We help IT Professionals succeed at work.

Clients Dropped From Domain

dtchelpdesk2009
on
Medium Priority
231 Views
Last Modified: 2013-12-04
Recently we have had computers when we come in that are no longer in the domain. I beleive that there may be a problem with a patch being deployed via Altiris patch management but cannot verify that. I have never seen this behavior before. I experienced it on my own machine and approx 60 others on the network. We are able to rejoin the computers to the domain and then some of them have dropped out a second or third time. We beleive it may be a problem with XP SP3 since there are reports of unusual problems associated with that package. Does anyone know what event id is associated with a computer joining a workgroup? Domain? These are the patches that were deployed on the bulk of the machines we had the problem with.
Windows XP Hotfix KB938464 was installed.
Windows XP Hotfix KB950759 was installed.
Windows XP Hotfix KB950762 was installed.
Windows XP Hotfix KB950974 was installed.
Windows XP Hotfix KB951066 was installed.
Windows XP Hotfix KB951376 was installed.
Windows XP Hotfix KB951376-v2 was installed.
Windows XP Hotfix KB951698 was installed.
Windows XP Hotfix KB951748 was installed.
Windows XP Hotfix KB952287 was installed.
Windows XP Hotfix KB952954 was installed.
Windows XP Hotfix KB953155 was installed.
Windows XP Hotfix KB953838 was installed.
Windows XP Hotfix KB954211 was installed.
Windows XP Hotfix KB954600 was installed.
Windows XP Hotfix KB955069 was installed.
Windows XP Hotfix KB956390 was installed.
Windows XP Hotfix KB956802 was installed.
Windows XP Hotfix KB956803 was installed.
Windows XP Hotfix KB956841 was installed.
Windows XP Hotfix KB957095 was installed.
Windows XP Hotfix KB957097 was installed.
Windows XP Hotfix KB958215 was installed.
Windows XP Hotfix KB958644 was installed.
Windows XP Hotfix KB958687 was installed.
Windows XP Hotfix KB959252 was installed.
Windows XP Hotfix KB960714 was installed.
Windows XP Service Pack 3 was installed
Comment
Watch Question

On the workstation, you'll see event ID 3260 when you join the domain (http://www.eventid.net/display.asp?eventid=3260&source=).  

Do you see any errors/warnings in your event logs around the time the machines drop out of the domain?
Adam LeinssSystems Administrator
CERTIFIED EXPERT

Commented:
We just pushed out SP3 to over 900 XP workstations, so I doubt its SP3.  Sounds more like a name collision issue.  If you look in the event logs, is anything be generated?
I agree with aleinss on the SP3 point- we've deployed it sporadically and haven't had any issues.

Author

Commented:
Thank you for the ID we are looking into the problem and will post back. If anyone has further suggestions please post. I am not seeing anything in the event logs out of the norm. We are going to build a test system and see if we can break it.
Adam LeinssSystems Administrator
CERTIFIED EXPERT

Commented:
Maybe turn on audit logging on your domain controllers.  If some little trouble maker is resetting the computer accounts in ADUC that could cause workstations to lose their domain memberships.
Review who has access to join/unjoin PCs from your domain.  I never heard of such a problem on such a wide scale.
Also, all workstations have been syspreped, ie. have their own unique GUID?
Another thought:  Try patching a few workstations manually and see if you have any issues.  My gut tells me this is related to Altiris- this will help eliminate the patches themselves as the issue.

Also, after you patch via Altiris, are the computer accounts for these machines still in Active Directory?  The reason I ask is because it's very possible that you may need to only reset the computer accounts in AD (i.e., the computer password stored in AD and the one stored on the workstations has gotten out of sync and AD can no longer authenticate it).

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Thank you all for your time.

aleinss:
     We have requested the logs from the DC's but will not have them until sometime tomorrow. Yes these machines have been on the network for a long time and have all been syspreped.
snoopfrogg:
We are testing the patches one at a time with a reboot after to see if we can determine if it is a bad patch being deployed through Altiris. The accounts are still in AD and we can re-join them without resetting the accounts.

Author

Commented:
We determined that the issue is due to altiris deploying the wrong agent to the computers. The vista altiris client was improperly deployed to the xp boxes and was causing them to be removed from the domain.

Author

Commented:
I selected your solution because the problem was with altiris. Not any particular patch. Thanks for your help
Adam LeinssSystems Administrator
CERTIFIED EXPERT

Commented:
Ouch, that's a nasty bug in their product!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.