Is it required to delete PC from AD when re Imaging?
-
Been using fog for a long time. Just now starting with Active Directory. Prior to that we had Novell eDirectory. When re-imaging a machine there was no need to delete it from eDirectory. Novell took care of hooking the re-imaged machine to its directory object. It seems to me that one must delete the PC’s AD object before a reimage to avoid security relationship errors from AD? Is this correct?
-
No sir, not required at all.
It’s name based. If you have a computer object with name abcd1234, and you image that particular computer and it re-uses the same name, when it joins to the domain it’ll reuse the old object too.
If you image a computer with a different name, a new object with the new name is created.
If you change the name of a computer already joined to AD, the fog client will actually create a new object for you in AD, and the old one becomes disabled.
-
OK, then I must have other AD issues, as a reimage gives me a security relationship error until I delete the object and then FOG adds it back. Let me try another test PC. Thanks for the quick reply.
-
@Roger-Saffle Are you using an image that was already attached to the domain when you uploaded it?
-
@Wolfbane8653 said in Is it required to delete PC from AD when re Imaging?:
@Roger-Saffle Are you using an image that was already attached to the domain when you uploaded it?
My thoughts exactly.
-
Do you sysprep your machines Roger?
-
I agree it’s best practice to not connect the reference computer to the domain and to use sysprep to prepare the reference image for image capture. I know some people say that sysprep isn’t necessary if you are capturing and deploying to the same hardware model, but if you have a mix of hardware, sysprep is the best way to ensure your image works across the computer fleet.
I can see an AD relationship issue with previously deployed machines as you roll out new ones if you had the reference image connected to the domain and you didn’t sysprep it before you captured it.
-
Don’t forget that the machine account in AD has a password. This gets changed on a regular basis, and it happens invisibly; it is a function of the way AD works.
From memory it gets changed every 30 days and, as I say, is completely invisible to users and admins. The last changed date can be read from AD via LDAP, although it needs a bit of work to translate it into a human-readable format.
If you image a PC without sysprep, when you deploy that image it will not join the domain if the machine account password has changed.
This will need the PC to be deleted and re-added to AD to resolve.
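The post above mentions that the machine account's last password change can be read from AD via LDAP but needs translating into a readable date, and that a non-sysprepped image stops joining once that password has rotated. The following Python is an added example, not code from the thread or from the FOG project: it converts the raw `pwdLastSet` attribute (an AD "large integer" FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) into a date, reports the password age against the 30-day default the post describes, and flags the stale-image condition (the image was captured with an older machine password than AD now holds). The sample records, account names and tick values are constructed for the demo; they are not real directory data.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC. That is why the raw LDAP value needs translating.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_ROTATION_DAYS = 30  # default machine-account password age the post refers to


def utc(year: int, month: int, day: int) -> datetime:
    """Helper to build an aware UTC datetime for the demo and checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Translate a raw pwdLastSet value into an aware UTC datetime.

    0 means the password has never been set (or must be set at next logon),
    so return None instead of reporting 1601-01-01.
    """
    if value <= 0:
        return None
    # timedelta resolves to microseconds; 10 ticks = 1 microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def password_age_days(pwd_last_set: int, now: datetime) -> Optional[float]:
    """Days since the machine-account password was last rotated, or None."""
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return None
    return (now - last_set).total_seconds() / 86400


def image_secret_is_stale(image_pwd_last_set: int, live_pwd_last_set: int) -> bool:
    """A non-sysprepped image carries the machine-account password as it was at
    capture time. If AD's current pwdLastSet for that computer object is newer,
    the domain has rotated the password since capture and the deployed machine's
    copy no longer matches: the security relationship failure the thread describes."""
    return live_pwd_last_set > image_pwd_last_set


def audit_machine_accounts(records, now, max_age_days=DEFAULT_ROTATION_DAYS):
    """Turn LDAP-style records (sAMAccountName, pwdLastSet) into
    (name, last_set_iso, age_days, overdue) tuples. 'overdue' flags accounts
    whose password is older than the expected rotation interval; healthy domain
    members rotate on schedule, so an overdue one deserves a look."""
    report = []
    for rec in records:
        last_set = filetime_to_datetime(rec["pwdLastSet"])
        age = password_age_days(rec["pwdLastSet"], now)
        overdue = age is not None and age > max_age_days
        report.append((rec["sAMAccountName"],
                       last_set.isoformat() if last_set else None, age, overdue))
    return report


# Constructed sample records (not real directory data). The tick values
# correspond to 2024-01-15 and 2024-02-29 00:00:00 UTC respectively.
SAMPLE_RECORDS = [
    {"sAMAccountName": "ABCD1234$", "pwdLastSet": 133497504000000000},  # 2024-01-15
    {"sAMAccountName": "LAB-PC07$", "pwdLastSet": 133536384000000000},  # 2024-02-29
    {"sAMAccountName": "NEWBOX01$", "pwdLastSet": 0},                   # never set
]

if __name__ == "__main__":
    now = utc(2024, 3, 1)
    for name, last_set, age, overdue in audit_machine_accounts(SAMPLE_RECORDS, now):
        print(f"{name:10} last set {last_set}  age {age}  overdue={overdue}")
    # Image captured while ABCD1234$ still had the January password; AD rotated it since.
    print("image secret stale:", image_secret_is_stale(133497504000000000, 133536384000000000))
```

The same conversion applies to the other FILETIME-valued attributes (lastLogonTimestamp, accountExpires), and the stale-image check is the condition to rule out before deleting and re-adding the object: if the reference image was captured before the live object's last rotation, deleting the object is what resets the secret, which is why the delete-then-rejoin workaround appears to fix it.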