Pre staging computer accounts

    Hi,

    We have built a new single domain, which spans 50 odd sites. All the computers that we are adding all exist on workgroups at the mo with static IPs, but I've written a script that adds a DNS server, does a reverse DNS lookup, and renames the computer name according to the IP address listed in the rDNS zone (and reboots). It then joins the domain using that new name using netdom.

    The problem we have is that as it's a largeish network we need to pre-stage the computer accounts, as there's a ton of GPOs that need to be applied, according to what type of computer it is (workstation/till etc).

    What is really bizarre is that we have done exactly that (using dsadd computer), and they are all in the correct OUs, but when the computer gets added to the domain, it creates an identically named computer account in the default Computers OU in AD. Not even an error saying there's a duplicate etc. It's the 3rd site it's happened at.

    AD replication is consistent across all DCs (one DC/GC in each site).

    We then have to delete the prestaged computer account, and move the newly created ones to the correct OU.

    If it was permissions on the prestaged computer account, surely it would still prevent a duplicate from appearing?

    Any ideas?

  • #2
    Re: Pre staging computer accounts

    Sounds like something went wrong when creating the computer accounts.
    Have you tried to manually create a computer account and then trying to join the system to the domain either by netdom or the GUI method?
    Might be interesting, just for testing purposes...
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Pre staging computer accounts

      I think when you pre-stage a computer account you have to specify the GUID \ MAC Address of the computer the account will belong to. I also think you need to use WDS for it to work.

      Could you elaborate on why the accounts need to be pre-staged? You can specify which OU an account will add using netdom.

      • #4
        Re: Pre staging computer accounts

        Originally posted by ScottMcD:
        I think when you pre-stage a computer account you have to specify the GUID \ MAC Address of the computer the account will belong to. I also think you need to use WDS for it to work.
        Not necessarily. Pre-staging is basically the process of creating a computer account in AD and possibly placing them into different OUs.
        The whole idea is so when the computer is joined to the domain it picks up the policies linked to that OU rather than the default location of the Computers container.

        You can use pre-staged computers in conjunction with WDS by configuring it to only answer those accounts, therefore adding another layer of security.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        • #5
          Re: Pre staging computer accounts

          Thanks for your replies.

          Yeah the reason really is as it's a large rollout, we have a single script that runs across the estate. It sets the DNS server of the client to the DNS server in the same subnet using a VB Script, renames the workstation then adds the computer to the domain. It reboots about 3 or 4 times, and after the last reboot it should be ready to use.

          If the policies haven't been applied then there's a lot of stuff that won't work (as printers, mapped drives, registry keys, odbc connectors need to be applied), so they need to be in the correct OU.

          It seems to be the same case with manually creating the computer accounts.

          For now we are customising each script to put them in the OU with NETDOM which works, but I'm still concerned that pre staging computer accounts doesn't work...I don't know if there's an underlying problem. Also going forward it would be nice not to have to have a separate script for each site.

          Cheers!

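The workflow described in #4 (create the account in the OU that carries the role GPOs so the join reuses it) and the rollout script described in #5 (rename from rDNS, join with netdom, fall back to /OU), as an added PowerShell example that is not code from any poster in this thread. It assumes the ActiveDirectory module, a placeholder domain contoso.com, placeholder OU and join-account names, and constructed computer names; the fourth function is the audit check a domain admin would run to catch accounts that landed in the default Computers container instead of the staged OU.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module,
# a placeholder domain contoso.com, and placeholder OU / account names.
Import-Module ActiveDirectory

$Domain    = 'contoso.com'                                  # placeholder
$RoleOU    = 'OU=Tills,OU=Workstations,DC=contoso,DC=com'   # placeholder: OU carrying the role GPOs
$DefaultCN = 'CN=Computers,DC=contoso,DC=com'               # placeholder: default container

# Step 1 (management host): pre-stage the account in the role OU.
function New-StagedComputer {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$OU)
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "$Name already exists at $($existing.DistinguishedName); not recreating."
        return $existing
    }
    # The join binds to an existing object by sAMAccountName (NetBIOS name + '$'),
    # so the staged name must be exactly the name the client carries at join time.
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $OU -Enabled $true -PassThru
}

# Step 2 (client, after the rDNS-based rename and reboot): confirm the local name
# and the staged account agree before calling netdom. If they differ, the join
# does not find the staged object and creates a new one in the default container.
function Test-StagedNameMatch {
    param([Parameter(Mandatory)][string]$StagedName)
    $local = $env:COMPUTERNAME.ToUpper()
    if ($local -ne $StagedName.ToUpper()) {
        Write-Warning "Local name '$local' differs from staged account '$StagedName'; join would create a new object."
        return $false
    }
    return $true
}

# Step 3 (client): the join itself. /OU is only used when no matching account exists,
# which is why #5's per-site /OU workaround masks a name mismatch rather than fixing it.
function Join-WithNetdom {
    param([string]$JoinAccount = 'CONTOSO\joinacct')   # placeholder account with join rights
    & netdom join $env:COMPUTERNAME /domain:$Domain /OU:$RoleOU /userD:$JoinAccount /passwordD:* /reboot
}

# Step 4 (management host, audit): list computer objects created recently directly
# under the default container, the symptom from the first post, so it shows up in a
# daily report instead of as missing printers, mapped drives and ODBC entries.
function Find-UnstagedComputers {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADComputer -SearchBase $DefaultCN -SearchScope OneLevel `
        -Filter { whenCreated -ge $since } -Properties whenCreated |
        Select-Object Name, whenCreated, DistinguishedName
}

# Example usage (management host), with a constructed computer name:
#   New-StagedComputer -Name 'SITE01-TILL03' -OU $RoleOU
#   Find-UnstagedComputers -Days 1
# Example usage (client, inside the rollout script, after the rename/reboot step):
#   if (Test-StagedNameMatch -StagedName 'SITE01-TILL03') { Join-WithNetdom }
```

Running Find-UnstagedComputers after each site's rollout turns the "duplicate in the Computers container" surprise into a check with a concrete list to act on, and comparing those names against what the rDNS zone hands out at each site is the first place to look when the staged object and the joined object do not line up.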