Solved

WSUS Duplicate SIDs

Posted on 2014-03-14
Last Modified: 2016-02-20
Guys, I've put numerous posts out regarding this and kind of need this explaining as Google posts are confusing me.

We have 100 PCs on the domain and due to previous images being used and sysprep not being either run or completed, it seems that we have around 700 PCs with duplicate PC SIDs.

I understand that there is a PC SID and a different SUS SID, I used PSGetSID to give me the PC SID and dropped into the registry to find the SUS SID.

Both of these are different, however, the PC SID on my PC is a duplicate picked up by LANSweeper. I have run the 'duplicate SID' .bat file which I believe has changed the SUS SID but I need to know the following.

My PC SID is the same (duplicated with the 699 others), but I'm sure my SUS SID is different now I've changed it (running the duplicate script).

Will my WSUS server use the SUS SID to identify the nodes, and if so is the SUS SID tagged to the PC SID? If it is tagged will a duplicate PC SID impact the new SUS SID?

Hope this makes sense as I don't want to throw the duplicate SID script over GPO to 700 PCs if it isn't going to work.
Question by:CTCRM
6 Comments
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39930398
It can vary depending on the version of WSUS server and client you use.
If it's remotely up to date, it'd be using WSUS Server 3.0 NOT 2.0.
If you use the WSUS Client that comes with WSUS server 3.0, you're better off as well.

If you are up to date (3.0) with WSUS versions:

...Then SusClientID is what is important. That's because with the later (3.0) releases of WSUS, there's a "Susclientidvalidation" registry whose registry data is based on your PC's hardware. If your hardware changes (i.e. a machine has been cloned), the SusClientIDvalidation doesn't match up and WSUS knows the machine was cloned, and knows to generate the machine a new unique SusClientID and new Susclientidvalidation. Got it?

Although, I wouldn't want all my PCs to have the same machine SID, it doesn't have to be unique for WSUS to work properly.

Here's a clip from M$:

"We have added an automatic feature to the Windows Update Agent that is installed on WSUS client computers. This feature can help address this duplicate-SusClientID issue. The feature provides a solution that is added to the client-side Windows Update Agent starting with version 7.0.6000.374. (This version is the client version that was included with WSUS 3.0.)

This solution uses a hardware validation routine to determine whether the current client hardware has changed since the SUSClientID value was created. (This hardware includes network adapters and hard disks.)

The hardware validation routine is stored as a binary large object in the Susclientidvalidation registry key at the same location as the Susclientid registry value. If the hardware validation routine indicates that all the hardware has changed, a new SusClientID value is generated by the client."
 
LVL 2

Author Comment

by:CTCRM
ID: 39933875
I'm currently running WSUS 3.0 on a 2k8 R2 box which should be quite up to date.

So is it safe to say that if I run the duplicate sid .bat file that stops WSUS Client services, generates a new susclient sid and then restarts the services over GPO to all my troubled clients this would resolve the issue?
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39934137
I'm fairly certain that would work fine. While I usually sysprep my cloned machines to wipe the SID, some are flat out clones with the same SID and WSUS is fine after re-generating the susclient id.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39934316
WSUS SID and PC SID have nothing to do with each other!!!
 
LVL 15

Accepted Solution

by:
ZabagaR earned 300 total points
ID: 39934472
We already established that WSUS SID and PC SID have nothing to do with each other,
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 39936385
Thanks, I'm going to incorporate the duplicatesid.bat file into a GPO login script for the 700 troubled PCs, then re-discover clients from the WSUS server.
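
A run-once version of the reset discussed in this thread, as an added example rather than the duplicatesid.bat script the posters refer to (its contents are not shown on the page). It assumes an elevated context such as a computer startup script, since stopping the service and editing HKLM need administrative rights; the marker key `HKLM:\SOFTWARE\ExampleOrg\WsusIdReset` is a hypothetical name.

```powershell
# Added example: one-time SusClientId reset for cloned WSUS clients.
# Assumes it runs elevated (e.g. as SYSTEM); the marker key name is hypothetical.
$wuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$markerKey = 'HKLM:\SOFTWARE\ExampleOrg\WsusIdReset'   # hypothetical marker location
$idValues  = 'SusClientId', 'SusClientIdValidation'

# Skip machines that were already reset, so repeated runs do not keep
# registering the same PC under new IDs on the WSUS server.
if (Test-Path $markerKey) {
    Write-Output 'SusClientId already reset on this machine; nothing to do.'
    return
}

# Remember the old (cloned) ID so the stale WSUS entry can be identified later.
$before = (Get-ItemProperty -Path $wuKey -Name SusClientId -ErrorAction SilentlyContinue).SusClientId

Stop-Service -Name wuauserv -Force -ErrorAction Stop
try {
    foreach ($name in $idValues) {
        # Remove only the values that actually exist on this machine.
        if ($null -ne (Get-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $wuKey -Name $name -ErrorAction Stop
        }
    }
}
finally {
    # Always bring the Windows Update service back, even if a removal failed.
    Start-Service -Name wuauserv
}

# Ask the agent to re-register with WSUS; it generates a fresh SusClientId.
& "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow

# Record the reset so the script is a no-op on every later run.
New-Item -Path $markerKey -Force | Out-Null
New-ItemProperty -Path $markerKey -Name OldSusClientId -Value "$before" -PropertyType String -Force | Out-Null
New-ItemProperty -Path $markerKey -Name ResetAt -Value (Get-Date -Format o) -PropertyType String -Force | Out-Null
```

The `OldSusClientId` value left in the marker key lets an administrator match each machine to the shared entry it previously reported under when cleaning up the WSUS console.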