Allowed to join an Active Directory domain and replace an existing computer object...

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
Anyone know of a setting that enables or prevents this?

Long story short, a production server of 5-10 years was able to be replaced in AD by a new server that accidentally had the same name. The problem has been corrected, but there remains the issue as to why AD allowed this to happen.

Typically, AD will reject adding a system to the domain if the name is already in use, but in this case the production server was removed from the domain, the application stopped working, and the new server (with nearly nothing on it) was allowed to take its place without so much as a blink from AD.

I could see a replication issue being a possibility, but not if the system has been present for upwards of 5 years.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
When you say removed from the domain, what do you mean? If you changed it from a domain to a workgroup, that removed the AD object, which would allow the new one to be created without issue.
 

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
Meaning that a previous computer existed with the name supplied to the new server. The new server took over that computer object, which in effect ripped the production server out of AD because its very own computer object no longer belonged to it.

Does that make sense?
 

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
Just to be clear, I am used to AD saying 'Sorry, a Computer with that Name already exists. This system cannot be joined to the domain.' That's not the message verbatim, but it is as close as I remember.

In short, I would prefer AD prevent the addition of a system attempting to reuse the name. I understand if two systems are added to separate sites with the same name and AD replication has not caught up. What I do not want to see is another production system be replaced in AD due to a misnamed new system.
 

JustMe21

Senior member
Sep 8, 2011
324
49
91
Perhaps you could have people use a PowerShell script to join a computer to the domain so it could check to see if the name already exists. Something like this.

Import-Module ActiveDirectory

# Name this machine will request when it joins
$Computer = $env:COMPUTERNAME

# Ask for the domain and credentials first: a machine that is not yet joined
# needs them to query AD at all
$Domain = Read-Host -Prompt "Enter the domain"
$User = Read-Host -Prompt "Enter user with domain joining privileges"
$Password = Read-Host -Prompt "Enter password for $User" -AsSecureString
$Credential = New-Object System.Management.Automation.PSCredential("$Domain\$User", $Password)

# -Filter returns nothing (no error) when no object has this name, so the join
# only proceeds when the name is genuinely unused
$Existing = Get-ADComputer -Filter "Name -eq '$Computer'" -Server $Domain -Credential $Credential

If ($null -eq $Existing)
{
    Add-Computer -DomainName $Domain -Credential $Credential
}
else
{
    Write-Host "$Computer already exists in the domain ($($Existing.DistinguishedName)); not joining."
}
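The pre-join check above prevents a repeat; the thread's actual incident went unnoticed until the application broke. As an added example (not code from the thread), this lists recent Security event 4742 ("A computer account was changed") records on a domain controller, which is where a join that reuses an existing computer object is recorded together with the account that performed it. Assumptions: run elevated on a DC, and the 7-day window is a constructed value.

```powershell
# Added example, not from the thread. Event 4742 fires on the DC whenever a computer
# account's attributes change, including the machine-password reset that a join
# reusing an existing object performs.
$Days  = 7                              # assumed look-back window
$Start = (Get-Date).AddDays(-$Days)

$Changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $Start } |
    ForEach-Object {
        # Flatten the event's <Data Name="..."> elements into a name/value table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time            = $_.TimeCreated
            ChangedAccount  = $data['TargetUserName']
            ChangedBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            DnsHostName     = $data['DnsHostName']      # "-" when the attribute was not touched
            PasswordLastSet = $data['PasswordLastSet']  # "-" when the password was not changed
        }
    }

# Routine machine-password rotation is performed by the computer account itself
# (SubjectUserName ends in "$"). A password change on a computer object made by a
# human account is the footprint of a join that took over an existing object.
$Changes |
    Where-Object { $_.PasswordLastSet -ne '-' -and $_.ChangedBy -notmatch '\$$' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Cross-check each hit against the object's OperatingSystem and LastLogonDate from Get-ADComputer to confirm whether the change was a planned rebuild or an accidental name collision like the one described above.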
 

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
Not a bad thought. I am just perplexed as to why this was even allowed. I've seen this in other domains when replacing workstations and such, and most frequently it seemed you had to delete or reset the object before you could overwrite it.
 

mrjminer

Platinum Member
Dec 2, 2005
2,739
16
76
Not a bad thought. I am just perplexed as to why this was even allowed. I've seen this in other domains when replacing workstations and such, and most frequently it seemed you had to delete or reset the object before you could overwrite it.
Another possibility to check out may be to see if the IP addresses are the same and/or if the new server has its MAC address spoofed to the old one's.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Meaning that a previous computer existed with the name supplied to the new server. The new server took over that computer object, which in effect ripped the production server out of AD because its very own computer object no longer belonged to it.

Does that make sense?

Well, it's not the same as

but in this case the production server was removed from the domain

If the original server was removed from the domain then the AD entry is deleted. Adding an object back with any currently unused name is fine.

The new server took over that computer object

The above means you didn't remove the original server from the domain,

in which case I agree--it would be puzzling.
 

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
well, its not the same as

if the original server was removed from the domain then the AD entry is deleted. adding an object back with any currently unused name is fine.

the above means you didnt remove the original server from the domain

in which case i agree--it would be puzzling.

You're really splitting hairs here. The production system was no longer a part of the domain, hence it was removed. The new system took over the computer object, removing the production system from the domain.

No, the AD object was not deleted. The system was removed from the domain because something else took its place. However you want to look at it, AD typically prevents that action because the object is already in use.

http://i.stack.imgur.com/JxmRJ.png