Workstations falling off the domain

hurricane1091 Member Posts: 919
Can someone assist with this? Seems like once a week someone is getting the "The security database on the server does not have a computer account for this workstation trust relationship" error. The fix is simple. The underlying cause is not. Has anyone encountered a frequent problem like this? This issue happens everywhere on occasion, but for it to be happening this frequently is concerning to me. Thanks bunches.

Comments

  • iBrokeIT Member Posts: 1,318
    Are you able to find the computer object in Active Directory for the workstation that is having that issue?

    I would check the health of all your Domain Controllers...
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • no!all! Member Posts: 245
    I see this every once in a while; it normally happens to our guest PCs that no one logs onto for months on end though. Rejoining the domain or resetting the computer in AD normally works though.
    A+, N+, S+, CCNA:RS, CCNA:Sec

    "In high society TCP is more welcome than UDP. At least it knows a proper handshake" - Ben Franklin

    2019 Goals: CCNP:RS & relocate to St. Pete, FL!
  • hurricane1091 Member Posts: 919
    Looking through the logs on one of our DCs I can see that this user's workstation has been reporting the issue for quite some time. Over a month at least. Problem is this is a person who logs on every day. Rejoining the domain works every time. The thing is that I feel like we should not be seeing this happen as frequently as we have been!
  • GreaterNinja Member Posts: 271
    Is this person's computer a laptop on wifi or field office computer? That may be the issue if so.
  • xnx Member Posts: 464
    Computer accounts can become out of sync if not used for 30 days.

    Typical Symptoms when secure channel is broken - Microsoft Reduce Customer Effort Center - Site Home - TechNet Blogs

    I had the same issue today with one machine.
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • hurricane1091 Member Posts: 919
    Thanks for the replies so far. User logs on every day. He has a laptop that is docked here but takes it home with him (this is the same for all users here) and he may or may not use it at home.

    Looking at the logs, this has been showing up for a month for him:

    The session setup from computer 'PCNAMELEFTOUT' failed because the security database does not contain a trust account 'PCNAMELEFTOUT' referenced by the specified computer.

    Followed by the error:

    The session setup from the computer PCNAMELEFTOUT failed to authenticate. The following error occurred:
    Access is denied.
  • PJ_Sneakers Member Posts: 884
    Is the laptop's clock synchronized within 5 minutes of your PDC's clock?
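An added example, not from any poster in this thread: a client-side check script for a workstation showing the events quoted above. It tests the secure channel, asks Netlogon which DC the machine is bound to, measures clock skew against the PDC emulator (the 5-minute figure PJ_Sneakers mentions is the default Kerberos tolerance), and, only if the channel is broken, resets the machine account password in place rather than doing the workgroup/rejoin dance. It uses only built-in cmdlets plus w32tm and nltest; the stripchart output format it parses is an assumption, so the parse is guarded.

```powershell
# Added example: run in an elevated PowerShell session ON the affected workstation.
# Not code from the thread; assumes a domain-joined Windows 7+ client.

# 1. Is the secure channel to a DC intact? (True/False)
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $channelOk"

# 2. Which DC is Netlogon bound to, and does the channel verify from its side?
nltest "/sc_query:$env:USERDNSDOMAIN"
nltest "/sc_verify:$env:USERDNSDOMAIN"

# 3. Clock skew against the PDC emulator. Locating the PDC needs a working
#    domain lookup; fall back to the logon server if that fails.
try {
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
} catch {
    $pdc = $env:LOGONSERVER.TrimStart('\')
}
$sample = w32tm /stripchart "/computer:$pdc" /samples:3 /dataonly
$last = $sample | Select-Object -Last 1
# Assumed sample line shape: "12:00:03, +00.0123456s"; an error line does not match.
if ($last -match ',\s*([+-][\d.]+)s$') {
    $offset = [double]$matches[1]
    if ([math]::Abs($offset) -gt 300) {
        Write-Warning "Clock skew of $offset s exceeds the 5-minute Kerberos default tolerance"
    } else {
        "Clock offset vs $pdc is $offset s"
    }
} else {
    Write-Warning "Could not sample time from $pdc : $last"
}

# 4. Repair in place: resets the computer account password on the client and in AD.
#    The credential must be allowed to reset the password on the computer object.
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Account allowed to reset this computer object'
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

If step 4 succeeds, the machine keeps its existing AD object, group memberships and SID, which is the advantage over deleting the account and rejoining; if it fails with "access denied" the object is likely gone or has been taken over by another machine of the same name, and the AD-side check is the next step.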
  • GreaterNinja Member Posts: 271
    I would delete the computer's AD account with an AD tool. Then rejoin the computer to the domain.
    We had a lawyer here at work that would fall off the domain after about a month. Turned out he never had a network cable connected to his dock after the move and he was authenticating with wifi / AD. Your case can certainly be something entirely different. Sounds like an Auth issue. Maybe cached credentials, etc.
  • sthomas Member Posts: 1,240
    I have had similar issues before. What I would do is delete the computer account out of AD and then rename the computer something different.
    Working on: MCSA 2012 R2
  • hurricane1091 Member Posts: 919
    I checked both DCs clocks earlier to make sure they were synchronized. I had not checked earlier (did not handle this case) so I can't confirm the time was off, but it's not off now (and he has a desktop as well next to him and I can confirm they are on the same time).


    The only thing I can think of is the SID. We previously were not sysprepping machines. I've begun to change that practice. There's a lot of opinions out there about whether or not that matters, and it's actually possible that his laptop has the sysprepped image. I kind of think this has happened to non-imaged machines here too. It's hard to say what's occurred in the past, I can only look out for the future. Also, please don't ignore this part because I'm curious. I'm not really sure how the SID works. If I imaged a PC with a non-sysprepped image to Windows 7 Enterprise, but then did an upgrade to Ultimate, would the SID still be the same?


    Also, I was leaning towards cached credentials allowing him in. It gets a little confusing there, but he had changed his password on his desktop (today maybe?) and then was no longer allowed in, which might make some sense because the logs go back a month to where this problem occurred, and he has not had to change his password again.

    I've never seen the problem occur again on the same computer after re-joining the domain, but I was just looking for a reason behind it so we can prevent it from happening. This is typical Microsoft right here. I figured everyone here has seen it happen at least.
  • PJ_Sneakers Member Posts: 884
    Join the workstation to a workgroup. Delete the workstation's computer account. Then join the domain again (or create a new computer account in AD and prestage it). It will assign the laptop a new SID. If the computer account is part of any groups, etc., you will have to re-add it.
  • PJ_Sneakers Member Posts: 884
    You might also want to check to see if another computer was joined to the domain with an identical computer name.
  • hurricane1091 Member Posts: 919
    PJ_Sneakers wrote: »
    You might also want to check to see if another computer was joined to the domain with an identical computer name.


    Based on the naming convention here that shouldn't be the case. I'll keep an eye on it still.
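An added example, not written by anyone in this thread: the DC-side counterpart to the checks above. It pulls the Netlogon events behind the two messages hurricane1091 quoted, tallies them per workstation name, and cross-checks each name against its AD computer object so that the three explanations raised so far (object missing, machine password never rotated in 30+ days, account recreated under the same name by another machine) can be told apart from one table. It assumes the RSAT ActiveDirectory module and that the quoted messages are Netlogon event IDs 5723 (no trust account) and 5722 (failed to authenticate / access denied).

```powershell
# Added example: run on a domain controller (or against one with -ComputerName on
# Get-WinEvent). Not code from the thread.
Import-Module ActiveDirectory

# Netlogon events of the last 30 days: 5723 = no trust account, 5722 = auth failed.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5722, 5723
    StartTime    = (Get-Date).AddDays(-30)
}

# Both message texts name the client as "from computer 'NAME'" or "from the computer NAME".
$byHost = $events | ForEach-Object {
    if ($_.Message -match "from (?:the )?computer '?([^'\s]+)'?") {
        [pscustomobject]@{ Host = $matches[1]; Id = $_.Id; Time = $_.TimeCreated }
    }
} | Group-Object Host

foreach ($g in $byHost) {
    $name = $g.Name
    $acct = Get-ADComputer -Filter "Name -eq '$name'" `
        -Properties pwdLastSet, LastLogonDate, Enabled, whenCreated -ErrorAction SilentlyContinue
    $pwdAgeDays = $null
    if ($acct -and $acct.pwdLastSet) {
        $pwdAgeDays = (New-TimeSpan -Start ([datetime]::FromFileTime($acct.pwdLastSet)) -End (Get-Date)).Days
    }
    [pscustomobject]@{
        Host          = $name
        Failures      = $g.Count
        LastFailure   = ($g.Group | Sort-Object Time | Select-Object -Last 1).Time
        ObjectExists  = [bool]$acct          # False => the 5723 case: nothing to trust against
        Enabled       = $acct.Enabled
        PwdAgeDays    = $pwdAgeDays          # client rotates every 30 days by default; much older => never talked to a DC
        LastLogonDate = $acct.LastLogonDate
        Created       = $acct.whenCreated    # recent on a long-used name => account was deleted and re-created / re-joined
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A name that keeps failing while its object shows a recent `Created` date and a fresh `PwdAgeDays` is the duplicate-name situation PJ_Sneakers describes: another machine joined under that name and now owns the password, so the original client's stored secret no longer matches.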
  • Hondabuff Member Posts: 667
    It's your SID on the machines being duplicated because you are not sysprepping the machines. Machines that fall off the domain are the fallout that you will get. I was the desktop guy at my company that was in charge of doing the imaging. Took some time and a few calls to our Microsoft Engineer to figure the same problem out. We first discovered that our new Panasonic Toughbooks were falling off the domain and we were using Symantec Ghost and our contractors were skipping the Ghost Walk to change the SID because it took them too long. Out of the first batch of 200 Toughbooks, we had about 30 fall off the domain. Once we started getting them back and I could verify the process they were doing we found the problem. There is a local SID and a Domain SID. But if the local SIDs are all the same, AD will freak out and kick the old SID off the domain. No set time limit but was always before 90 days. My boss gave me the green light to roll out our new WDS servers and go production with it. We imaged 5000 machines the first year and not one has fallen off the domain since. Hope this helps.

    Follow these steps and you can get around the "can't Sysprep more than 3 times" myth.

    Sysprep Reactivation Process
    1. Run notepad as administrator and paste the code below:
    Code:
    REM %~dp0 is the drive and folder this batch file lives in (C:\ when saved at the root as instructed)
    REM Mount that drive's SYSTEM hive under a temporary key name
    reg load HKLM\MY_SYSTEM "%~dp0Windows\System32\config\system"
    REM Remove the WPA (Windows Product Activation state) key from the mounted hive
    reg delete HKLM\MY_SYSTEM\WPA /f
    REM Unmount the hive so the change is written back to disk
    reg unload HKLM\MY_SYSTEM
    Then save it with name delwpa.bat as type "all files" on drive C:\ at the root level (directly under C). Then run the batch file.
    2) Under HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\, set GeneralizationState to 7

    3) From an administrative command prompt, type the following
    msdtc -uninstall
    msdtc -install

    4) Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\, change SkipRearm to 1
    5) Run Sysprep OOBE / Shutdown
    6) Capture image with WDS or MDT
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
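An added example, not part of Hondabuff's post: a fleet check for the condition he describes, i.e. clones that share a local machine SID because they were never generalized. The machine SID is the prefix common to every local account's SID, so it is read off the built-in Administrator account (RID 500) on each host over WinRM; the script also reads the `GeneralizationState` value the rearm steps above set by hand, purely so it can be compared across hosts. The host names are constructed and WinRM access to each host is assumed.

```powershell
# Added example: run from an admin workstation with WinRM access to the targets.
# Not code from the thread. Replace the constructed names with Get-ADComputer output.
$hosts = 'WS-01', 'WS-02', 'WS-03'   # constructed sample host names

$results = Invoke-Command -ComputerName $hosts -ErrorAction Continue -ScriptBlock {
    # Built-in Administrator always has RID 500; strip it to get the machine SID.
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    $machineSid = $admin.SID -replace '-500$', ''
    # Sysprep status value referenced in the rearm steps above; recorded as-is for comparison.
    $genState = (Get-ItemProperty 'HKLM:\SYSTEM\Setup\Status\SysprepStatus' -ErrorAction SilentlyContinue).GeneralizationState
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        MachineSid          = $machineSid
        GeneralizationState = $genState
    }
}

# Any machine SID that appears on more than one host marks a clone family.
$results | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate machine SID {0} on: {1}" -f $_.Name, ($_.Group.Host -join ', '))
}
$results | Format-Table Host, MachineSid, GeneralizationState -AutoSize
```

Run it before and after changing the imaging process: a batch deployed from a sysprepped image should show a distinct `MachineSid` per host, which settles the "does it matter here" question with data from your own fleet rather than with opinions.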
  • hurricane1091 Member Posts: 919
    Hondabuff wrote: »
    It's your SID on the machines being duplicated because you are not sysprepping the machines. Machines that fall off the domain are the fallout that you will get. I was the desktop guy at my company that was in charge of doing the imaging. Took some time and a few calls to our Microsoft Engineer to figure the same problem out. We first discovered that our new Panasonic Toughbooks were falling off the domain and we were using Symantec Ghost and our contractors were skipping the Ghost Walk to change the SID because it took them too long. Out of the first batch of 200 Toughbooks, we had about 30 fall off the domain. Once we started getting them back and I could verify the process they were doing we found the problem. There is a local SID and a Domain SID. But if the local SIDs are all the same, AD will freak out and kick the old SID off the domain. No set time limit but was always before 90 days. My boss gave me the green light to roll out our new WDS servers and go production with it. We imaged 5000 machines the first year and not one has fallen off the domain since. Hope this helps.

    Follow these steps and you can get around the "can't Sysprep more than 3 times" myth.

    Sysprep Reactivation Process
    1. Run notepad as administrator and paste the code below:
    Code:
    REM %~dp0 is the drive and folder this batch file lives in (C:\ when saved at the root as instructed)
    REM Mount that drive's SYSTEM hive under a temporary key name
    reg load HKLM\MY_SYSTEM "%~dp0Windows\System32\config\system"
    REM Remove the WPA (Windows Product Activation state) key from the mounted hive
    reg delete HKLM\MY_SYSTEM\WPA /f
    REM Unmount the hive so the change is written back to disk
    reg unload HKLM\MY_SYSTEM
    Then save it with name delwpa.bat as type "all files" on drive C:\ at the root level (directly under C). Then run the batch file.
    2) Under HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\, set GeneralizationState to 7

    3) From an administrative command prompt, type the following
    msdtc -uninstall
    msdtc -install

    4) Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\, change SkipRearm to 1
    5) Run Sysprep OOBE / Shutdown
    6) Capture image with WDS or MDT

    I had a feeling it could be something along those lines. Other guy I work with does not buy into it though. All I can do is look toward the future and machines that have been imaged with a sysprepped image, and see what happens with those and report back!
  • Hondabuff Member Posts: 667
    How are you currently building images if you are not doing sysprep? There is a ton of documentation from Microsoft on why machines have to be sysprepped for a reason. If you have a WSUS server it's going to blow up and melt your company. Not really, but once all your machines stop getting updates it's going to be bad news for your Desktop team. WSUS uses the SID, and if you have 2000 computers that were cloned with one image that wasn't sysprepped, only one PC will get its update and the rest will be in limbo. Been there and done that.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • iBrokeIT Member Posts: 1,318
    Do you have DNS scavenging enabled? Is his computer object getting updated in DNS when he logs in?
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • hurricane1091 Member Posts: 919
    Hondabuff wrote: »
    How are you currently building images if you are not doing sysprep? There is a ton of documentation from Microsoft on why machines have to be sysprepped for a reason. If you have a WSUS server it's going to blow up and melt your company. Not really, but once all your machines stop getting updates it's going to be bad news for your Desktop team. WSUS uses the SID, and if you have 2000 computers that were cloned with one image that wasn't sysprepped, only one PC will get its update and the rest will be in limbo. Been there and done that.


    I use some imaging software and store them to an external HDD, then deploy the same way. Small company. Not using WSUS for updates, using a different solution.

    I'm not an MCSE guy so I do not know enough in regards to the SID. All I know is that I mentioned it and the guy above me assured that in this day and age it does not matter. I'm really young and new here and I don't feel comfortable going against him on this since I do not know enough. I'd love if someone elaborated further though here.
  • Hondabuff Member Posts: 667
    KMS/WSUS are the 2 biggest reasons you need a different SID on each machine. The #1 reason is Microsoft doesn't support a case of helping you with a Windows issue if the image is not sysprepped. I'm guessing the reason that he doesn't sysprep your image is because he doesn't understand it for one, and why you have to do it. With tools like WAIK/WDS/MDT, building a master gold image and deploying it via the network with PXE booting is a breeze. Storing it on an external HDD and walking around to each computer is absurd. At least watch some videos and arm yourself with some knowledge. Section 2 of this video is pretty good. Professor Messer's Free Microsoft 70-680 Certification Training | Professor Messer - CompTIA A+, Network+, Security+, Linux, Microsoft Technology Training
    Deploy Windows 7 The Easy Way: Using WDS, MDT and AIK - Step-By-Step Video - ITProGuru Blog by Systems Management Expert Dan Stolts - Site Home - TechNet Blogs
    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL313

    When I first got to the current company that I'm in, I started on the Desktop team and was fortunate enough to be best friends with the Sr Windows Architect at CMU. He pointed me in the direction of setting up WDS on VirtualBox with Server 2008 R2 on a 100GB VDI on my laptop. My company was using ImageX with portable hard drives and was doing 4-5 machines a day between 4 Desktop guys. I was using Symantec Ghost at my job before but my boss didn't want me to use it since we did not have a license. I spent a week working with my buddy getting WDS up and running and built my first couple of images on my home lab. It was a lot like Ghost, just easier to do. I was already sysprepping images with Ghost and using Ghost Walk on non-sysprepped images. I asked my boss to give me a week to set it up and build an image and it would change the way we image. 2 of the guys who were here for over 10 years gave me all kinds of crap and really didn't buy into it. I took all the driver stores from C:\Windows\System32 and imported them from our 5 different PC models into WDS. The first test run I imaged 12 computers in 30 minutes and had them all up and running on the domain in 1hr. Needless to say it caught the attention of my boss and Director. The first full production run we fully built 50 computers and they were fully functional the first day. The record before was 8. The company stopped using ImageX cold turkey and now we have 4 WDS servers and MDT fully running for 40 offices and have imaged over 5000 computers in less than 2 years. I would poke around the TechEd blogs for more info if you are interested. I have moved on from Desktop and got promoted to our new Network division and still consult with our Desktop team on imaging. I was lucky enough to attend some TechEd classes and have a good friend who was a great mentor. My old boss even had 2 Microsoft Engineers come in to train our Desktop team.
    You are going to battle some of the old guard people but you can teach old dogs new tricks. Just have to get your information lined up and presented in a way that shows value to your company.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • SaSkiller Member Posts: 337
    Supposedly not using SYSPREP causes this issue with the SID. I've never had it in significant amounts to say that this was the cause in the environment I was involved with, but it was supposedly the issue.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • hurricane1091 Member Posts: 919
    Hondabuff wrote: »
    KMS/WSUS are the 2 biggest reasons you need a different SID on each machine. The #1 reason is Microsoft doesn't support a case of helping you with a Windows issue if the image is not sysprepped. I'm guessing the reason that he doesn't sysprep your image is because he doesn't understand it for one, and why you have to do it. With tools like WAIK/WDS/MDT, building a master gold image and deploying it via the network with PXE booting is a breeze. Storing it on an external HDD and walking around to each computer is absurd. At least watch some videos and arm yourself with some knowledge. Section 2 of this video is pretty good. Professor Messer's Free Microsoft 70-680 Certification Training | Professor Messer - CompTIA A+, Network+, Security+, Linux, Microsoft Technology Training
    Deploy Windows 7 The Easy Way: Using WDS, MDT and AIK - Step-By-Step Video - ITProGuru Blog by Systems Management Expert Dan Stolts - Site Home - TechNet Blogs
    Top 10 Windows Deployment Service (WDS) Common Issues and How to Resolve Them | Tech·Ed North America 2011 | Channel 9

    When I first got to the current company that I'm in, I started on the Desktop team and was fortunate enough to be best friends with the Sr Windows Architect at CMU. He pointed me in the direction of setting up WDS on VirtualBox with Server 2008 R2 on a 100GB VDI on my laptop. My company was using ImageX with portable hard drives and was doing 4-5 machines a day between 4 Desktop guys. I was using Symantec Ghost at my job before but my boss didn't want me to use it since we did not have a license. I spent a week working with my buddy getting WDS up and running and built my first couple of images on my home lab. It was a lot like Ghost, just easier to do. I was already sysprepping images with Ghost and using Ghost Walk on non-sysprepped images. I asked my boss to give me a week to set it up and build an image and it would change the way we image. 2 of the guys who were here for over 10 years gave me all kinds of crap and really didn't buy into it. I took all the driver stores from C:\Windows\System32 and imported them from our 5 different PC models into WDS. The first test run I imaged 12 computers in 30 minutes and had them all up and running on the domain in 1hr. Needless to say it caught the attention of my boss and Director. The first full production run we fully built 50 computers and they were fully functional the first day. The record before was 8. The company stopped using ImageX cold turkey and now we have 4 WDS servers and MDT fully running for 40 offices and have imaged over 5000 computers in less than 2 years. I would poke around the TechEd blogs for more info if you are interested. I have moved on from Desktop and got promoted to our new Network division and still consult with our Desktop team on imaging. I was lucky enough to attend some TechEd classes and have a good friend who was a great mentor. My old boss even had 2 Microsoft Engineers come in to train our Desktop team.
    You are going to battle some of the old guard people but you can teach old dogs new tricks. Just have to get your information lined up and presented in a way that shows value to your company.

    That's really cool. I wish we were doing that. I think the reason we aren't is because there's only about 60 people in this office + some users have desktops too. 3 model years floating around so not everyone gets upgraded to a new laptop at the same time. Plus everyone is on their laptop during the day, so it would have to take place after hours. Either way though I'd love to get experience doing that stuff. I guess it's just not viable though. They seem to order laptops on an individual basis. So I'll get one in, bring it to my desk. Image it with the base image, add on anything special, then give it to the user after a little documentation.
  • Edificer Member Posts: 187
    As a network technician, I've witnessed the same error more than I would like to, too. The server guys always walk over to my room and ask me to investigate, and presume the problem is related to poor switch configuration. I do perform my routine checks, a few show and debug commands, and even monitored the traffic with Wireshark. I was never able to find the problem. As mentioned above, they have found a bandage solution to this but it is re-occurring. It seems to be more stable now than before. We image our workstations with PXE / WDS. Great thread, though. I will definitely have a few flashbacks to it.
    “Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
  • xnx Member Posts: 464
    In my 1st job out of university the first thing I did was to set up a WDS Server and make the imaging as automated as possible. I've also set up a KMS Server and, as mentioned, this won't work properly with identical SIDs as a cloned image would have.
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • hurricane1091 Member Posts: 919
    Out of curiosity, if one were to use a WDS server, how would you go about creating an image? I'd assume I could create an image with the software I use, but is there a built-in Windows option?
  • Hondabuff Member Posts: 667
    1) Load a fresh copy of Windows 7 on a PC.
    2) Install all updates.
    3) Install applications such as Office, Adobe, Visio
    4) Install Support Applications, Silverlight, RealPlayer, Acrobat,etc
    5) Clean up PC with a reg cleaner and delete downloads and browser history. CCleaner works well for this.
    6) Activate Windows 7 with MAC or KMS License.
    7) Run C:\Windows\System32\sysprep\sysprep.exe, select Out of Box Experience.
    8) PC will shut down.

    Capture Image.
    1) Boot PC and keep pressing f12 until it annoys everyone in the room.
    2) PXE boot to Capture file on WDS. *valid once you setup WDS*
    3) Capture image and save .wim file.
    4) Boot test PC, I used VMware Desktop
    5) Keep pressing f12 even louder than before so everyone in the room turns and looks at you.
    6) Select Install x86/x64 Image *valid once you setup WDS*
    7) Install Image. If you have the driver store and XML unattend file setup you can automate a lot of the pre-setup like locale and time.
    8) Enjoy your new imaged PC that used PXE boot across the network.
    9) Use your old portable HDD for more important stuff like Super Troopers.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • xnx Member Posts: 464
    Hondabuff wrote: »
    1) Load a fresh copy of Windows 7 on a PC.
    2) Install all updates.
    3) Install applications such as Office, Adobe, Visio
    4) Install Support Applications, Silverlight, RealPlayer, Acrobat,etc
    5) Clean up PC with a reg cleaner and delete downloads and browser history. CCleaner works well for this.
    6) Activate Windows 7 with MAC or KMS License.
    7) Run C:\Windows\System32\sysprep\sysprep.exe, select Out of Box Experience.
    8) PC will shut down.

    Capture Image.
    1) Boot PC and keep pressing f12 until it annoys everyone in the room.
    2) PXE boot to Capture file on WDS. *valid once you setup WDS*
    3) Capture image and save .wim file.
    4) Boot test PC, I used VMware Desktop
    5) Keep pressing f12 even louder than before so everyone in the room turns and looks at you.
    6) Select Install x86/x64 Image *valid once you setup WDS*
    7) Install Image. If you have the driver store and XML unattend file setup you can automate a lot of the pre-setup like locale and time.
    8) Enjoy your new imaged PC that used PXE boot across the network.
    9) Use your old portable HDD for more important stuff like Super Troopers.

    The process is correct, but for capturing directly to a WDS you will have to load NIC drivers using the command "drvload <NIC Driver Path>" and initialise networking with "wpeutil initializenetwork" to be able to contact your WDS Server.
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • Hondabuff Member Posts: 667
    xnx wrote: »
    The process is correct, but for capturing directly to a WDS you will have to load NIC drivers using the command "drvload <NIC Driver Path>" and initialise networking with "wpeutil initializenetwork" to be able to contact your WDS Server.

    You will need the NIC .inf files, but with Server 2008 R2 and WDS you can mount the drivers right into your boot.wim file. Doing the manual mount is only if you don't have an 08R2 server.
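An added example, not from xnx's or Hondabuff's posts: the offline alternative to `drvload` / `wpeutil initializenetwork` that the two of them are discussing, done with DISM so the NIC driver is baked into the WinPE boot image WDS serves and the capture client has networking without any manual step. All paths and the image index are assumptions; DISM from the Windows AIK/ADK is required, and the script works on a backup copy so a bad driver package cannot brick the only boot image.

```powershell
# Added example: run elevated on a machine with DISM and access to the WDS store.
# Not code from the thread. All paths below are assumptions; adjust to your layout.
$bootWim   = 'C:\RemoteInstall\Boot\x64\Images\boot.wim'   # assumed WDS boot image
$mountDir  = 'C:\Mount\boot'                                # scratch mount point
$driverDir = 'C:\Drivers\NIC'                               # folder of extracted .inf driver packages

# Keep a pristine copy before touching the image.
Copy-Item $bootWim "$bootWim.bak" -Force
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null

# List the indexes; a media-derived boot.wim has index 1 (WinPE) and 2 (Setup).
dism /Get-WimInfo "/WimFile:$bootWim"
$index = 2   # assumption: confirm against the listing above before running the rest

# Mount read/write, inject every .inf under $driverDir, verify, then commit.
dism /Mount-Wim "/WimFile:$bootWim" "/Index:$index" "/MountDir:$mountDir"
dism "/Image:$mountDir" /Add-Driver "/Driver:$driverDir" /Recurse
dism "/Image:$mountDir" /Get-Drivers      # the new packages appear as oem*.inf entries
dism /Unmount-Wim "/MountDir:$mountDir" /Commit
```

Afterwards replace the boot image in the WDS console (or with `wdsutil /Replace-Image`) so PXE clients pick up the modified file; if anything went wrong during the mount, `dism /Unmount-Wim /MountDir:... /Discard` throws the changes away and the `.bak` copy is untouched.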
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • GreaterNinja Member Posts: 271
    Assuming this is Windows 7 or XP: back up your user profile directory, then from C:\Windows\System32\sysprep run sysprep /oobe I think?
    Then change the computer name, then join it back to the domain. This should eliminate SID conflicts, AD computer account issues, etc. Normally I'd delete the computer's AD account but I won't go through that. The only other issue it could be is network connectivity. Make sure your client or the network infra to that computer is set up correctly. Now as far as you guys making images, I would recommend something like VirtualBox, vSphere or VMware Workstation to create a multi-hardware image. Why? You can also update and save the image or even roll back with snapshots.
  • Chest Rockwell Registered Users Posts: 5
    Hi all, first post...newbie here.

    Have seen a similar issue before at a previous contract. Turned out the Hyper-V hosts the troublesome DCs were sitting on hadn't been patched in something like over 2 years. The problem grew and grew, starting with newly joined workstations falling off the domain all the way to one DC having an unwritable ntds.dit.

    The server team's initial reaction was to simply overprovision the DCs because local support complained about the slowness of AD tools. The issue didn't impact globally, just certain areas where it became apparent that the regional server guys were not patching their Hyper-V hosts.

    Might not be related to your issue, but thought I'd throw it in there.

    cheers
  • Deathmage Banned Posts: 2,496
    I used to have this problem recurring, but as many have stated above you need to do a sysprep on the local machine or change the SID (normally by joining a workgroup, rebooting, changing the PC's NetBIOS name, rebooting, then rejoining the domain). Now, what works best for me in a VMware world is to just install a VM for 2008 R2 and Windows 7, get all the updates in the world on it, then turn it off and make it into a template (I typically deploy all servers/desktops from this template and then activate Windows). Since deploying from a template I've never had that happen to me again (knock on wood).

    However, normally the leave domain and join domain works for me, and I delete all remnants of the domain SID from the registry before re-joining the domain, but I'm just super thorough and ****.