Computer Accounts no longer working

Guest

Hi,

I have a problem with computer accounts in the domain deciding not to work
shortly after being created.

Background:
Windows 2000 native domains - 3 sub domains under forest root.
No computers other than 2 DC's and a member server in forest root, so no
problems seen there.
In each sub domain the problem appears. One has 7 DCs, and the others each
have 2 DC's.
Workstation computer accounts could be under the default "Computers", or
under a separate OU tree, as in "Computer Accounts/thirdfloor/room1".
We are using AD DNS for all our host name resolution, and there doesn't
seem to be a problem there.

Scenario:
We have many computer labs where 25 to 30 computers in the lab are re-imaged
on a weekly or monthly basis. In this process, the computer account names are
removed from the domain first. The lab is then reimaged, which includes
Sysprep, etc., to change SIDs, and names added to the correct domain with the
same computer name as before. Everything seems to occur as expected, with
domain users able to log in right away. The problem comes after leaving the
computer alone for a while - this may be overnight or even an hour later.
Domain users can no longer log in to the computer. In some cases the computer
account is still in the domain, but in others it isn't.
Following the manual process of:
- remove computer account from domain
- change computer to a Workgroup member
- reboot
- change computer to Domain member
- reboot
.... works successfully for the long term, but has to be done on every
computer in the lab.

BTW, dcdiag and netdiag run fine on all DC's.

Does anyone know what may be happening, and how to fix it?

Tony
 
Guest

Just a thought. Can you try this? Before you reimage a PC, do not remove the
computer account from the domain.

BR,
Denis
 
Glenn L

I think I know what is going on.
You can easily prove this by reviewing the netsetup.log file after joining
the sysprepped box.
I suspect there is replication latency when you delete the computer account
from the domain.
When you sysprep and join the workstation back to the domain, it finds a
'remaining' DC that has not gotten the deletion replication event yet.
It then reassociates itself with that object.
Of course the deletion replication event comes plowing through eventually
and deletes the computer object.

In the netsetup.log file, during the join operation, it will tell you if it
found the computer object in AD (it will tell you what DC it found it on) or
not.

If this is what is happening, you will need to alter your process.
You can wait until replication completes.
You can help replication along with replmon.
You can simply reset the computer account rather than delete it.
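
One way to apply the "wait until replication completes" advice from the reply above, as an added example that is not part of the thread: query every DC in the domain directly and only rejoin once they all give the same answer for the computer object. It assumes the ActiveDirectory PowerShell module (which needs Active Directory Web Services on the DCs, so newer than the Windows 2000 domain in the question); `LAB3-PC01` and `sub1.example.edu` are placeholder names.

```powershell
# Added example: per-DC view of one computer object before a rejoin.
# Assumptions: ActiveDirectory module available; names below are placeholders.
Import-Module ActiveDirectory

function Get-ComputerObjectState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Domain
    )
    # Ask each DC by name so the answer reflects that DC's own replica.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $state = 'Unreachable'; $created = $null
        try {
            $obj = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                       -Properties whenCreated -ErrorAction Stop
            $state = 'Present'; $created = $obj.whenCreated
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $state = 'Absent'      # this DC has already processed the deletion
        }
        catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        [pscustomobject]@{ DC = $dc.HostName; State = $state; WhenCreated = $created }
    }
}

function Test-ReplicaAgreement {
    param([Parameter(Mandatory)] [object[]] $States)
    # Converged only if every DC answered and all gave the same answer.
    $distinct = @($States.State | Sort-Object -Unique)
    return ($distinct.Count -eq 1 -and $distinct[0] -ne 'Unreachable')
}

$states = Get-ComputerObjectState -ComputerName 'LAB3-PC01' -Domain 'sub1.example.edu'
$states | Format-Table -AutoSize
if (Test-ReplicaAgreement -States $states) {
    'All DCs agree on the object state.'
} else {
    'DCs disagree or one is unreachable: wait for replication before joining.'
}
```

A mix of `Present` and `Absent` rows is the situation described above: a join that lands on a `Present` DC attaches to an object whose deletion is still replicating.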
 
Guest

Thanks!
I suspected replication as well. I'll get one of my techs to repeat a
reimage and then find a copy of the file. I'll let the thread know what
happens.
About performing a reset on the computer account instead of
deleting/readding it - I've tried this, but a tech gets errors when
attempting to rejoin the domain from the pc. The join fails, so we have to
then do the delete/readd. Possibly this is a replication issue as well. I'll
attempt this again today with a longer wait between the time I reset the
computer account and the time I attempt to rejoin the domain.

Tony
 
