Wrong computer-SID for A-record in DNS

Marcus Torstensson

Hi!

We have recently discovered the cause for our clients (Win XP) not being
able to update their own A records in DNS (Win2K AD integrated).
Many of the client A records have the wrong SID identifier for their own
A-record. Probably because of the way we deploy clients (ghost images).

Does anyone know a way to loop through these records to make sure all
A-records have the corresponding computer account proper security
permissions?
If not, is there a way to delete a scope of records in the DNS to let them
register again?

Regards
Marcus Torstensson
 
Herb Martin

Marcus Torstensson said:
> We have recently discovered the cause for our clients (Win XP) not being
> able to update their own A records in DNS (Win2K AD integrated).
> Many of the client A records have the wrong SID identifier for their own
> A-record. Probably because of the way we deploy clients (ghost images).

Client SIDs (in general) don't show up in DNS. Only the DCs register such
records.

This makes little sense, even for DCs as they each register their own
record.

> Does anyone know a way to loop through these records to make sure all
> A-records have the corresponding computer account proper security
> permissions?

First thing to try (for DCs) is to (straighten out DNS settings and)
restart the NetLogon service on every DC.

Straighten out:
Dynamic DNS
ALL clients AND servers use the Dynamic DNS server (set) ONLY as their
DNS in client NIC properties

You might consider making the DNS non dynamic for a minute and DELETING
all of these records, replicating, then dynamic again before cycling
NetLogon
 
Ace Fekay [MVP]

In addition, the use of Sysprep before ghosting will solve the unique SID
issue. This tool strips the computer name and the SID number. Upon booting
up after ghosting back to a machine, it will ask you for a new name and will
generate a new SID for it.

How to use Sysprep:
http://www.microsoft.com/windowsxp/pro/using/itpro/deploying/introduction.asp

But agree, not sure what is meant by SIDs in DNS.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Steven Liu

Hi Marcus,

Since you use the GHOST to deploy the clients, all the clients should have
the same computer SID. This is the culprit which caused the problem.

MVP Ace Fekay's suggestion is right. You should use the Sysprep to remove
the computer SID first. Then, GHOST the image. Then, deploy the clients
with the image. Then, each client will generate a new computer SID. You
will not get the problem.

For now, you need to run Sysprep on each client to remove the computer
SID. Then, log on to the computer with the related user again. This will
generate a new computer SID. The problem should be solved.

You also can change the image of GHOST and re-deploy all clients again.

How to use Sysprep:
http://www.microsoft.com/windowsxp/pro/using/itpro/deploying/introduction.asp

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 
