

Computer Account in Active Directory

Posted on 2008-10-16
Medium Priority
Last Modified: 2011-10-03
We've been seeing a lot of strange issues in our domain with two of our servers, one named server1 and the other server2.  This all came to light when one of the computers, server1, was showing up in our WSUS console.  I manually ran wuauclt /detectnow to see if it would resolve the issue.  I checked the Windows Update log and it indicates it's contacting the correct WSUS server, but it still won't show up in WSUS.  I then decided to disjoin and rejoin the servers to see if there was some sort of AD computers.  server2 had no problem.  server1, however, disjoined and rejoined without a problem.  However, the computer account never shows up in Active Directory.  Normally I would expect that I wouldn't be able to log on and would receive a message about the computer account missing or the DC being down, but I was able to log on without a problem.  Any idea on this?
Question by:georgedschneider
LVL 31

Expert Comment

ID: 22731428
Sometimes things end up where we don't expect them to be.  Here are a few ideas.

First thing I would check would be 'gpresult > c:\temp\gpresult.log' and look at that - might want to compare it to server2 to see what differences there are.

Try searching in ADUC for computers and remote installation servers and you can also try a custom search and select exchange server, and make sure you are searching the entire directory not just the domain.
Also make sure you are getting the name of the box correctly - I am assuming server1 is a posting alias.  Make sure to be careful of 0/O, 1/I/l, etc. I find it easiest to copy/paste from the system properties/computer name tab into notepad as its normal font usually jumps out well enough.  If you are able to search ADUC from that box with the issues you are having, then you could paste it into there directly.

I would also take a look into DNS and make sure that it is showing up properly there.

You can also try doing 'gpupdate /force' and see if that might help out.
LVL 31

Expert Comment

ID: 22731487
If that doesn't work, you could get a lot more information by adding the /V switch to the gpresult - normally you don't need this much info, but just in case you do I'm throwing it out there.   With normal gpresult you could get away without piping it to a log file as I included in my previous post, but with /V you have to, as it will overflow your cmd box buffer.

Author Comment

ID: 22733743
The strangest thing is it finally showed up and I moved the computer account from Computers to the servers OU where all servers are located except for DCs. I ran gpupdate and then gpresult to see what was applied and everything seems correct.  I then ran wuauclt /detectnow to force reporting in to the WSUS server.  Here's where the strange issues begin:

In the WSUS console there seems to be something strange between server1 and server2.  The actual names are the same, with the only difference being the 1 and 2.  At first server1 was appearing.  Now after running wuauclt /detectnow only server2 is appearing.  This is very strange.  Any idea on why one server will appear and not the other?   And occasionally they will flip-flop which one is appearing in the WSUS console.

LVL 31

Expert Comment

ID: 22735129
These aren't new servers, correct?  Like two built from the same image?
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 22735238
Look at the following reg key on 2 machines and see if they match. See if the susclientid numbers are the same.


Run this in a bat file (you can back up the reg key manually first if you want)

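@echo on
REM Stop the Windows Update service before changing its registry values
net stop wuauserv
REM Remove the cloned WSUS client identity values
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REM Restart the service, then reset authorization and trigger detection
net start wuauserv
wuauclt /resetauthorization /detectnow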
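
The SusClientId comparison suggested in the accepted solution, scaled to a list of servers, as an added example that is not part of the original thread. The function names, host names and GUIDs are hypothetical and the inventory is constructed; the registry path and value name are the ones used in the batch file above.

```powershell
# Added example: find machines that share a WSUS client ID (SusClientId).
# Registry path and value name are taken from the batch file in the thread.
$WuKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-LocalSusClientId {
    # Run on each server; emits one inventory record for the local machine.
    $props = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SusClientId  = $props.SusClientId   # $null when the value is absent
    }
}

function Find-DuplicateSusClientId {
    # Takes inventory records from the pipeline and returns one row per
    # SusClientId that is used by more than one computer.
    param([Parameter(ValueFromPipeline)] $Record)
    begin   { $all = @() }
    process { if ($Record.SusClientId) { $all += $Record } }   # skip hosts with no ID yet
    end {
        $all |
            Group-Object -Property SusClientId |
            Where-Object Count -gt 1 |
            ForEach-Object {
                [pscustomobject]@{
                    SusClientId = $_.Name
                    Computers   = ($_.Group.ComputerName | Sort-Object) -join ', '
                }
            }
    }
}

# Constructed sample inventory (hypothetical host names and GUIDs).
$inventory = @(
    [pscustomobject]@{ ComputerName = 'SERVER1'; SusClientId = '11111111-2222-3333-4444-555555555555' }
    [pscustomobject]@{ ComputerName = 'SERVER2'; SusClientId = '11111111-2222-3333-4444-555555555555' }
    [pscustomobject]@{ ComputerName = 'SERVER3'; SusClientId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' }
    [pscustomobject]@{ ComputerName = 'SERVER4'; SusClientId = $null }
)

# SERVER1 and SERVER2 are reported together; SERVER3 and SERVER4 are not listed.
$inventory | Find-DuplicateSusClientId | Format-Table -AutoSize
```

Collect one record per server with Get-LocalSusClientId and pipe the combined list into Find-DuplicateSusClientId; every row returned is a group of machines that WSUS will track as a single client.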

Author Comment

ID: 22735840
I assume the susid is some sort of ID for WSUS, which makes sense since I created the second server based off a complete backup of the first server including the system state.  I then changed the name, which wouldn't have changed the susid.  What do the /v and /f switches do?
LVL 31

Expert Comment

ID: 22769546
Sorry, was out for a few days...  /v precedes the ValueName. /f forces the deletion without prompt.
Whenever you use a base image to make another, it is best to use sysprep to prevent these issues.  In a best case scenario, you would run sysprep and have it power off the box, then you could boot up into an imaging program (e.g. Ghost) or some other offline backup type prior to loading windows.  This would ensure that new security identifiers, machine names, etc. are generated prior to the system coming online.

You can get sysprep.exe from the deployment tools package for whatever OS you need to sysprep.  Generally speaking whatever the newest one is will support the older ones as well, so you shouldn't have to keep a number of versions around.  Whenever a new service pack comes out, just google it, e.g. 'sysprep windows server 2003 service pack 2 download' and you should be in business:

Here are some general 'how to' type links:
