Active Directory Computer Objects

Last response: in Business Computing
July 19, 2012 1:20:05 PM

Here is a legitimate question for all you people that work with Active Directory on a daily basis.

Computer object JBLOW is deleted from Active Directory and the machine is powered off. User Joe Blow receives a PC upgrade which is renamed to give him the same hostname as he had before, "JBLOW". All is well, the PC is joined to the domain without a problem (because we deleted his old computer object previously). But there is a problem: someone accidentally powers up the replaced PC and it disjoins the newly added machine from the domain (since they both have the same hostname). You still get the typical "domain trust relationship" error before log in, so why does it kick the newly added PC off?

This scenario can be avoided, and is in most cases (by renaming the old PC or disjoining it as it is replaced). But my concern is that I thought Active Directory was more concerned with a GUID rather than a hostname. So how would an old PC that no longer has a GUID record in a domain have authority over the new computer object (which has a new GUID)?

I would think that the PC that no longer has a GUID associated with a computer object in the domain would simply give you the "domain trust relationship" error and that be the end of it.

But this is not the case in Server 2008.

Any insight?
July 19, 2012 3:40:25 PM

Do you have AD Recycle Bin enabled? If so, you may need to delete the computer object from the Recycle Bin. By default it stores the object up to 180 days.

It shouldn't kick the new system off the domain though. You would likely end up with a "duplicate name exists on the network" error, or your DNS server is allowing dynamic updates and the system is updating the DNS record, confusing the two systems.

By deleting the computer object and leaving the computer still joined, it would try to connect still. Likely issue is because both systems have the same name they both are kicked off. The computer that was deleted, yet still thinks it is connected, should not be able to connect to the domain. If so, you would be connecting under user credentials and not with the computer object itself.
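The three conditions raised in the reply (a live object with the same name, a copy lingering in the AD Recycle Bin or as a tombstone, and a stale dynamic DNS record) can be checked before a hostname like JBLOW is reused. The following is an added example written for this thread, not code from any poster; it assumes the RSAT ActiveDirectory and DnsClient modules are installed and the caller has read access to the domain.

```powershell
# Pre-flight checks before reusing a hostname (example code, not from the original thread).
# Assumes: RSAT ActiveDirectory module, DnsClient module, read access to the domain.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-HostnameReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,        # e.g. 'JBLOW'
        [string] $DnsSuffix = (Get-ADDomain).DNSRoot          # zone the client registers into
    )
    $sam = "$ComputerName`$"   # computer accounts are stored as NAME$

    # 1. A live computer object with this name: joining a new box reuses or
    #    resets it, so two machines end up fighting over one account.
    $live = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" `
        -Properties whenChanged, lastLogonTimestamp -ErrorAction SilentlyContinue

    # 2. Deleted copies: with AD Recycle Bin enabled the object keeps its
    #    attributes (default 180 days); tombstones also retain sAMAccountName.
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$sam))" `
        -Properties whenChanged, lastKnownParent

    # 3. A dynamic DNS A record still pointing at the old machine lets the
    #    powered-on old box overwrite the new one's registration.
    $dns = Resolve-DnsName -Name "$ComputerName.$DnsSuffix" -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        LiveObject     = $live
        DeletedObjects = @($deleted)
        DnsARecords    = @($dns | Select-Object Name, IPAddress, TTL)
        SafeToReuse    = (-not $live) -and (@($deleted).Count -eq 0) -and (@($dns).Count -eq 0)
    }
}

# Usage: Test-HostnameReuse -ComputerName 'JBLOW' | Format-List
```

A recycled object found in step 2 can be purged with `Remove-ADObject -Identity <DN> -IncludeDeletedObjects`, and on the newly joined machine `Test-ComputerSecureChannel -Verbose` confirms whether its secure channel survived the old box being powered on.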