Solved

WSUS Duplicate SIDs

Posted on 2014-03-14
Last Modified: 2016-02-20
Guys, I've put numerous posts out regarding this and kind of need this explaining as Google posts are confusing me.

We have 100 PCs on the domain and due to previous images being used and sysprep not being either run or completed it seems that we have around 700 PCs with duplicate PC SIDs.

I understand that there is a PC SID and a different SUS SID. I used PSGetSID to give me the PC SID and dropped into the registry to find the SUS SID.

Both of these are different, however, the PC SID on my PC is a duplicate picked up by LANSweeper. I have run the 'duplicate SID' .bat file which I believe has changed the SUS SID but I need to know the following.

My PC SID is the same (duplicated with the 699 others), but I'm sure my SUS SID is different now I've changed it (running the duplicate script).

Will my WSUS server use the SUS SID to identify the nodes, and if so is the SUS SID tagged to the PC SID? If it is tagged will a duplicate PC SID impact the new SUS SID?

Hope this makes sense as I don't want to throw the duplicate SID script over GPO to 700 PCs if it isn't going to work.
Question by:CTCRM
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39930398
It can vary depending on the version of WSUS server and client you use.
If it's remotely up to date, it'd be using WSUS Server 3.0 NOT 2.0.
If you use the WSUS Client that comes with WSUS server 3.0, you're better off as well.

If you are up to date (3.0) with WSUS versions:

...Then SusClientID is what is important.  That's because with the later (3.0) releases of WSUS, there's a "Susclientidvalidation" registry whose registry data is based on your PC's hardware. If your hardware changes (i.e. a machine has been cloned), the SusClientIDvalidation doesn't match up and WSUS knows the machine was cloned, and knows to generate the machine a new unique SusClientID and new Susclientidvalidation. Got it?

Although, I wouldn't want all my PCs to have the same machine SID, it doesn't have to be unique for WSUS to work properly.

Here's a clip from M$:

"We have added an automatic feature to the Windows Update Agent that is installed on WSUS client computers. This feature can help address this duplicate-SusClientID issue. The feature provides a solution that is added to the client-side Windows Update Agent starting with version 7.0.6000.374. (This version is the client version that was included with WSUS 3.0.)

This solution uses a hardware validation routine to determine whether the current client hardware has changed since the SUSClientID value was created. (This hardware includes network adapters and hard disks.)

The hardware validation routine is stored as a binary large object in the Susclientidvalidation registry key at the same location as the Susclientid registry value. If the hardware validation routine indicates that all the hardware has changed, a new SusClientID value is generated by the client."
 
LVL 2

Author Comment

by:CTCRM
ID: 39933875
I'm currently running WSUS 3.0 on a 2k8 R2 box which should be quite up to date.

So is it safe to say that if I run the duplicate sid .bat file that stops WSUS Client services, generates a new susclient sid and then restarts the services over GPO to all my troubled clients this would resolve the issue?
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39934137
I'm fairly certain that would work fine. While I usually sysprep my cloned machines to wipe the SID, some are flat out clones with the same SID and WSUS is fine after re-generating the susclient id.
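
The reset procedure discussed in this thread (stop the Windows Update service, clear the SusClientId, restart the service), as an added PowerShell example; it is not the duplicatesid.bat mentioned above and was not posted by any participant. It adds a guard so that a script pushed by GPO resets each machine only once. The marker key and the cloned-ID list are hypothetical placeholders, and the script must run with administrative rights.

```powershell
# Added example: one-time SusClientId reset for cloned WSUS clients.
# Must run elevated (for example as a computer startup script).

$WuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$MarkerKey = 'HKLM:\SOFTWARE\ExampleOrg\WsusIdReset'   # hypothetical marker location
# Constructed placeholder: the SusClientId value(s) baked into the cloned image.
$ClonedIds = @('00000000-0000-0000-0000-000000000000')

function Test-NeedsReset {
    param([string]$CurrentId, [string[]]$KnownClonedIds, [bool]$AlreadyReset)
    if ($AlreadyReset) { return $false }                 # already handled on this machine
    if ([string]::IsNullOrEmpty($CurrentId)) { return $false }  # agent will generate an ID itself
    return $KnownClonedIds -contains $CurrentId          # reset only IDs known to be cloned
}

$props        = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
$currentId    = if ($props) { $props.SusClientId } else { $null }
$alreadyReset = Test-Path $MarkerKey

if (Test-NeedsReset -CurrentId $currentId -KnownClonedIds $ClonedIds -AlreadyReset $alreadyReset) {
    Stop-Service -Name wuauserv -Force

    # Remove the ID and its hardware-validation blob so the agent regenerates both.
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $WuKey -Name $name -ErrorAction SilentlyContinue
    }

    Start-Service -Name wuauserv

    # Ask the agent to re-register with WSUS under its newly generated ID.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow

    # Record the reset so later runs of the same GPO script are no-ops.
    New-Item -Path $MarkerKey -Force | Out-Null
    New-ItemProperty -Path $MarkerKey -Name 'OldSusClientId' -Value $currentId -Force | Out-Null
    Write-Output "SusClientId reset; previous value was $currentId"
} else {
    Write-Output 'No reset needed on this machine.'
}
```

Without the guard, a script that runs at every startup or logon would give the client a new ID each time, leaving a stale computer entry in the WSUS console per run.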
LVL 47

Expert Comment

by:dstewartjr
ID: 39934316
WSUS SID and PC SID have nothing to do with each other!!!
 
LVL 15

Accepted Solution

by:
ZabagaR earned 300 total points
ID: 39934472
We already established that WSUS SID and PC SID have nothing to do with each other,
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 39936385
Thanks, I'm going to incorporate the duplicatesid.bat file into a GPO login script for the 700 troubled PCs, then re-discover clients from the WSUS server.