VMware View golden image computer error when updating group policy

Asked by king daddy

I exported a VM to an OVA then imported at our secondary site. It is a View Golden Image. I did not change the name or do any sysprep/quickprep but did power it on to make sure I could access it. I then created a snapshot and set up a View pool in that site that mirrors the production site.

I went to update group policy on the original golden image and received errors about LDAP binding and authentication to a DC (event ID 1006 error code 49 and event ID 1129 error code 1222) as well as a netlogon error (event ID 3210 which specifically mentions this error may be caused by another machine with the same name on the same network).

I then changed the name of the secondary site computer and rebooted. After waiting about an hour or so, I tried to update group policy but received the same error. I also get the errors on the primary site's computer.

Any help is much appreciated.
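Added triage script for the symptoms described in the question above; it is not code from the original thread. It pulls the three event IDs the asker reports (1006 and 1129 from Microsoft-Windows-GroupPolicy, 3210 from NETLOGON, all in the System log), tests the secure channel, checks whether the machine's own DNS name still resolves to it (the duplicate-name condition 3210 warns about), and looks the computer account up in AD. Only the AD lookup needs the RSAT ActiveDirectory module; the rest is inbox on Windows 7 and later.

```powershell
# Added triage script (not from the original thread). Run in an elevated PowerShell on the affected VM.
# Event IDs are the ones the asker reported; the AD lookup assumes the RSAT ActiveDirectory module.

$since   = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1006, 1129; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'NETLOGON';                      Id = 3210;       StartTime = $since }
)

Write-Host '== Recent Group Policy / Netlogon errors =='
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | Sort-Object TimeCreated | ForEach-Object {
        # First line of the message carries the error code: 49 = LDAP invalid credentials,
        # 1222 = the network is not present or not started.
        '{0:u}  {1,-5} {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
    }
}

Write-Host '== Secure channel to the domain =='
# A clone that shares the original's computer account breaks this as soon as either machine
# rotates the machine-account password, or the account is disabled by an unjoin.
Write-Host ('Test-ComputerSecureChannel: {0}' -f (Test-ComputerSecureChannel -ErrorAction SilentlyContinue))

Write-Host '== Does our DNS name still resolve to this host? =='
$cs       = Get-WmiObject Win32_ComputerSystem
$fqdn     = '{0}.{1}' -f $cs.Name, $cs.Domain
$localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
try {
    $dnsIps = [System.Net.Dns]::GetHostAddresses($fqdn) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString }
} catch { $dnsIps = @() }
$foreign = @($dnsIps | Where-Object { $localIps -notcontains $_ })
if ($foreign.Count -gt 0) {
    # Another host registered our name: this is the duplicate-name condition NETLOGON 3210 warns about.
    Write-Warning ('{0} resolves to {1}, but this host has {2}' -f $fqdn, ($foreign -join ','), ($localIps -join ','))
} elseif (-not $dnsIps) {
    Write-Warning "No A record for $fqdn (dynamic registration failed, or the record was scavenged)"
} else {
    Write-Host "$fqdn resolves to this host: $($dnsIps -join ',')"
}

Write-Host '== Computer account in AD =='
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Filter "Name -eq '$($cs.Name)'" -Properties PasswordLastSet, whenCreated, DNSHostName
    if ($acct) {
        # Two VMs on one account show up here as a PasswordLastSet that moves when the *other* machine rotates it.
        $acct | Format-List Name, DNSHostName, Enabled, PasswordLastSet, whenCreated, SID
    } else {
        Write-Warning "No computer object named $($cs.Name) in AD; gpupdate cannot succeed until the machine is (re)joined"
    }
} else {
    Write-Host 'ActiveDirectory module not installed; skipping the account lookup (nltest /sc_query:<domain> is the fallback)'
}
```

If the DNS check reports a foreign address, the other VM with the same name is still on the wire and nothing on this machine will fix it; disconnect that VM's vNIC before retrying gpupdate.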
ASKER CERTIFIED SOLUTION by Scott Silva (available to members only)
ASKER
Thanks, Scott. Ended up unjoining and rejoining. Didn't want to deal with changing the SID, which is apparently no longer supported by MS.
CLONING a machine does NOT change the Machine SID, but very few things use the Machine SID! The Machine SID is changed on a Sysprep, which is the Microsoft-recommended way of deploying clones. There are some old, defunct Machine SID changing apps! Adding to a Domain creates a Domain SID.
I did mean domain SID.
You are correct, Andrew - as usual. I was wondering if you would comment. It was more an issue of the computer having the same name as opposed to the SID, I guess. I was concerned with changing the name and having it reflect on the original, but tried anyway. After some trial-and-error, and errors, I ended up unjoining, changing the name, and then rejoining. Shortly after, I was able to see both machines (original and newly named clone) in AD and DNS and successfully run gpupdate. There were also no other errors in the Windows system logs.

For reference, this was supposed to be a secondary site and not turned on until needed, but 1) we needed to test it and 2) we may now run it simultaneously for some users in another location, so I didn't initially think much about prepping the clone.

Thanks all.
Computers with the same name will always give you issues.

For further information on the mythical Machine SID issue, have a read of this...

https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/

This concludes that the Machine SID is not used!

So two computers with the same Machine SID (e.g. cloned) may not cause an issue on the Domain!

Two computers cloned with the same name, or the same Domain SID, would cause an issue!

So if you change the name and add it to the domain, even if it had the same SID, it does not cause an issue! (However, cloning PCs may give you other issues with WSUS, which uses a client ID in the registry that cannot be changed, not the SID. When you use Sysprep it resets the client ID to a unique value (UUID), as well as the SID.)

So back to Microsoft's recommendation of using Sysprep to generalise and change the SID before rollout... but your Domain is not going to blow up if you don't! Just good practice!
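Added example, not code from the original thread, that collects the identities the post above keeps apart (machine SID, the computer account's domain SID, and the WSUS client ID) so an original and its clone can be compared field by field, which is also the check the asker says they want to run next. Inbox cmdlets only; run Get-CloneIdentity on each VM and hand both results to Compare-CloneIdentity. The verdict strings are mine and follow the reasoning in the thread.

```powershell
# Added example (not from the original thread). Works on Windows 7 / PowerShell 2.0 and later.

function Get-CloneIdentity {
    $cs = Get-WmiObject Win32_ComputerSystem

    # Every local account SID is <machine SID>-<RID>, so strip the RID from any local account.
    $localSid   = (Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = TRUE' | Select-Object -First 1).SID
    $machineSid = $localSid -replace '-\d+$', ''

    # The computer account's SID lives in AD; LSA resolves DOMAIN\HOST$ when a DC is reachable.
    $accountSid = $null
    if ($cs.PartOfDomain) {
        try {
            $nt = New-Object System.Security.Principal.NTAccount($cs.Domain, ('{0}$' -f $cs.Name))
            $accountSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Could not resolve $($cs.Domain)\$($cs.Name)`$: $($_.Exception.Message)" }
    }

    # Copied verbatim by a plain clone; Sysprep /generalize clears it so the agent regenerates it.
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        Name        = $cs.Name
        Domain      = $cs.Domain
        MachineSid  = $machineSid
        AccountSid  = $accountSid
        SusClientId = $wu.SusClientId
    }
}

function Compare-CloneIdentity {
    param(
        [Parameter(Mandatory = $true)] $Original,
        [Parameter(Mandatory = $true)] $Clone
    )
    # Verdicts follow the thread: a shared name or computer-account SID is a real conflict,
    # a shared WSUS client ID confuses WSUS, a shared machine SID is benign on its own.
    $rules = @(
        @{ Field = 'Name';        IfShared = 'CONFLICT: two machines with one computer name' },
        @{ Field = 'AccountSid';  IfShared = 'CONFLICT: both VMs authenticate as the same AD computer account' },
        @{ Field = 'SusClientId'; IfShared = 'PROBLEM: WSUS will see one client, not two' },
        @{ Field = 'MachineSid';  IfShared = 'benign on its own (see the linked Russinovich post)' }
    )
    foreach ($r in $rules) {
        $a = $Original.($r.Field); $b = $Clone.($r.Field)
        $shared = ($null -ne $a) -and ($a -eq $b)
        New-Object PSObject -Property @{
            Field  = $r.Field
            Shared = $shared
            Note   = $(if ($shared) { $r.IfShared } else { 'differs' })
        }
    }
}

# Usage: on each VM  ->  Get-CloneIdentity | Export-Clixml "C:\temp\$env:COMPUTERNAME.xml"
# then on either VM  ->  Compare-CloneIdentity (Import-Clixml .\gold.xml) (Import-Clixml .\clone.xml) |
#                        Format-Table Field, Shared, Note -AutoSize
```

An empty AccountSid on one side is itself informative: that machine can no longer resolve its own account through a DC, which is what the LDAP bind errors in the question look like from the client.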
Thanks for the info Andrew. I want to verify if these machines have the same domain SID.

I spoke too soon earlier, though. The original golden image is now in neither AD nor DNS, and running gpupdate /force gives the same errors as in my original question.

At this point I think I am going to start over by cloning and prepping the original then importing into the other site. I will then rename the original and snapshot it. If all of this works, this weekend I am going to commit all the snapshots, take a fresh one, then reconfigure and recompose the View pool using the new snapshot.

Anyway... thanks as usual.
If your computer is not in the Domain, it cannot update via Group Policy, which is a Domain Policy.

CLONE and then Sysprep.
Yeah, it was in the domain yesterday, and it still shows it is joined to the domain when going to properties on the computer itself. When I go to a DC, I only see the exported VM with the changed name but not the original. Really fouled this one up.

I just went through the cloning process by right-clicking the original golden image VM and choosing Clone. I then went through the clone wizard and chose to customize. I am now exporting that clone as an OVA and will import it to the other site, then test.

If this doesn't work as planned, I will clone then sysprep in separate steps as you stated.

Thanks for helping out even though this is a closed question.
FYI, and as you know, the clone wizard gives me the option to change the SID as well as rename and join the domain. I chose to do all of those. Further, if this works, I am going to snapshot the original golden image (the machine I cloned), then rename it to the original name and look for it in AD/DNS. When it shows up, assuming it will, I will then deal with snapshots (and committing them), then reconfiguring and recomposing the View pool to which it is attached.
So the cloned and customized new VM still has the same name as the original even though I clearly named it based on the second site's naming convention. Not sure what happened. I had to enter domain admin credentials after being prompted for an account that could be used to join the computer to the domain. Even at the end of the cloning wizard before clicking finish I verified the name was different and that it was indeed being customized.
So the cloned and customized new VM still has the same name as the original even though I clearly named it based on the second site's naming convention.

After CLONING, I would disconnect the CLONE from the network and change its name to something like TemplateMaster1, etc.

I had to enter domain admin credentials after being prompted for an account that could be used to join the computer to the domain.

That's normal to add to the domain; any account with domain privileges can add to the domain.
OK but I am just not getting it I guess. I thought cloning and customizing through vSphere client would give the clone a new name, new SID, and join it to the domain so when I see it has the same name as the original, I am confused.
Cloning is a copy... It doesn't mess with the domain SID... Sometimes people want a "backup" copy, and sometimes it is for other purposes... If I am making a server with a lot of customizations that I will want to use a lot, I just don't join it to the domain until after the cloning... I usually have to go into the machine anyway to set the IP address if it is for a different subnet...
OK but I am just not getting it I guess. I thought cloning and customizing through vSphere client would give the clone a new name, new SID, and join it to the domain so when I see it has the same name as the original, I am confused.

Now you have mentioned the context in which you are using the CLONE function in vCenter Server, what you have stated could be or is correct: if you use the OS Customization Specification, which is the end part of the CLONE function, it can change the name of the VM and also Sysprep it (only if you select the Generalize SID option! This does Sysprep).

BUT I've got some bad news for you.....

What is the OS ?
It is Windows 7 pro...
Okay, OS Customisation should work, but it's unreliable, and we complete it manually.

Your Golden Master should never be domain joined.
FYI I did choose to customize and ticked a check box to assign a new SID. Again, gave it a new name and entered credentials to join to the domain. This was all done after right-clicking a VM and choosing 'Clone' then going through the wizard.
Got it. I did not know the VMware View golden master should not be joined to the domain. I have always joined them to the domain, but again, I didn't know.
My golden master is configured with several group policies. If it isn't joined, then it wouldn't get those, and then the VMs deployed using it and its snapshot would not be joined to the domain either or have the required group policies, correct? Or is joining the deployed VMs based on the golden master to the domain done during the pool setup wizard? I am more confused now ;-)
Oh yeah, THANKS to both of you for still replying at this point.
Policies are applied to a computer when it starts up (in the domain).

You can of course test a computer gets the correct policy.

But technically, when it's sysprepped, it's dropped from the domain and then added back to the domain.

Your pool settings rename it, join it to the domain, and QuickPrep or Sysprep it!

The moment it joins the domain and starts, Machine Policies are applied; the user logs in and User Policies are applied.
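Added example, not code from the original thread, of the sequence this thread settles on for a cloned, already domain-joined golden image: isolate the clone (Andrew's "disconnect the CLONE from the network"), leave the domain, rejoin under the second site's name (the unjoin/rename/rejoin the asker ended up doing), verify, and, if the pool will Sysprep, generalize from the workgroup state before taking the snapshot. The computer name, domain and OU are placeholders. It needs Windows PowerShell 3.0 or later (WMF 3.0 on Windows 7) for Remove-Computer -WorkgroupName and Add-Computer -NewName.

```powershell
# Added example (not from the original thread). Save as e.g. Rejoin-Clone.ps1 and run one phase at a time.
#
# Two things to avoid while the clone still shares the original's computer account:
#  * Rename-Computer -DomainCredential renames the AD object itself, so the original loses its account.
#  * Remove-Computer -UnjoinDomainCredential disables that account in AD, with the same effect on the
#    original. Leaving without domain credentials touches only the local machine (assumption based on
#    how the unjoin API behaves with no account flag; test on a disposable clone first).

param([Parameter(Mandatory = $true)][ValidateSet('Leave', 'Join', 'Verify', 'Generalize')][string]$Phase)

$NewName = 'VDI-GOLD-S2'                 # placeholder: second-site naming convention
$Domain  = 'corp.example'                # placeholder
$OUPath  = 'OU=VDI,DC=corp,DC=example'   # placeholder: where the new computer object should land

switch ($Phase) {
    'Leave' {
        # Disconnect the vNIC in vSphere first, so the clone never answers to the old name on the wire.
        Remove-Computer -WorkgroupName 'WORKGROUP' -Force -Restart
    }
    'Join' {
        # Reconnect the vNIC, then rename and join in one step. -NewName makes AD create a fresh
        # computer object instead of reusing the original's.
        $cred = Get-Credential -Message "Account allowed to create computer objects in $OUPath"
        Add-Computer -DomainName $Domain -NewName $NewName -OUPath $OUPath -Credential $cred -Force -Restart
    }
    'Verify' {
        # All three should pass before touching snapshots or the View pool; any fresh 1006/1129/3210
        # after the gpupdate means the old name is still live somewhere.
        Test-ComputerSecureChannel -Verbose
        & "$env:SystemRoot\System32\nltest.exe" /sc_verify:$Domain
        & "$env:SystemRoot\System32\gpupdate.exe" /force
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1006, 1129, 3210; StartTime = (Get-Date).AddMinutes(-10) } -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Warning ('{0} {1}: {2}' -f $_.ProviderName, $_.Id, ($_.Message -split "`r?`n")[0]) }
    }
    'Generalize' {
        # Only for a master that will feed a Sysprep-based pool: run from the workgroup state (after
        # 'Leave') and snapshot after it shuts down. /generalize resets the machine SID and the WSUS
        # client ID; the pool settings then rename and domain-join each desktop at deployment.
        & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
    }
}
```

Run the phases in order, `-Phase Leave`, reboot, `-Phase Join`, reboot, `-Phase Verify`, with the vNIC disconnected until the join. For a master that stays domain-joined for testing (as in this thread), stop after Verify and let the pool's QuickPrep or Sysprep handle each deployed desktop.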
OK, got it. I am aware that policies will be applied as you mentioned but didn't think of it that way in a VDI environment (even though it's just like any other computer environment). I am going to mess around with it and then fully test/implement it this weekend.

Thanks again!