Solved

WSUS Duplicate SIDs

Posted on 2014-03-14
6
1,620 Views
Last Modified: 2016-02-20
Guys, I've put numerous posts out regarding this and kind of need this explaining as Google posts are confusing me.

We have 100 PCs on the domain and due to previous images being used and sysprep not being either run or completed it seems that we have around 700 PCs with duplicate PC SIDs.

I understand that there is a PC SID and a different SUS SID, I used PSGetSID to give me the PC SID and dropped into the registry to find the SUS SID.

Both of these are different, however, the PC SID on my PC is a duplicate picked up by LANSweeper. I have run the 'duplicate SID' .bat file which I believe has changed the SUS SID but I need to know the following.

My PC SID is the same (duplicated with the other 699 others). but I'm sure my SUS SID is different now I've changed it (running the duplicate script).

Will my WSUS server use the SUS SID to identify the nodes, and if so is the SUS SID tagged to the PC SID? If it is tagged will a duplicate PC SID impact the new SUS SID?

Hope this makes sense as I don't want to throw the duplicate SID script over GPO to 700 PCs if it isn't going to work.
0
Comment
Question by:CTCRM
  • 3
  • 2
6 Comments
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39930398
It can vary depending on the version of WSUS server and client you use.
If it's remotely up to date, it'd be using WSUS Server 3.0 NOT 2.0.
If you use the WSUS Client that comes with WSUS server 3.0, you're better off as well.

If you are up to date (3.0) with WSUS versions:

...Then SUsClientID is what is important.  That's because with the later (3.0) releases of WSUS, there a "Susclientidvalidation" registry who's registry data is based on your PC's hardware. If your hardware changes (i.e. a machine has been cloned), the SusClientIDvalidation doesn't match up and WSUS knows the machine was cloned, and knows to generate the machine a new unique SusClientID and new Susclientidvalidation. Got it?

Although, I wouldn't want all my PCs to have the same machine SID, it doesn't have to be unique for WSUS to work properly.

Here's a clip from M$:

"We have added an automatic feature to the Windows Update Agent that is installed on WSUS client computers. This feature can help address this duplicate-SusClientID issue. The feature provides a solution that is added to the client-side Windows Update Agent starting with version 7.0.6000.374. (This version is the client version that was included with WSUS 3.0.)

This solution uses a hardware validation routine to determine whether the current client hardware has changed since the SUSClientID value was created. (This hardware includes network adapters and hard disks.)

The hardware validation routine is stored as a binary large object in the Susclientidvalidation registry key at the same location as the Susclientid registry value. If the hardware validation routine indicates that all the hardware has changed, a new SusClientID value is generated by the client. "
0
 
LVL 2

Author Comment

by:CTCRM
ID: 39933875
I'm currently running WSUS 3.0 on a 2k8 R2 box which should be quite up to date.

So is it safe to say that if I run the duplicate sid .bat file that stops WSUS Client services, generates a new susclient sid and then restarts the services over GPO to all my troubled clients this would resolve the issue?
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39934137
I'm fairly certain that would work fine. While I usually sysprep my cloned machines to wipe the SID, some are flat out clones with the same SID and WSUS is fine after re-generating the susclient id.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39934316
WSUS SID and PC SID have nothing to do with each other!!!
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 300 total points
ID: 39934472
We already established that WSUS SID and PC SID have nothing to do with each-other,
0
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 39936385
Thanks, I'm going to incorporate the duplicatesid.bat file into a GPO login script for the 700 troubled PCs, then re-discover clients from the WSUS server.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question