TechInTheWoods asked:

Active Directory Best Practices with Computer Accounts

I have read some knowledge base answers that address this, but not quite as fully as I need. So here is our situation: We have a pretty large number of computers in our domain (3000 +) and Active Directory is constantly outdated because computers are not removed from the Domain correctly. Sometimes this is because of circumstances out of our control (major system crashes); other times it is simply because it is quicker to just re-image computers without removing them from the domain.
The resultant disarray in AD is the cause for many other applications having unreliable information (such as our antivirus database), which makes it very hard to tell if the computers not getting updates are real or simply phantom accounts long ago abandoned. I know I can do queries about when a computer was last updated, but a very large percentage of our computers are laptops which may or may not have connected within a period of time.
Currently we add computers to the network as we image them, rather than pre-populating AD with names. I need to know some information about doing it the other way. Can I set up AD so only pre-named computer accounts can be used? How do we use those accounts? Previously when we have tried it that way we have gotten errors that "The computer name already exists in the domain." How do we re-use the name when we re-image the computers? (This happens pretty frequently, especially with our mobile computers.) I have seen that you can reset computer accounts, but I have never been successful in adding a new computer with a name that is already in AD on a consistent basis. Any help on how this is supposed to work would be great!

ASKER CERTIFIED SOLUTION
Netman66

This solution is only available to members.

TechInTheWoods (ASKER)

"As far as why you get errors when a computername is pre-created and then you attempt to use it from a workstation - I don't know.  The only way you'd get an error is if the name is in use by another workstation, but not simply by creating it first."

Could this happen because the computers are not properly removed from the domain prior to being re-imaged?

No.

Reimaging a workstation before removing it from the domain isn't an issue.  Reset the computer account in AD to reuse it.

Thanks for the guidance on the AD Best Practice. I would still like to know what could cause the issue of not being able to re-use a computer account in AD (Yes, even AFTER it has been reset) but this is good knowledge for configuration, so I will award the points based on that.
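
One way to tell phantom computer accounts from laptops that are merely away, shown as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT); the OU path, the 120-day threshold and the CSV file name are placeholders to adjust.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: placeholder values, adjust to your environment.
$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$StaleDays  = 120                                   # generous, to allow for travelling laptops
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties LastLogonDate, PasswordLastSet, whenCreated, OperatingSystem

$stale = foreach ($c in $computers) {
    # LastLogonDate is the replicated lastLogonTimestamp; it can lag by up to about 14 days.
    # PasswordLastSet moves when the machine rotates its own account password
    # (every 30 days by default), so it is a second, independent sign of life.
    # whenCreated keeps freshly pre-staged accounts from being flagged before first use.
    $signs    = @($c.LastLogonDate, $c.PasswordLastSet, $c.whenCreated) | Where-Object { $_ }
    $lastSeen = $signs | Sort-Object -Descending | Select-Object -First 1

    if ($lastSeen -lt $Cutoff) {
        [pscustomobject]@{
            Name              = $c.Name
            LastSeen          = $lastSeen
            LastLogonDate     = $c.LastLogonDate
            PasswordLastSet   = $c.PasswordLastSet
            OperatingSystem   = $c.OperatingSystem
            DistinguishedName = $c.DistinguishedName
        }
    }
}

# Review this list against the antivirus console and asset records before acting on it.
$stale | Sort-Object LastSeen |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Disable rather than delete, so a laptop that reappears can simply be re-enabled.
# -WhatIf only prints what would happen; remove it after the CSV has been reviewed.
foreach ($s in $stale) {
    Disable-ADAccount -Identity $s.DistinguishedName -WhatIf
}
```

An account is reported only when its last logon, last machine password change and creation date are all older than the cutoff, which avoids flagging a machine on a single lagging attribute.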