Imaged machines not sysprepped, Active Directory behaving sketchy


  • Imaged machines not sysprepped, Active Directory behaving sketchy

    Hello all!

    I know of a place that has a common store of images for the various hardware platforms that they use for client machines. There are dozens of different images that have been collected over the years. Frighteningly, sysprep was never used for any of these images. Think about that when you realize that those images have been deployed hundreds of times over the years. (Fortunately, I don't think servers are deployed via images but rather built from the ground up.) When I first started doing some work at this place (about 200 - 250 computers), I was surprised that Active Directory even worked. However, I didn't know much about AD then (in reality, I still don't know a whole lot... but at least it's more than what I used to know) and wasn't certain how problems caused by this would manifest themselves.

    Here's the problem: AD behaves a bit quirky at times, mostly in the area of applying GPOs. It seems that in many instances a policy will be set but it won't apply consistently. Some computers will have the policy applied but others will not. A few other quirks remain as well.

    Here's the question: What could be done to rectify a situation like this? What would the "battle plan" look like? I'm guessing that there would be a lot of work involved. Of course, creating all new images that have been properly sysprepped is a must. But then how would new GUIDs be created for the existing fleet of computers? I also fear that all computer objects in AD may have to be deleted and then re-created by rejoining the machines to the domain.

    Any advice in this matter will be appreciated.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

  • #2
    Re: Imaged machines not sysprepped, Active Directory behaving sketchy

    When you add a computer to a domain the SID is changed. So that's not your problem.

    If you want you can run Sysprep on a live machine. It will remove it from the domain and regenerate the SID, then just rejoin it to the domain (new SID again).


    • #3
      Re: Imaged machines not sysprepped, Active Directory behaving sketchy

      Originally posted by Meekrobe:
      When you add a computer to a domain the SID is changed. So that's not your problem.

      If you want you can run Sysprep on a live machine. It will remove it from the domain and regenerate the SID, then just rejoin it to the domain (new SID again).

      Hmmm... that rather casts a different light on my understanding of Active Directory. A Google search didn't bring up a lot of info about the creation of a SID upon joining a domain; some of what came back was corroborating. However, this little article mentioned that Windows 2K used local SIDs for a lot of security purposes in a domain environment and that problems could arise in a workgroup and a domain. Here's an official Microsoft guy saying "You are going to have problems with this" although he doesn't elaborate as to what and why. The most cogent of the articles that I found was this one on Experts-Exchange. It basically said that duplicate SIDs are only a problem for local file system security and removable media. That makes sense. It also seems that duplicate local SIDs can cause problems in an environment using WSUS.

      In a sense I was hoping that it was an issue with SIDs or GUIDs because at least I can fight that which I'm aware of. Now I'm fighting a battle against I know not what.
      Wesley David


      • #4
        Re: Imaged machines not sysprepped, Active Directory behaving sketchy

        Yea, details on this are very vague. It's a CYA by Microsoft; sysprep your machines or else we can't support any technical issues you may have. Yes, you should always sysprep, but if clients slipped through, is it worth the cost of fixing it when it has no effect on the domain? That's up to you.


        • #5
          Re: Imaged machines not sysprepped, Active Directory behaving sketchy

          I had this issue at one of my sites where a colleague had not sysprepped the image. Once it had been rolled out, I demoted them to a workgroup and then rejoined them to the domain. I am wondering as well whether the computer accounts could be reset in AD and then the computer demoted and rejoined to the domain. It may resolve your issue with Group Policy.


          • #6
            Re: Imaged machines not sysprepped, Active Directory behaving sketchy

            The only "real" problem with non-sysprepped machines that I've seen is with the GUID for the NIC. Other than that, the machines themselves have valid SIDs, otherwise they would not have computer accounts in the domain and would not be functioning. My guess is that whoever did this renamed the imaged machines as they were deployed as well as disjoining and rejoining the domain. Doing it this way creates a new SID and computer account. It's not best practice but it works. I would be suspicious of this as the cause of your GPO problem. If the problem really were with the SIDs and computer accounts I would think that GPO application would work all of the time or none of the time. Since your problem is intermittent I would suspect something else. I would look at gpresult, RSOP, and GPO logging to track down the problem.


            • #7
              Re: Imaged machines not sysprepped, Active Directory behaving sketchy

              Originally posted by joeqwerty:
              My guess is that whoever did this renamed the imaged machines as they were deployed as well as disjoining and rejoining the domain.

              That's exactly what goes on. The "whoever" that you mention includes me. This is what we do: If we get a new hardware platform (a recent example would be some new Lenovos) we'll install the OS, add some basic applications and do some other tweaking. We don't join it to the domain and we give it a name like "PleaseChangeThis". Then we image it with Acronis or Paragon. When another new computer comes in that needs that image we just slap it on, change the name and join it to the domain.

              Originally posted by joeqwerty:
              If the problem really were with the SIDs and computer accounts I would think that GPO application would work all of the time or none of the time.

              Yeah. I was surmising that maybe the computers which had problems with GPOs being applied consistently may have been the ones that had a duplicated GUID or SID which was throwing off Active Directory. I realize that my thought process was virtually devoid of the scientific method.


              Originally posted by joeqwerty:
              Since your problem is intermittent I would suspect something else. I would look at gpresult, RSOP, and GPO logging to track down the problem.

              Sounds good!

              However, we can all agree that not sysprepping a machine does introduce a security risk via local SIDs being duplicated, right?
              Wesley David


              • #8
                Re: Imaged machines not sysprepped, Active Directory behaving sketchy

                Personally I don't find anything wrong with your method. It's not the recommended way and the sysprep purists will complain but if it works for you then it works. The only concern I would have is with the GUID for the NIC, which will be the same for all the machines you image.

                After thinking about it more you might try uninstalling then reinstalling the NIC on one of the affected machines to see if it makes any difference.

                One of the things sysprep does on an imaged machine is to run mini-setup which will detect the specific hardware in the machine and install the appropriate drivers (assuming Windows has a driver for it).

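The two identifiers the thread keeps returning to are the local machine SID (#6) and the NIC GUID baked into the image (#8). As an added example, not code from any poster, the following PowerShell collects both from a client and, once the per-machine CSVs are gathered centrally, reports any value shared by more than one host. The function names and the share path are assumptions; it needs PowerShell 3 or later for Get-CimInstance and Get-NetAdapter.

```powershell
# Added example (not from the thread): inventory the machine SID and the physical
# NIC GUIDs so duplicates left behind by a non-sysprepped image can be found.
# Function names and the CSV share path are choices made for this example.

function Get-ImageIdentity {
    # Every local account SID is the machine SID plus a trailing RID, so
    # dropping the last "-<RID>" component yields the machine SID itself.
    $localSid = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = True" |
                Select-Object -First 1 -ExpandProperty SID
    $machineSid = $localSid -replace '-\d+$', ''

    # Physical adapters only: a cloned image carries the same InterfaceGuid
    # to every machine built from it, which is the concern raised in #8.
    $nicGuids = (Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty InterfaceGuid) -join ';'

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = $machineSid
        NicGuids     = $nicGuids
        Collected    = (Get-Date).ToString('s')
    }
}

function Find-DuplicateIdentities {
    # Takes the objects gathered from many machines and reports any machine
    # SID or NIC GUID that appears on more than one host.
    param([Parameter(Mandatory)][object[]]$Inventory)

    $Inventory | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Kind = 'MachineSid'; Value = $_.Name; Hosts = ($_.Group.ComputerName -join ',') }
    }

    # Flatten the ';'-joined GUID list back to one row per (GUID, host) pair.
    $Inventory | ForEach-Object {
        $cn = $_.ComputerName
        $_.NicGuids -split ';' | Where-Object { $_ } |
            ForEach-Object { [pscustomobject]@{ Guid = $_; Computer = $cn } }
    } | Group-Object Guid | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Kind = 'NicGuid'; Value = $_.Name; Hosts = ($_.Group.Computer -join ',') }
    }
}

# Usage: run the first line on each client (e.g. via a startup script), then
# merge and compare on an admin workstation. Share path is a placeholder.
# Get-ImageIdentity | Export-Csv "\\server\share\ids\$env:COMPUTERNAME.csv" -NoTypeInformation
# Find-DuplicateIdentities (Get-ChildItem '\\server\share\ids\*.csv' | Import-Csv)
```

An empty report backs joeqwerty's point that the intermittent GPO behaviour is unlikely to be a SID problem; a non-empty NicGuid group tells you which machines to try the NIC reinstall on first.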


                • #9
                  Re: Imaged machines not sysprepped, Active Directory behaving sketchy

                  I guess this was your WSUS article?
                  http://www.pcreview.co.uk/forums/thread-2140239.php

                  Have you played with frsdiag and the gpotools (plus gpo best practices analyser?) to check your Group policy stuff? (LINK)
                  cheers
                  Andy

                  Quis custodiet ipsos custodes?


                  • #10
                    Re: Imaged machines not sysprepped, Active Directory behaving sketchy

                    Originally posted by AndyJG247:
                    I guess this was your WSUS article?
                    http://www.pcreview.co.uk/forums/thread-2140239.php

                    Have you played with frsdiag and the gpotools (plus gpo best practices analyser?) to check your Group policy stuff? (LINK)

                    That wasn't the exact WSUS article, no, but it probably talks about the same thing. As to frsdiag, gpotools, and the rest... we'll get on it.

                    Thanks to all!
                    Wesley David
