Re: [ActiveDir] Upgrading computers and computer objects

2003-12-31 Thread Irwan Hadi
On Mon, Dec 29, 2003 at 10:01:53AM -0600, Rich Milburn wrote:

 Just tried it, XP SP1 on a 2003 domain, Network Identification, switched
 from domain member to workgroup member:
 
 Enter the name and password of an account with permission to remove this
 computer from the domain.
 
 User name:
 
 Password:
 
 This is while logged in as a domain admin.  It seems to be fairly new
 behavior, I can't recall if AD 2000 did this or not.  It might be an XP
 thing.

AD 2000 does this, but probably after some Service Packs, because I've
done this on a Windows 2000 box too.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Irwan forgive me if I read you wrong... 

I think what he's asking is about leaving the computer accounts in AD or
deleting them.  When you remove the computer from the domain (like join it
to a workgroup) it removes the computer account from the domain.  Or you can
turn the computer off and delete the account forcefully with ADUC or dsrm or
whatever.  Or you can reset the account - something I've rarely used,
because I didn't know what the difference was from deleting the account and
adding the new computer with the same name.

Rich

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, December 28, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Irwan,

I would concur that option two is the most successful method, from my
experience.  For all intents and purposes, the Computer object is a
derivative of the User object and has a SID associated with it.  Simply
naming a computer the same as an existing object will not yield the desired
result, and will often cause unpredictable results.

I might not be reading the options correctly, but I see option one and three
as the same.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Sunday, December 28, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Upgrading computers and computer objects

I'm curious what is the best practice or recommended way for the following
case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though the
UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers, and
join them to the domain?
2. Since there are several computers, can I just delete the corresponding
computer objects in the ADUC, install the new computers, and join them to
the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest way.

Thanks


RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Actually, removing a computer from the domain on the client side (i.e.
changing its domain membership to a workgroup) does NOT remove the machine
account from AD (nor did it remove the account in NT4 domains). No domain
rights are required to remove a machine from the domain - you can prove this
by using the local admin account of a machine to remove it from the domain.
Local admin has no domain rights, yet you can remove the machine from the
domain.

The only action I know of which will remove the computer account
automatically is running DCPromo to remove a DC.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
I've only been prompted for credentials when joining a domain, not when
leaving one. And those are always for the new domain, not the old.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rich Milburn [mailto:[EMAIL PROTECTED] 
 Sent: Monday, December 29, 2003 10:38 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Upgrading computers and computer objects
 
 
 You know... it's one of those things I rarely bother to do because I do #2
 below, and the couple of times I have done it, I've never checked to see if
 the account was gone.  Seems like you _should_ need domain privs to remove a
 computer from the domain, and it _should_ delete the computer account... now
 that you mention it I have removed computers from the domain without being
 able to contact the DC.  What's the point of asking for an account that can
 remove it from the domain, if you have to be an admin to get that far in the
 first place? (though I've never tried switching to workgroup as a non-admin
 account so maybe it will let you try to remove the computer from the domain
 as a regular user and just ask for an admin account?)
 

RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Roger Seielstad
Wow. Never saw that before.

I'll have to play with my crashbox a bit later. Maybe it's just because I
usually rebuild the box then worry about the domain account later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread David Houston
As Rick says option two would be the best way to go forward to it. The
new computers wouldn't have the corresponding SID of the computer that
they are replacing. Deleting the existing computer accounts will delete
the old SIDs, and by joining up the new machines with correct naming
convention that you are looking for will add the new SIDs to the
database. 
In option one, removing the machine from the domain should, I could be
wrong, do the same as deleting the accounts from ADUC. So option two
should save you time and effort on the install as well as hassle in the
future. 
Hope this helps 
Dave 



Kind regards,
David Houston
Computer Consultant

Mob.: (+353) 087 6810844
E-mail: [EMAIL PROTECTED]


Dame Computers
Ruwenzori
Delgany, Wicklow
Tel. : 01-2873159
Fax : 01-2874521
E-mail: [EMAIL PROTECTED] 




RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Rich Milburn
Yeah that's what I usually do.  I went through the process with Win2K and
WinXP just now.  Here is what I found:

Win2K - 
1) logged on as domain admin, 
2) moved to workgroup - silently succeeded 
3) did not notice if account was disabled.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) it asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, it told me: This computer was disjoined from the
domain DOMAIN.COM, but the computer account could not be disabled.  You
should contact your network administrator with this information.  
9) Rebooted, joined back to domain with same computer name, no problems.

WinXP - 
1) logged on as domain admin, 
2) moved to workgroup, asked me for authentication, which I gave without
specifying domain, 
3) checked ADUC and computer account was disabled but not deleted.  
4) Rebooted, logged in as local admin, 
5) added it back to the domain, same computer name, 
6) asked me for authorized login info to add account, succeeded.  
7) Rebooted, logged in as local admin, 
8) moved back to workgroup, asked me for credentials, succeeded.  
9) Rebooted, joined back to domain with same computer name, no problems.

It seems that the only difference is that Win2K does not ask for credentials
and either silently succeeds or it fails to disable the account.  XP asks
for credentials.  What's the point in disabling the account?  Not sure.
What does a reset gain you?  Not sure there either, because I never once
deleted the computer name or reset it before adding the computer back to the
domain with the same name.  Granted, the computer NIC and IP and etc was the
same so maybe it checks that before allowing you to add back with an
existing name.  But NT4 didn't allow that, you had to delete the account
first (and sync with the PDC!)

Rich


RE: [ActiveDir] Upgrading computers and computer objects

2003-12-29 Thread Kingslan, Rick T.
Rich,

I suspect it's not the SID it's looking at.  It's more likely the GUID.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, December 29, 2003 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Upgrading computers and computer objects

Further info... after #9 on XP, I removed, rebooted, and then added it
back under a different name that happened to already exist.  It told me
that it already existed, and it added it back with the same name it had
before.  I'm pretty sure the name that exists is simply for a VM that I
rebuilt with RIS without removing the computer account.  So perhaps it's
checking the computer's SID and if it's the same one, it allows the
computer to be added back under the same name.  Perhaps resetting the
account allows you to add a new SID under that name without deleting and
re-adding the computer account in AD?
Rich

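
An added example (not part of the original thread and not any poster's code): one way to check what the disjoin and rejoin tests described above actually did to the computer object, that is, whether it was left disabled rather than deleted, and whether a rejoin under the same name reused the existing object (same objectSid and objectGUID) or produced a new one. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates this thread; the computer name `WS-EXAMPLE01`, the DC name `dc01.example.test` and the snapshot path are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# 'WS-EXAMPLE01', 'dc01.example.test' and the snapshot path are placeholders.
Import-Module ActiveDirectory

function Get-ComputerObjectSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Server   # optional: pin one DC so replication lag does not skew the comparison
    )
    $query = @{
        # sAMAccountName of a computer is its name plus '$'; -Filter returns
        # nothing (instead of throwing) when the object has been deleted.
        Filter     = "SamAccountName -eq '$Name`$'"
        Properties = 'whenCreated', 'PasswordLastSet'
    }
    if ($Server) { $query.Server = $Server }
    $c = Get-ADComputer @query

    if (-not $c) {
        return [pscustomobject]@{ Name = $Name; Exists = $false }
    }
    [pscustomobject]@{
        Name            = $c.Name
        Exists          = $true
        Enabled         = $c.Enabled
        Sid             = $c.SID.Value
        Guid            = $c.ObjectGUID.ToString()
        WhenCreated     = $c.whenCreated
        PasswordLastSet = $c.PasswordLastSet
    }
}

function Compare-ComputerObjectSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    if (-not $Before.Exists -and -not $After.Exists) {
        return 'No computer object before or after.'
    }
    if ($Before.Exists -and -not $After.Exists) {
        return 'Object deleted: its SID and GUID are gone from the directory.'
    }
    if (-not $Before.Exists -and $After.Exists) {
        return "New object created (SID $($After.Sid))."
    }
    # Both exist: same object only if both identifiers match.
    if ($Before.Guid -ne $After.Guid -or $Before.Sid -ne $After.Sid) {
        return 'Same name, different object: the old account was removed and a new one created.'
    }
    if ($Before.Enabled -and -not $After.Enabled) {
        return 'Same object, now disabled but not deleted.'
    }
    if ($Before.PasswordLastSet -ne $After.PasswordLastSet) {
        return 'Same object reused (SID and GUID unchanged); machine password was reset.'
    }
    return 'Same object, no change detected.'
}

# 1. Before touching the machine, record the current state of its account.
$name   = 'WS-EXAMPLE01'
$server = 'dc01.example.test'
$path   = Join-Path $env:TEMP "$name-before.xml"
Get-ComputerObjectSnapshot -Name $name -Server $server | Export-Clixml -Path $path

# 2. Perform the disjoin, delete, reset or rejoin being tested, then:
$before = Import-Clixml -Path $path
$after  = Get-ComputerObjectSnapshot -Name $name -Server $server
Compare-ComputerObjectSnapshot -Before $before -After $after

# Accounts left disabled by earlier disjoins, as candidates for cleanup:
Get-ADComputer -Filter 'Enabled -eq $false' -Properties whenChanged |
    Select-Object Name, SID, whenChanged
```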

[ActiveDir] Upgrading computers and computer objects

2003-12-28 Thread Irwan Hadi
I'm curious what is the best practice or recommended way for the
following case:
I have several computers that are joined to the domain, and I'm going to
upgrade some of these computers with a different computer (newer), though
the UNC name of these computers will remain the same.
Should I:
1. Remove the old computers from the domain, install the new computers,
and join them to the domain?
2. Since there are several computers, can I just delete the
corresponding computer objects in the ADUC, install the new computers,
and join them to the domain?
3. Just put the new computers in place, and join them with the same name?

So far, I'm doing the second way, because I think it is the cleanest
way.

Thanks