Solved

WSUS Duplicate SIDs

Posted on 2014-03-14
Last Modified: 2016-02-20
Guys, I've put numerous posts out regarding this and kind of need this explaining as Google posts are confusing me.

We have 100 PCs on the domain and due to previous images being used and sysprep not being either run or completed it seems that we have around 700 PCs with duplicate PC SIDs.

I understand that there is a PC SID and a different SUS SID. I used PSGetSID to give me the PC SID and dropped into the registry to find the SUS SID.

Both of these are different, however, the PC SID on my PC is a duplicate picked up by LANSweeper. I have run the 'duplicate SID' .bat file which I believe has changed the SUS SID but I need to know the following.

My PC SID is the same (duplicated with the 699 others), but I'm sure my SUS SID is different now I've changed it (running the duplicate script).

Will my WSUS server use the SUS SID to identify the nodes, and if so is the SUS SID tagged to the PC SID? If it is tagged will a duplicate PC SID impact the new SUS SID?

Hope this makes sense as I don't want to throw the duplicate SID script over GPO to 700 PCs if it isn't going to work.
Question by:CTCRM
6 Comments
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39930398
It can vary depending on the version of WSUS server and client you use.
If it's remotely up to date, it'd be using WSUS Server 3.0 NOT 2.0.
If you use the WSUS Client that comes with WSUS server 3.0, you're better off as well.

If you are up to date (3.0) with WSUS versions:

...Then SusClientID is what is important.  That's because with the later (3.0) releases of WSUS, there's a "Susclientidvalidation" registry whose registry data is based on your PC's hardware. If your hardware changes (i.e. a machine has been cloned), the SusClientIDvalidation doesn't match up and WSUS knows the machine was cloned, and knows to generate the machine a new unique SusClientID and new Susclientidvalidation. Got it?

Although, I wouldn't want all my PCs to have the same machine SID, it doesn't have to be unique for WSUS to work properly.

Here's a clip from M$:

"We have added an automatic feature to the Windows Update Agent that is installed on WSUS client computers. This feature can help address this duplicate-SusClientID issue. The feature provides a solution that is added to the client-side Windows Update Agent starting with version 7.0.6000.374. (This version is the client version that was included with WSUS 3.0.)

This solution uses a hardware validation routine to determine whether the current client hardware has changed since the SUSClientID value was created. (This hardware includes network adapters and hard disks.)

The hardware validation routine is stored as a binary large object in the Susclientidvalidation registry key at the same location as the Susclientid registry value. If the hardware validation routine indicates that all the hardware has changed, a new SusClientID value is generated by the client. "
 
LVL 2

Author Comment

by:CTCRM
ID: 39933875
I'm currently running WSUS 3.0 on a 2k8 R2 box which should be quite up to date.

So is it safe to say that if I run the duplicate sid .bat file that stops WSUS Client services, generates a new susclient sid and then restarts the services over GPO to all my troubled clients this would resolve the issue?
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39934137
I'm fairly certain that would work fine. While I usually sysprep my cloned machines to wipe the SID, some are flat out clones with the same SID and WSUS is fine after re-generating the susclient id.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39934316
WSUS SID and PC SID have nothing to do with each other!!!
 
LVL 15

Accepted Solution

by:
ZabagaR earned 300 total points
ID: 39934472
We already established that WSUS SID and PC SID have nothing to do with each other,
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 39936385
Thanks, I'm going to incorporate the duplicatesid.bat file into a GPO login script for the 700 troubled PCs, then re-discover clients from the WSUS server.
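
The reset discussed in this thread, as an added PowerShell example (it is not the duplicatesid.bat mentioned above, whose contents the page does not show): it clears `SusClientId` and `SusClientIdValidation` only on machines that still carry the ID from the cloned image, so it can run on every boot without re-registering healthy clients. It assumes the Windows Update Agent key under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate` and an elevated context (for example a computer startup script, since it stops a service and edits HKLM); the GUID in `$ClonedIds` is a constructed placeholder.

```powershell
# Added example: conditional SusClientId reset for cloned WSUS clients.
# Must run elevated: it stops wuauserv and deletes values under HKLM.

$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Constructed placeholder: replace with the SusClientId value(s) that were
# baked into the un-sysprepped image and are shared by the cloned machines.
$ClonedIds = @('00000000-0000-0000-0000-000000000000')

function Get-SusClientId {
    # Returns the current SusClientId, or $null if the value does not exist.
    $prop = Get-ItemProperty -Path $WuKey -Name SusClientId -ErrorAction SilentlyContinue
    if ($prop) { $prop.SusClientId } else { $null }
}

$current = Get-SusClientId

if (-not $current) {
    Write-Output 'No SusClientId present; the agent will generate one at next detection.'
    return
}

if ($ClonedIds -notcontains $current) {
    # Already unique (reset earlier, or regenerated by hardware validation).
    Write-Output "SusClientId $current is not a known cloned value; nothing to do."
    return
}

Write-Output "SusClientId $current matches the cloned image; resetting."

# Stop the agent so it does not rewrite the values while they are removed.
Stop-Service -Name wuauserv -Force

# Remove both the ID and its hardware-validation blob, so the agent
# generates a fresh pair instead of re-validating the old one.
foreach ($name in 'SusClientId', 'SusClientIdValidation') {
    Remove-ItemProperty -Path $WuKey -Name $name -ErrorAction SilentlyContinue
}

Start-Service -Name wuauserv

# Ask the agent to re-register with the WSUS server and check in now.
& "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
```

The new `SusClientId` is written by the agent during the following detection cycle, so confirm the result from the WSUS console (one computer entry per machine) rather than by re-reading the registry immediately.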