Script to detect and repair AD Binding
-
This isn’t a FOG specific question per se, but with having everyone out of the office for an extended period, many devices have non-functioning AD binding. Despite being back in the office on the network, they no longer check in to group policy etc.
They still check into FOG with the client properly, so I wanted to see if anyone had a good script to check if the binding is working correctly and correct it/rebind if it isn’t.
-
@astrugatch It would be interesting to see the full fog-client log of a host having the described issue but with fog-client working fine. I say this because the fog-client checks if the OS thinks it is joined to the domain or not using MS API calls. So I guess those return true even if AD is not good anymore. So a script checking would probably need to call totally different methods to find out. Maybe it would even need to query the AD itself… No idea.
-
Now I’m not so sure the client IS working properly. I see this when I pulled the log from one of the machines.
8/17/2021 1:53:08 PM Client-Info Client Version: 0.11.19
8/17/2021 1:53:08 PM Client-Info Client OS: Windows
8/17/2021 1:53:08 PM Client-Info Server Version: 1.5.9.98
8/17/2021 1:53:08 PM Middleware::Response Success
8/17/2021 1:53:08 PM Middleware::Communication Download: https://fog.CONTOSO.org/fog/client/SmartInstaller.exe
8/17/2021 1:53:09 PM Data::RSA FOG Project cert found
8/17/2021 1:53:09 PM ClientUpdater ERROR: Update file is not authentic
-
HA!
You actually put me on the right path! The computers in question were imaged so long ago that they predated our domain rename. So the info in the Active Directory section of FOG still listed our old domain, so even if they tried to fix themselves they would fail. This matches up as the machines that fixed themselves were all imaged or re-imaged AFTER the domain rename!
-
@astrugatch Good you figured this one out (domain rename)!
About the fog-client message “ERROR: Update file is not authentic”. This is a known issue as the “FOG Project” cert is not valid anymore. You need to manually install a newer client version on those machines (or re-deploy an image with a newer client).
-
Is that separate from the cert that is used for HTTPS? Do I need to generate a new cert or does that come from the install as long as it is recent?
-
@astrugatch said in Script to detect and repair AD Binding:
Is that separate from the cert that is used for HTTPS? Do I need to generate a new cert or does that come from the install as long as it is recent?
It’s separate from the cert used for HTTPS. Nothing you need to mess with. It’s a code signing certificate and it’s bundled into the fog-client. So if you use a recent one you are good to go.
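-
For the original question (a check that goes beyond "the OS thinks it is joined"), here is an added example that is not from any poster in this thread or from the FOG Project. It compares the joined domain with the one you expect, which would have flagged the pre-rename machines, and tests the machine's secure channel to a domain controller. It assumes Windows PowerShell 5.1, where Test-ComputerSecureChannel is available; `corp.example.org` is a placeholder domain.

```powershell
# Added example: report whether this machine's AD binding actually works.
# Assumption: Windows PowerShell 5.1. 'corp.example.org' is a placeholder;
# pass your current (post-rename) AD domain name instead.
param(
    [string]$ExpectedDomain = 'corp.example.org',
    [switch]$Repair,
    [pscredential]$Credential
)

function Get-BindingState {
    param([string]$ExpectedDomain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $state = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        PartOfDomain  = [bool]$cs.PartOfDomain       # what the OS believes
        Domain        = $cs.Domain
        DomainMatches = ($cs.Domain -ieq $ExpectedDomain)
        SecureChannel = $false                       # what the DC agrees to
    }
    if ($state.PartOfDomain) {
        try {
            $state.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
        } catch {
            # No reachable DC or a rejected machine account both count as broken.
            $state.SecureChannel = $false
        }
    }
    [pscustomobject]$state
}

$state = Get-BindingState -ExpectedDomain $ExpectedDomain
$state | Format-List

if (-not $state.PartOfDomain -or -not $state.DomainMatches) {
    # A stale or missing domain cannot be fixed by a channel repair; it needs a rejoin.
    Write-Warning "Joined to '$($state.Domain)', expected '$ExpectedDomain'. Rejoin required."
    exit 2
}
if (-not $state.SecureChannel -and $Repair -and $Credential) {
    # Resets the machine account password against a DC using the supplied account.
    $state.SecureChannel = [bool](Test-ComputerSecureChannel -Repair -Credential $Credential)
}
if ($state.SecureChannel) { exit 0 } else { exit 1 }
```

Exit code 0 means the binding is healthy, 1 means the secure channel is broken, and 2 means the machine is on the wrong domain or on none.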