Solved

Reuse a computer object in Active Directory

Posted on 2012-12-27
5
5,615 Views
Last Modified: 2013-12-04
Because of the way a certain program functions, when replacing a PC with this program installed we name the new PC the same as the old PC.
We image and build a replacement PC with the same name as the old machine but with an "R" appended to the name so we don't have issues with duplicate names, and leave it off the domain.
To put the new PC in place we remove the old PC from the domain and delete the object from AD, wait an hour for replication to take place, then rename the new machine to the same name as the old one and join it to the domain, reboot, log on, run "set" from a command prompt and see what the logonserver is, connect to that DC and see if the computer is in the default "Computers" container or in the OU that the old PC was in. If it's in the default Computers container, all is good. If it's in the OU that the old PC was in, then it's picked up the old computer object and problems will eventually arise. Usually the object's "Computer name (pre-Windows 2000):" will have "(duplicate)" in the name or just random garbage. Eventually the computer will lose its trust to the domain and users will be unable to log on, but this is not until after various other trust issues between programs and files arise.
The only way we've found to be certain we don't run into issues is to keep removing the new PC from the domain, deleting the object from the DC it's showing up on in the old PC's OU, and rejoining to the domain. This continues until it shows in the default Computers container. The most we've had to do this is 4 times (remove/join to domain).
This is a large organization with hundreds of locations across the country and hundreds of DC's.
My question is: is there an easier way to do this, or is it possible to reuse the same computer object? Disassociate the old computer and associate the new one?
We are currently at a Server 2003 functional level.

Thanks!
0
Question by:admtrouble
5 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 38724423
Right click the computer object in Active Directory Users and Computers, Reset Account.  Now the computer account can be re-used by any computer trying to join with the same name.
0
 

Author Comment

by:admtrouble
ID: 38725191
Tried that. There's no telling what DC a PC in the field is going to hit when it joins the domain, so I believe resetting the account has to replicate across the DC's just like deleting the account does. If it connects up to an object on a DC that hasn't received the "reset" function yet, we run into the same problems.
0
 
LVL 22

Assisted Solution

by:mcsween
mcsween earned 250 total points
ID: 38725629
If your sites are set up correctly in AD Sites and Services it will always use one in its own site if there is one.  Changes should replicate within a site in less than 60 seconds.

If there is no domain controller at your site it will use the lowest cost link from that site; under most network topologies you can guess which domain controller it will use, or at least which site.

If this is not the case it might be that you don't have sites and site links set up in AD Sites and Services.
0
 
LVL 4

Accepted Solution

by:jjjosef
jjjosef earned 0 total points
ID: 38726401
Hi. Well, I'm not sure exactly, but you can pre-stage the computer accounts before joining the computer to the domain.

http://technet.microsoft.com/en-us/library/cc770832(WS.10).aspx

And please give a little bit more information about your imaging and rejoining to the domain.

And look at these links and reply back if they help you out.

http://technet.microsoft.com/en-us/library/cc961809.aspx

http://technet.microsoft.com/en-us/library/cc770832(WS.10).aspx

Moreover

When you join the computer to the domain, it generates a new SID. The name of the computer account that exists in AD is assigned an SID as well. As far as AD is concerned, the computer account name that already exists still exists in the real world and won't let you change which computer it is. With Windows 2003, there is no way to deploy a computer with a name that already exists in AD. You have to delete the old computer account in order to have a computer take on that name. You may be able to do it through ADSIEdit, but that's more trouble than it's worth. Windows 2008, on the other hand, will allow you to assign a GUID (the hardware's unique ID) to a computer name prior to deploying the operating system.

Thanks
0
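The thread's two recommendations, deleting the stale object and waiting for replication, then pre-staging the account in the right OU, can be checked rather than guessed at. The script below is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module and a reachable DC running Active Directory Web Services (so a 2008 R2 or later DC, even at a 2003 functional level), and the computer name and OU are placeholders.

```powershell
# Added example: verify a delete/pre-stage has converged on every DC before
# the replacement PC joins. Placeholders: $ComputerName, $TargetOU.
Import-Module ActiveDirectory

$ComputerName = 'WS-EXAMPLE'                            # placeholder name being reused
$TargetOU     = 'OU=Workstations,DC=corp,DC=example'    # placeholder OU the old PC lived in

# The question's concern: the joining PC may authenticate to any DC. Query
# each one directly (-Server) instead of trusting a single DC's view.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function Get-LaggingDCs {
    # Returns the DCs whose copy of the object does not match the expected
    # state ($ShouldExist): still present after a delete, or absent after a pre-stage.
    param([string]$Name, [string[]]$Servers, [bool]$ShouldExist)
    $lagging = @()
    foreach ($dc in $Servers) {
        try {
            $null   = Get-ADComputer -Identity $Name -Server $dc -ErrorAction Stop
            $exists = $true
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $exists = $false
        } catch {
            Write-Warning "$dc unreachable, skipping: $($_.Exception.Message)"
            continue
        }
        if ($exists -ne $ShouldExist) { $lagging += $dc }
    }
    return $lagging
}

# Step 1: after deleting the old object in ADUC, wait until no DC still holds it.
while (($left = Get-LaggingDCs -Name $ComputerName -Servers $dcs -ShouldExist $false).Count -gt 0) {
    Write-Host "Deletion not yet replicated to: $($left -join ', ')"
    Start-Sleep -Seconds 60
}

# Step 2: pre-stage the account in the intended OU so the join binds to this
# object (and lands where you want it) instead of a stale one.
New-ADComputer -Name $ComputerName -SAMAccountName "$ComputerName`$" -Path $TargetOU -Enabled $true

# Step 3: wait until every DC has the pre-staged object, then rename and join the PC.
while (($left = Get-LaggingDCs -Name $ComputerName -Servers $dcs -ShouldExist $true).Count -gt 0) {
    Write-Host "Pre-staged object not yet on: $($left -join ', ')"
    Start-Sleep -Seconds 60
}
# After the join, (Get-ADComputer $ComputerName).DistinguishedName should end with $TargetOU.
```

With hundreds of DCs, narrow `$dcs` to the site the PC will join from (`Get-ADDomainController -Filter { Site -eq 'SiteName' }`), since per mcsween's comment that is where the join will authenticate.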
