the
said machine into a workgroup and then create image. After I have imaged a
computer I log on and change the Computer Name reboot and then join the domain
with the new computer name, should I be using Sysprep?
And Brenda I have experienced your problem but I have never noticed the accounts actually being
out of AD, anyways most times for me a simple reboot works although I have had
to actually ghost computers in order to rejoin the domain because I do not have
any local accounts active on my computers in the school, makes it a little safer
:) but with that comes more work :(
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Brenda,
FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain
in order to change the computer name. AD sees 2 machines with the same
name, gives me a notification and lets the 2nd one in. Then when the
original machine with that name logs in next time, it isn't seen on the
network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will
help, but it might narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Yes, their computer account in AD is actually gone.
Thanks,
Brenda
Brenda Casey
Network Manager
Billings Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Gil
KirkpatrickSent: Wednesday,
January 18, 2006 11:14 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] AD computer
accounts being removed
When you say "lose
their account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Brenda
CaseySent: Wednesday, January
18, 2006 10:42 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] AD computer accounts
being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to
do.
Has
anyone else had this experience and how have you fixed
it?
Thanks,
Brenda | | | |
| aaron_visser@xxxx.yyy
 | | 01/19/2006 12:22 PM |
| No it is not possible to delete that account. (As far as I know) but there
are times when the account has been disabled thru a Policy (that is how I
disable it) and that program has not worked, I know it doesn't make a lot of
sense because why is the policy being enforced if it will not connect to the
domain but guess what sometimes it is like that, and if everything always
worked the way it was supposed to well then we wouldn't be needed now would
we?
Aaron Visser
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 3:10 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD computer accounts being removed
On 1/18/06, Aaron Visser wrote:
snip
> I have had to actually ghost computers in order to rejoin the
> domain because I do not have any local accounts active on my computers in
> the school, makes it a little safer :) but with that comes more work :(
>
Surely it's not possible to delete the administrator account?
You might be able to disable it, but IIRC, you can reset the password
and unlock/re-enable the account using the infamous bootdisk at:
http://home.eunet.no/~pnordahl/ntpasswd/
Shouldn't need to re-image.
--
AdamT
"Maidenhead is *not* in Kent"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| aaron_visser@xxxx.yyy
 | | 01/19/2006 12:34 PM |
| Well I would agree that is not a safe
practice for most but for my application where all Local accounts are disabled
I do not see a problem.
Taken from http://www.sysinternals.com/Utilities/NewSid.html
under the SID Duplication Problem
Duplicate SIDs aren't an issue in a
Domain-based environment since domain accounts have SID's based on the Domain
SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not
Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment
security is based on local account SIDs. Thus, if two computers have users with
the same SID, the Workgroup will not be able to distinguish between the users.
All resources, including files and Registry keys, that one user has access to,
the other will as well.
Aaron
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
3:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here - bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132 | | | |
| listmail
Posts:426
 | | 01/20/2006 6:05 AM |
| FYI. I submitted a request to have this article reviewed
and corrected as deemed necessary.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 3:08 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Well, XP is kind of obscure,
esp when you include Server 2003 SP1 in an imaging article England
and do not catch such things J>
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Thursday, January 19, 2006 12:30 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Most likely oversight.
I submit quite a few requests to get articles like this updated that are missing
specific OS versions or App versions. At one point I asked that they have an
additional field of "doesn't apply to" for OSes so you at least knew they
weren't forgetting it. I was told to piss off.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rich Milburn
Sent: Thursday, January 19, 2006 8:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Any idea why XP is omitted in this article, but 2k and 2k3 are included?
http://support.microsoft.com/?id=162001
"Do Not Disk Duplicate Installed Versions of Windows NT"
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 6:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Well I would agree that
is not a safe practice for most but for my application where all Local accounts
are disabled I do not see a problem.
Taken | | | |
| wooklee
Posts:0
 | | 01/20/2006 7:19 AM |
| You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other
is joined to the new domain. The error messages that are logged say something
to the effect that the domain and the member server SIDs conflict. Darn
confusing when you see it for the first time. I'll see if I can dig out
the exact text of the message.
Wook
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006
6:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yep sorry, didn't intend to say it wasn't
a good idea. At some point the list will catch up and my post that says that
will show up. :)
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
8:39 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Dozen other reasons to run it. Not running sysprep is just a bad idea.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of joe
Sent: Wednesday, January 18, 2006
8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well not really. The important SID
in question is the Domain SID and that isn't duped.
The domain doesn't care about the machine SID. It is still good
practice to newsid the machines though.
If the accounts are disappearing it is one
of two things
1. Someone is deleting it.
2. During the join process something fails
and the computer deletes the object out. I don't recall the details of this but
I do recall hearing it happen. It happens right after the failed join though,
you don't have to wait for it. I have also heard other people who don't
have enough rights report the account being disabled instead of deleted. I
never verified personally either. | | | |
| bdesmond
Posts:346
 | | 01/20/2006 7:39 AM |
| Tell me about it. We had a vendor roll a server into every site to do as
they pleased with. Didn't get sysprep'ed. Many sites decided to
dcpromo theirs up. Of course every independent domain has to trust me, and you
can't trust more than one domain with the same sid...
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Lee, Wook
Sent: Friday, January 20, 2006
2:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other
is joined to the new domain. The error messages that are logged say something
to the effect that the domain and the member server SIDs conflict. Darn
confusing when you see it for the first time. I'll see if I can dig out
the exact text of the message.
Wook | | | |
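The SID relationships argued over in the posts above can be checked mechanically. The following is an added example, not code from any list member: it decodes binary SIDs, recovers each machine SID from the local Administrator SID (RID 500), and flags the three situations the thread describes. All host names, domain names and SID values are constructed, and the premise that a DCPROMO'd clone produces a domain SID equal to the image's machine SID is taken from the posts above.

```python
"""Audit an inventory for SID reuse left behind by cloning without Sysprep/NewSID.
Every host name, domain name and SID value here is constructed sample data."""
import struct
from collections import defaultdict

ADMIN_RID = 500  # well-known RID of the built-in local Administrator


def sid_to_bytes(sid):
    """Encode an 'S-1-5-21-...' string into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(raw):
    """Decode a binary SID (the form stored in AD's objectSid) to a string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def machine_sid_of(admin_sid_raw):
    """Recover the machine SID: the local Administrator SID minus its RID."""
    issuer, _, rid = sid_from_bytes(admin_sid_raw).rpartition("-")
    if int(rid) != ADMIN_RID:
        raise ValueError(f"expected RID {ADMIN_RID}, got {rid}")
    return issuer


def _groups(pairs):
    """Group names by SID and keep only SIDs seen more than once."""
    seen = defaultdict(list)
    for name, sid in pairs:
        seen[sid].append(name)
    return {sid: sorted(names) for sid, names in seen.items() if len(names) > 1}


def shared_machine_sids(hosts):
    """Hosts cloned from one image: their local account SIDs are identical."""
    return _groups((name, machine_sid_of(raw)) for name, _dom, raw in hosts)


def member_domain_collisions(hosts, domains):
    """Members whose machine SID equals the SID of the domain they joined."""
    return sorted(name for name, dom, raw in hosts
                  if dom is not None and domains[dom] == machine_sid_of(raw))


def duplicate_domain_sids(domains):
    """Domains created from the same clone share a SID and cannot both be trusted."""
    return _groups(domains.items())


# --- constructed sample data -------------------------------------------------
IMAGE_SID = "S-1-5-21-1004336348-1177238915-682003330"    # SID baked into the image
FRESH_SID = "S-1-5-21-2000478354-1708537768-1957994488"   # machine given a new SID
SCHOOL_SID = "S-1-5-21-3623811015-3361044348-30300820"    # pre-existing domain

DOMAINS = {
    "school.example": SCHOOL_SID,
    "site-a.example": IMAGE_SID,   # created by promoting an unchanged clone
    "site-b.example": IMAGE_SID,   # second clone promoted at another site
}

# (host, joined domain or None, binary SID of the local Administrator);
# members and workgroup machines only, domain controllers are not listed
HOSTS = [
    ("LAB-01", "school.example", sid_to_bytes(f"{IMAGE_SID}-{ADMIN_RID}")),
    ("LAB-02", "school.example", sid_to_bytes(f"{IMAGE_SID}-{ADMIN_RID}")),
    ("LAB-03", None, sid_to_bytes(f"{IMAGE_SID}-{ADMIN_RID}")),
    ("OFFICE-01", "school.example", sid_to_bytes(f"{FRESH_SID}-{ADMIN_RID}")),
    ("SITEA-APP1", "site-a.example", sid_to_bytes(f"{IMAGE_SID}-{ADMIN_RID}")),
]

if __name__ == "__main__":
    print("shared machine SIDs:", shared_machine_sids(HOSTS))
    print("member/domain SID collisions:", member_domain_collisions(HOSTS, DOMAINS))
    print("domains sharing a SID:", duplicate_domain_sids(DOMAINS))
```

LAB-01 and LAB-02 share a machine SID yet raise no domain-level finding in school.example, which matches the point made in the thread that the domain keys on the domain SID rather than the machine SID.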
| aaron_visser@xxxx.yyy
 | | 01/20/2006 10:32 AM |
| I was referring to workstations not Servers,
who would even think of ghosting a Server? And here is the bottom line I have
been ghosting workstations for several years now at this site without using
Sysprep or anything like it, and it has caused me no problems, I have yet to
hear anything worthwhile on why I should be running sysprep on a workstation
in a Domain Environment where local login is not prohibited other than some BS
stuff from Wininternals or some other mag like that. So put your rolled up
newspapers away (unless of course you're going to be using it on yourself) and
give me something worthwhile or concrete as to why I should be running Sysprep
in the mentioned environment other than NO NO NO NO BAD BAD BAD BAD you must
run sysprep.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006
11:37 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Tell me about it. We had a vendor roll a server into every site to do as
they pleased with. Didn't get sysprep'ed. Many sites decided to
dcpromo theirs up. Of course every independent domain has to trust me, and you
can't trust more than one domain with the same sid...
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132 | | | |
| aaron_visser@xxxx.yyy
 | | 01/20/2006 10:39 AM |
| Sorry, Sorry, Sorry it is Friday and I
have had enough, next time I will try to think before I hit Send
(Disregard last post on this topic)
Aaron Visser
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006
11:37 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Tell me about it. We had a vendor roll a server into every site to do as
they pleased with. Didn't get sysprep'ed. Many sites decided to
dcpromo theirs up. Of course every independent domain has to trust me, and you
can't trust more than one domain with the same sid...
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006
2:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other
is joined to the new domain. The error messages that are logged say something
to the effect that the domain and the member server SIDs conflict. Darn
confusing when you see it for the first time. I'll see if I can dig out
the exact text of the message.
Wook
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006
6:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yep sorry, didn't intend to say it wasn't
a good idea. At some point the list will catch up and my post that says that
will show up. :)
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
8:39 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Dozen other reasons to run it. Not running sysprep is just a bad idea.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006
8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Well not really. The important SID
in question is the Domain SID and that isn't duped.
The domain doesn't care about the machine SID. It is still good
practice to newsid the machines though.
If the accounts are disappearing it is one
of two things
1. Someone is deleting it.
2. During the join process something fails
and the computer deletes the object out. I don't recall the details of this but
I do recall hearing it happen. It happens right after the failed join though,
you don't have to wait for it. I have also heard other people who don't
have enough rights report the account being disabled instead of deleted. I
never verified personally either.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006
6:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here - bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006
5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have
yet to come across any problems, but there may be one big difference with my
images, before I ghost them or create the image I put the said machine into a
workgroup and then create image. After I have imaged a computer I log on
and change the Computer Name reboot and then join the domain with the new
computer name, should I be using Sysprep?
And Brenda I have experienced your problem
but I have never noticed the accounts actually being out of AD, anyways most
times for me a simple reboot works although I have had to actually ghost
computers in order to rejoin the domain because I do not have any local
accounts active on my computers in the school, makes it a little safer :) but with that comes more
work :(
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian
Desmond
Sent: Wednesday, January 18, 2006
12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Brenda,
FWIW: It happens to me when I clone
a workstation then try to join that workstation to the domain in order to
change the computer name. AD sees 2 machines with the same name, gives me
a notification and lets the 2nd one in. Then when the original machine
with that name logs in next time, it isn't seen on the network. Then I
have to do the same thing you did - with the original machine. Then all
is well again. Don't know if that will help, but it might narrow
down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
Yes,
their computer account in AD is actually gone.
Thanks,
Brenda
Brenda
Casey
Network Manager
Billings
Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006
11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD
computer accounts being removed
When you say "lose their
account", do you mean the computer object in AD disappears? Or something
else?
-g
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006
10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer
accounts being removed
Occasionally
computers will lose their account in Active Directory for no apparent
reason. Sometimes it is a computer that has just joined the domain, while
other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has
anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
| GuidoG
Posts:56
 | | 01/22/2006 8:31 AM |
| Hey Wook - though I agree it's a bad idea to do this, I've
always thought DCPROMOing a server to a new domain created a NEW domain SID,
which is totally unrelated to the server's SID. Or was it the other
way around (un-promoting a DC creates a new SID for the server...). Hmm
probably the latter from what you write.
Would be good if you can find the error-message (saves me
time in testing this :-)
/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 08:16
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other is
joined to the new domain. The error messages that are logged say something to
the effect that the domain and the member server SIDs conflict. Darn confusing
when you see it for the first time. I'll see if I can dig out the exact text of
the message.
Wook
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Yep sorry, didn't intend to say it wasn't a good idea. At some point the list
will catch up and my post that says that will show up. :)
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Dozen other reasons to run it. Not running sysprep is just a bad idea.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Well not really. The important SID in question is the Domain SID and that isn't
duped. The domain doesn't care about the machine SID. It is still good practice
to newsid the machines though.
If the accounts are disappearing it is one of two things
1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object
out. I don't recall the details of this but I do recall hearing it happen. It
happens right after the failed join though, you don't have to wait for it. I
have also heard other people who don't have enough rights report the account
being disabled instead of deleted. I never verified personally either.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here - bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have yet to come across any problems, but
there may be one big difference with my images, before I ghost them or create
the image I put the said machine into a workgroup and then create image. After
I have imaged a computer I log on and change the Computer Name reboot and then
join the domain with the new computer name, should I be using Sysprep?
And Brenda I have experienced your problem but I have never noticed the
accounts actually being out of AD, anyways most times for me a simple reboot
works although I have had to actually ghost computers in order to rejoin the
domain because I do not have any local accounts active on my computers in the
school, makes it a little safer :) but with that comes more work :(
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Brenda,
FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Yes, their computer account in AD is actually gone.
Thanks,
Brenda
Brenda Casey
Network Manager
Billings Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
When you say "lose their account", do you mean the computer object in AD
disappears? Or something else?
-g
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] AD computer accounts being removed
Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account).
To remedy this, the computer has to be disjoined from the domain, join a
workgroup, then join the domain again. As I am sure you all are aware,
this is not only time consuming, but very inappropriate to have to do.
Has anyone else had this experience and how have you fixed it?
Thanks,
Brenda | | | |
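The collision Wook describes and the trust problem Brian mentions can be checked for across a machine inventory. The following is an added example, not part of the thread; it assumes, in line with Wook's description, that a new domain's SID is the machine SID of the server promoted to create it. All host names, domains and SIDs are constructed.

```python
import re
from collections import defaultdict

# Machine and domain SIDs issued by the NT authority: S-1-5-21-<a>-<b>-<c>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed sample data, not taken from the thread.
IMAGE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # un-sysprepped vendor image
LAB_SID = "S-1-5-21-1234567890-1234567891-1234567892"    # ghosted workstation image
HQ_SID = "S-1-5-21-2000000001-2000000002-2000000003"
WS_SID = "S-1-5-21-3000000001-3000000002-3000000003"

# (host, role, domain, SID). For a DC the SID is the domain SID; for any
# other machine it is the local machine SID.
INVENTORY = [
    ("SITE-A-SRV", "dc", "sitea.example", IMAGE_SID),      # clone, dcpromo'd
    ("SITE-B-SRV", "dc", "siteb.example", IMAGE_SID),      # clone, dcpromo'd
    ("SITE-A-APP", "member", "sitea.example", IMAGE_SID),  # clone, joined
    ("HQ-DC1", "dc", "hq.example", HQ_SID),
    ("HQ-DC2", "dc", "hq.example", HQ_SID),                # same domain: expected
    ("WS-LAB-01", "member", "hq.example", LAB_SID),
    ("WS-LAB-02", "member", "hq.example", LAB_SID),
    ("WS-07", "member", "hq.example", WS_SID),
]


def find_sid_conflicts(inventory):
    """Report the three duplicate-SID situations discussed in the thread."""
    domains_by_sid = defaultdict(set)   # domain SID -> domains using it
    members_by_sid = defaultdict(list)  # machine SID -> non-DC hosts using it
    domain_sid = {}                     # domain -> its SID, learned from a DC
    for host, role, domain, sid in inventory:
        if not SID_RE.match(sid):
            raise ValueError(f"{host}: unexpected SID format {sid!r}")
        if role == "dc":
            domains_by_sid[sid].add(domain)
            domain_sid[domain] = sid
        else:
            members_by_sid[sid].append(host)
    return {
        # Two different domains with one SID cannot both be trusted by a
        # third domain (Brian's vendor-server case).
        "domains_sharing_sid": {
            s: sorted(d) for s, d in domains_by_sid.items() if len(d) > 1
        },
        # Member whose machine SID equals its own domain's SID (Wook's case).
        "member_equals_domain_sid": sorted(
            (h, dom) for h, role, dom, s in inventory
            if role != "dc" and domain_sid.get(dom) == s
        ),
        # Non-DC machines cloned from one image without a SID change.
        "cloned_members": {
            s: sorted(h) for s, h in members_by_sid.items() if len(h) > 1
        },
    }


if __name__ == "__main__":
    for finding, detail in find_sid_conflicts(INVENTORY).items():
        print(finding, detail)
```
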
| listmail
Posts:426
 | | 01/23/2006 4:01 AM |
| > who would even think of ghosting a Server
Heh. Quite a few people actually. :)
> I have yet to hear anything worth while on why I should be running sysprep
> on a workstation in a Domain Environment
The main one in my mind is simply a support thing with
MS. I agree with how bad the info is out there on why people think it needs to
be done. It is easier to do it as you go than to actually really hit a real
problem that does impact you that has you running around your environment doing
it for all machines. So while I myself have mixed feelings on how much it is
needed you will NEVER hear me tell a customer or anyone else they shouldn't do
it.
joe
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Friday, January 20, 2006 5:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
I was referring to workstations not Servers, who would even think of ghosting a
Server? And here is the bottom line I have been ghosting workstations for
several years now at this site without using Sysprep or anything like it, and
it has caused me no problems, I have yet to hear anything worth while on why I
should be running sysprep on a workstation in a Domain Environment where local
login is not prohibited other than some BS stuff from Wininternals or some
other mag like that. So put your rolled up newspapers away ( unless of course
you're going to be using it on yourself ) and give me something worth while or
concrete as to why I should be running Sysprep in the mentioned environment
other than NO NO NO NO BAD BAD BAD BAD you must run sysprep.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Friday, January 20, 2006 11:37 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Tell me about it. We had a vendor roll a server into every site to do as they
pleased with. Didn't get sysprep'ed. Many sites decided to dcpromo theirs up.
Of course every independent domain has to trust me, and you can't trust more
than one domain with the same sid...
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Lee, Wook
Sent: Friday, January 20, 2006 2:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
You can have collisions between a domain controller SID and a member server SID
when two machines have duplicate SIDs and one is DCPROMO'd and the other is
joined to the new domain. The error messages that are logged say something to
the effect that the domain and the member server SIDs conflict. Darn confusing
when you see it for the first time. I'll see if I can dig out the exact text of
the message.
Wook
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:36 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Yep sorry, didn't intend to say it wasn't a good idea. At some point the list
will catch up and my post that says that will show up. :)
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 8:39 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Dozen other reasons to run it. Not running sysprep is just a bad idea.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Well not really. The important SID in question is the Domain SID and that isn't
duped. The domain doesn't care about the machine SID. It is still good practice
to newsid the machines though.
If the accounts are disappearing it is one of two things
1. Someone is deleting it.
2. During the join process something fails and the computer deletes the object
out. I don't recall the details of this but I do recall hearing it happen. It
happens right after the failed join though, you don't have to wait for it. I
have also heard other people who don't have enough rights report the account
being disabled instead of deleted. I never verified personally either.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 6:50 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
NO NO NO NO NO BAD BAD BAD
You have to use sysprep. You're getting duplicate SIDs here - bad.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary, Brian,
I do not use Sysprep on my images and have yet to come across any problems, but
there may be one big difference with my images, before I ghost them or create
the image I put the said machine into a workgroup and then create image. After
I have imaged a computer I log on and change the Computer Name reboot and then
join the domain with the new computer name, should I be using Sysprep?
And Brenda I have experienced your problem but I have never noticed the
accounts actually being out of AD, anyways most times for me a simple reboot
works although I have had to actually ghost computers in order to rejoin the
domain because I do not have any local accounts active on my computers in the
school, makes it a little safer :) but with that comes more work :(
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Gary-
Are you implying you don't sysprep your images?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Brenda,
FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.
Gary
Gary Polvinale
Denton ATD
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD computer accounts being removed
Yes, their computer account in AD is actually gone.
Thanks,
Brenda
Brenda Casey
Network Manager
Billings Public Schools
caseyb@xxxxxxxxxxxxxxxxxx
406-247-3792
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Wednesd |
|
|