Mark Minasi's Reader Forum
What does resetting a computer account really do?

NT_Moron
Posted - 06/05/2008 :  5:24:39 PM
In AD Users and Computers.

mitachu
Posted - 06/05/2008 :  5:40:54 PM
Resets the secure channel

Tim

netmarcos
Posted - 06/05/2008 :  5:41:17 PM
Changes the secure channel password required to verify the trust between the computer and the domain. Normally, the password is reset every 30 days. If a breakdown occurs in the communication channel between the machine and the domain, the machine will be out of synchronization with the domain. At that point, either the secure channel has to be reset using Netdom, or the machine will need to be rejoined to the domain.

Mark M. Webster

Genius may have its limitations, but stupidity is not thus handicapped. - Elbert Hubbard
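
An added example (not code from the post above): checking the secure channel described here and repairing it when the machine password has drifted, which is the cmdlet equivalent of the Netdom reset mentioned. It runs in an elevated PowerShell on the member computer; the DC name DC01.contoso.com is a placeholder.

```powershell
# Added example, not code from the forum post: check a member's secure channel
# to the domain and repair it when the machine password is out of sync, which is
# the situation described above. Run in an elevated PowerShell on the member
# computer; the DC name DC01.contoso.com is a placeholder.

# $true when the Netlogon secure channel to a DC is healthy, $false when it is not.
$healthy = Test-ComputerSecureChannel -Verbose

if (-not $healthy) {
    Write-Warning 'Secure channel is broken; resetting the machine account password.'
    # -Repair resets the machine password on this computer and on the DC in one
    # step (the cmdlet equivalent of "netdom resetpwd"). It needs an account that
    # may reset the computer object's password, so prompt for one.
    $cred = Get-Credential -Message 'Account allowed to reset the computer password'
    Test-ComputerSecureChannel -Repair -Server 'DC01.contoso.com' -Credential $cred
    # Re-check rather than trusting the repair call blindly
    $healthy = Test-ComputerSecureChannel
}

# If the channel is fine but a fresh machine password is wanted right now (for
# example before decommissioning), rotate it explicitly:
# Reset-ComputerMachinePassword -Server 'DC01.contoso.com' -Credential $cred

# Show the Netlogon settings that govern the automatic 30-day rotation. Both
# values are absent unless set by policy, in which case the defaults apply
# (MaximumPasswordAge 30 days, DisablePasswordChange 0).
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    SecureChannelHealthy  = $healthy
    MaximumPasswordAge    = $(if ($nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { '30 (default)' })
    DisablePasswordChange = $(if ($nl.DisablePasswordChange) { 'yes' } else { 'no' })
}
```

The script only repairs when the test fails, so it is safe to run as a routine health check; a machine whose channel keeps breaking usually has a duplicate name or a stale object on another DC, which is worth looking at before rejoining.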


NT_Moron
Posted - 06/05/2008 :  7:29:14 PM
Thank you for the explanation.

In a scenario where I want to replace a machine with another machine of identical hostname, resetting a computer account would not matter.

Therefore, my option is basically delete the original computer and then join the new host to the domain - yes?

netmarcos
Posted - 06/05/2008 :  9:02:00 PM
My personal opinion here: If the original machine was gracefully removed from the domain (the old system is online and you join it to a workgroup or something and then shut it off), the computer account will be disabled and a new machine with the same name can easily be joined to the domain and use the same account. If the old system just disappears, it's really your choice to either reset the account or delete and recreate it.

In most cases, there is little that matters about a specific computer account, so deleting the old and creating a new account is common practice.

Mark M. Webster

Genius may have its limitations, but stupidity is not thus handicapped. - Elbert Hubbard


RTHJr
Posted - 06/06/2008 :  04:59:22 AM
I have seen a dependency on Computer Accounts...well, member server and domain controller accounts if I recall right...if MS Message Queuing is enabled and configured to set up in AD. When I delete the Computer Account, I will get a warning that there are objects tied to the computer and they will be deleted. I am not sure exactly how the Message Queuing service is managed or how it works under the hood. I also seem to recall getting a warning on managed Computer Accounts. Those are Computer Accounts you may preconfigure ahead of time before joining a computer to the domain and assign a GUID. Such is done before or as a part of the RIS process of what is now called WDS in W2K3 SP2 and W2K8.

Ralph T. Howarth, Jr.
www.cfcmi.org

RTHJr
Posted - 06/06/2008 :  12:43:44 PM
Another computer account attribute: BitLocker recovery password and key protectors can be written to the computer object as well. But that is of no consequence unless you plan to decrypt the old drive, because you will want to hang on to the recovery information until you know that old computer's disk is decrypted. Then whacking the computer account would be fine for setting up the new computer.

Ralph T. Howarth, Jr.
www.cfcmi.org

Edited by - RTHJr on 06/09/2008 06:52:13 AM

Pieter
Posted - 06/09/2008 :  03:28:13 AM
Look out for DNS! The A-record for the computer has an ACE which gives write access to the computer account; look at the security tab on the A-record. Deleting the computer account from AD will not remove the ACE from the A-record.
A new computer account with the same name will have a new SID and thus no rights on the A-record. The new PC will not be able to update 'its' A-record.

Solution:
- delete the computer account and delete the A-record
or
- reset the computer account (no further action required on DNS)

Pieter Demeulemeester

Curt (Moderator)
Posted - 06/09/2008 :  1:04:45 PM
Great post and very common problem. In the field it really is a good idea to reset the account IF...........

Depending on what is running on a member server there are several things to consider. SPNs would be one of them.

My practice is to create the machine account prior to joining or rejoining the machine to the forest.

But check SPNs and DNS resolution, making sure to clean up WINS and DNS entries.

Mark, that was a good response in your comment. Many admins have no idea that machine accounts have passwords.


Curt Spanburgh
Microsoft Certified Business Solution Specialist.
Dynamics CRM MVP
Contributing Editor, Windows IT Pro

He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly.
Proverbs 13:20
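
An added example (not code from any post in this thread): an inventory of what hangs off a computer account before it is deleted, covering the dependencies raised above by RTHJr and Curt: SPNs, the netbootGUID of a pre-staged RIS/WDS account, and child objects such as MSMQ configuration and BitLocker recovery information. It assumes the RSAT ActiveDirectory module; the computer name PC1 and the export path are placeholders.

```powershell
# Added example, not code from any post above: inventory what hangs off a
# computer account before deleting it, covering the dependencies raised in this
# thread: SPNs, a pre-staged (RIS/WDS) netbootGUID, and child objects such as
# MSMQ configuration and BitLocker recovery information. Assumes the RSAT
# ActiveDirectory module; PC1 and the export path are placeholders.
Import-Module ActiveDirectory

$name = 'PC1'
$c = Get-ADComputer -Identity $name -Properties servicePrincipalName, netbootGUID,
        operatingSystem, lastLogonTimestamp

"Computer : $($c.DistinguishedName)"
"SID      : $($c.SID)"
"OS       : $($c.operatingSystem)"
if ($c.lastLogonTimestamp) {
    "Last seen: $([DateTime]::FromFileTime($c.lastLogonTimestamp))"
}
# netbootGUID is set on accounts pre-created for RIS/WDS deployment
if ($c.netbootGUID) { 'Managed  : yes (netbootGUID present, pre-staged account)' }

"`nService principal names (look for ones clients or other hosts depend on):"
$c.servicePrincipalName | Sort-Object | ForEach-Object { "  $_" }

"`nChild objects that will be deleted together with the account:"
$children = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                -Filter * -Properties objectClass, whenCreated, 'msFVE-RecoveryPassword')
foreach ($o in $children) {
    $kind = switch ($o.ObjectClass) {
        'msFVE-RecoveryInformation' { 'BitLocker recovery password / key protector' }
        'mSMQConfiguration'         { 'MSMQ configuration' }
        default                     { $o.ObjectClass }
    }
    "  [$kind] $($o.Name) created $($o.whenCreated)"
}
if ($children.Count -eq 0) { '  (none)' }

# As noted above, keep the BitLocker recovery information until the old disk is
# known to be decrypted or destroyed. Export it to a protected location first.
$recovery = @($children | Where-Object ObjectClass -eq 'msFVE-RecoveryInformation')
if ($recovery.Count -gt 0) {
    $recovery | Select-Object Name, whenCreated, 'msFVE-RecoveryPassword' |
        Export-Csv -NoTypeInformation -Path 'C:\Secure\PC1-bitlocker-recovery.csv'
    "Exported $($recovery.Count) recovery entries; the file holds recovery passwords, so restrict access to it."
}
```

Run it against the old account before choosing between reset and delete: an empty SPN list and no child objects means delete-and-recreate costs nothing, while BitLocker or MSMQ children argue for resetting the existing object instead.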

RTHJr
Posted - 06/09/2008 :  2:09:06 PM
quote:
Originally posted by Pieter

Look out for DNS! The A-record for the computer has an ACE which gives write access to the computer account; look at the security tab on the A-record. Deleting the computer account from AD will not remove the ACE from the A-record.
A new computer account with the same name will have a new SID and thus no rights on the A-record. The new PC will not be able to update 'its' A-record.

Solution:
- delete the computer account and delete the A-record
or
- reset the computer account (no further action required on DNS)


So a "reset" of the computer account purges the A-record? I wonder now about resource records for, say, MX or NS? Do they have to be checked on? And for DCs, there are the Active Directory "sub-domains" to look after too, as Kerberos and other infrastructure services read and write records in those places.

Ralph T. Howarth, Jr.
www.cfcmi.org

Curt (Moderator)
Posted - 06/09/2008 :  2:15:59 PM
No, the records stay. But if roles, names, and IPs change, then make the changes in DNS and WINS.

Curt Spanburgh
Microsoft Certified Business Solution Specialist.
Dynamics CRM MVP
Contributing Editor, Windows IT Pro

He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly.
Proverbs 13:20

Pieter
Posted - 06/10/2008 :  06:52:40 AM
Like Curt said: no, resetting (nor deleting) a computer account does not delete the A-record. The record stays with its ACL. The new PC will be linked with the computer account and will be able to update the A-record. That's a good thing.

An example:
1. Install PC1 and join it to the domain
=> object PC1 is created in domain, SID-12345
=> A-record PC1=10.10.10.1 is created in DNS
=> object PC1 has write access (based on SID-12345) on the A-record PC1 and can update it

2. reset object PC1
=> object PC1 stays with SID-12345
=> A-record PC1 stays

3. throw away computer PC1. The hardware box, not the AD object!

4. Install a new computer, join it to the domain as PC1
=> new computer will be linked with object PC1
=> object PC1 still has SID-12345
=> PC1 can update A-record PC1

Pieter Demeulemeester
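
An added example (not code from Pieter's posts): the check behind the scenario above, comparing the ACL on PC1's A-record in an AD-integrated zone with the SID of the current PC1 computer account. After a delete-and-recreate the old ACE survives on the record as an unresolvable SID while the new account (new SID) has no entry, so the new machine cannot update its own record; after a reset the SID is unchanged and the ACE still matches. It assumes the RSAT ActiveDirectory module (the AD: drive) and a zone stored in the DomainDnsZones partition; contoso.com and PC1 are placeholders.

```powershell
# Added example, not code from Pieter's post: compare the ACL on a computer's
# A-record in an AD-integrated zone with the SID of the current computer
# account. An ACE whose account was deleted stays on the record as an
# unresolvable SID, so a recreated PC1 (new SID) gets no match and cannot
# update its own record. Assumes the RSAT ActiveDirectory module (AD: drive)
# and a zone stored in the DomainDnsZones partition; contoso.com and PC1 are
# placeholders.
Import-Module ActiveDirectory

$zone   = 'contoso.com'
$pcName = 'PC1'

$domainDn = (Get-ADDomain).DistinguishedName
# Record objects live under the zone container: DC=<host>,DC=<zone>,CN=MicrosoftDNS,...
$recordDn = "DC=$pcName,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

$computer = Get-ADComputer -Identity $pcName
$acl      = Get-Acl -Path "AD:\$recordDn"

"A-record : $recordDn"
"Owner    : $($acl.Owner)"
"Account  : $($computer.DistinguishedName)  SID $($computer.SID.Value)"

$ownAces = @(); $orphans = @()
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference
    if ($id -is [System.Security.Principal.SecurityIdentifier]) {
        # Get-Acl shows DOMAIN\NAME$ when it can; a raw SID here means the
        # principal no longer exists (typically a deleted computer account).
        $sid = $id
        try   { $null = $sid.Translate([System.Security.Principal.NTAccount]); $resolvable = $true }
        catch { $resolvable = $false }
    } else {
        $sid = $id.Translate([System.Security.Principal.SecurityIdentifier])
        $resolvable = $true
    }
    if ($sid.Value -eq $computer.SID.Value) { $ownAces += $ace }
    elseif (-not $resolvable)                { $orphans += $ace }
}

"`nACEs for the current ${pcName}$ account:"
$ownAces | ForEach-Object { "  $($_.AccessControlType) $($_.ActiveDirectoryRights)" }
if ($ownAces.Count -eq 0) { '  (none)' }

"`nOrphaned ACEs (SID no longer resolves):"
$orphans | ForEach-Object { "  $($_.IdentityReference.Value) $($_.ActiveDirectoryRights)" }
if ($orphans.Count -eq 0) { '  (none)' }

if ($ownAces.Count -eq 0) {
    Write-Warning "No ACE for the current SID: dynamic updates from the new $pcName will be refused."
    # Remediation for the delete-and-recreate case when the stale record must be
    # kept: grant the new account write access to the record (or simply delete
    # the record and let the new machine register it, as the post suggests).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # Set-Acl -Path "AD:\$recordDn" -AclObject $acl   # uncomment to apply
}
```

Zones kept in the ForestDnsZones partition or in the domain partition (CN=System) use a different container path, so adjust $recordDn accordingly; the comparison logic is the same. Orphaned SIDs on a record are also a quick way to spot names that were recycled without cleanup.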

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi