Общая ошибка сети при изменении имени компьютера

при изменении имени компьютера произошла ошибка учетная запись уже существует

• Вопрос

• Привет ВСЕМ!

  Вообщем ошибка как в теме, проблема в том что компьютера в АД нету, НО при намерении назвать его именем выбивает, что такая учетная запись уже существует, происходило единично с некоторыми компьютерами независимо от ОС, домен На 2008Р2 энт…

All replies

• Hello,

  it seems that replication is not done between the DCs when you try to use the same name, so give it some time for replication, especially if they are on different sites.

  Also check that all records from DNS zones are removed from the machines.

  Are the machines created from images/clones that are not prepared with sysprep?

  ---

  Best regards

  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP — Directory Services
  My Blog: http://msmvps.com/blogs/mweber/

  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• You can reset the computer account in AD i.e in ADUC right click on computer object and select reset or delete the computer object from AD and force the replication between DC and then try the same.Also you need to check the duplicate record in DNS if
  any and delete the same before you proceed joining the PC to domain.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  • Proposed as answer by

    Wednesday, April 8, 2015 1:49 AM

• Hi,

  When you remove old computer account from AD make sure that the change is replicated to another DC. Before renaming DC, ensure that replaced DC entries are not present in DNS and ADSEDIT.

  ---

  Best regards,

  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees and confers no rights.

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have
  an error message «Can`t rename, computer account is already exists» where else should we remove it????????

  When computer is disjoint from the domain or member system is crashed its computer object still exists in the AD in the disabled state & it is only deleted at the later point. Also, its host records & pointer records exists in the DNS. Without cleaning
  those reference, you can’t rename a new system to the old one. If you still attempt it then the secure channel will be broken along with duplicate SPN issue might occur.

  You need to delete the computer object from the AD & records from the DNS, wait at least one replication cycle to be completed for the changes to be reflected to any other DC before you can reuse the name.

  ---

  Awinish Vishwakarma — MVP

  
  

  My Blog: awinish.wordpress.com

  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Look i`ve cheked in on both DC`s dsa.msc, dasiedit.msc, and in the DNS records too, there were no those computers, so maybe someone Knew if there is a way maybe in powershell to make search in ldap of those machines accounts??????

• How is the machine prepared clean OS install or prepared by clone or imaging without sysprep?
  The Machine SID Duplication Myth (and Why Sysprep Matters)
  http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• We are using WDS server, with prepered images(with sysprep of course), so you think, i should check out for dublicated SIDS?

  Sandesh if you would be on my place how would you do that?

  • Edited by
    Gvintik
    Thursday, October 4, 2012 10:04 AM

• • Proposed as answer by
    Yan Li_
    Monday, October 8, 2012 7:38 AM
  • Unproposed as answer by
    Gvintik
    Monday, October 8, 2012 9:04 AM

• Sandesh ive got the list by this command Get-ADComputer -Filter {Name -like «*»} | Select Name,SID | Format-Table -Auto

  But there are no matches in this list, if i understood correctly one of my computers have SID that matches with name that i need, but some how it has another name, so how could i figure that?????

• Try to connect the dsa.msc to both DC´s and check if the Computer account is deleted on both. You can change the connection point in this menu 

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

  Just to add about replication, is if you have multiple Sites and the console or DC you are connecting to is in another Site, and the replicaiton frequency is at the default 180 min (3 hours), you will need to wait for replication to occur. Evenif you were
  to right-click a connection object and choose replicate now, it will still wait until the next schedule. I’ve seen this in larger environments with multiple DCs and Sites, and this includes making changes to GPOs, since no matter what DC you’re connected to
  working on a GPO, it’s really talking to the PDC Emulator (which can be changed), and the PDC may be in another Site, and the GPO hasn’t replicated yet.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  
  
  

• Try to connect the dsa.msc to both DC´s and check if the Computer account is deleted on both. You can change the connection point in this menu 

  Yes, i `ve done that, read carefully Thread  please

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

  Just to add about replication, is if you have multiple Sites and the console or DC you are connecting to is in another Site, and the replicaiton frequency is at the default 180 min (3 hours), you will need to wait for replication to occur. Evenif you were
  to right-click a connection object and choose replicate now, it will still wait until the next schedule. I’ve seen this in larger environments with multiple DCs and Sites, and this includes making changes to GPOs, since no matter what DC you’re connected to
  working on a GPO, it’s really talking to the PDC Emulator (which can be changed), and the PDC may be in another Site, and the GPO hasn’t replicated yet.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  

  We set replication on every 15 min, and i `ve waited for a few days still no luck! so if your advice is to wait, we `have already tried that!

• At this point of time I would recommend to check the health of DC and run dcdiag /q and repadmin /replsum and post the log with IPconfig /all details of DC and problematic computer.I would also recommend to connect to ADSIedit and check does the computer
  object name exist and delete the same if any.Also try searching the computer object form ADUC.Click on Root domain name(example.com) and perfrom the search computer search it may be the case it may be in some other OU.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• Sandesh i`ll post all that you listed a little bit later, but the thing is that there is no problem computer, there is problem machine name, because i can`t name any machine with this name!

• So here is repadmin /replsum on GC
   GC                    10m:30s    0 /   5    0
   DC                    10m:42s    0 /   5    0
   GC                     10m:42s    0 /   5    0
   DC                     10m:26s    0 /   5    0

  And the same on the DC

   GC                     12m:36s    0 /   5    0
   DC                     12m:48s    0 /   5    0
   GC                     12m:53s    0 /   5    0
   DC                     12m:38s    0 /   5    0

  dcdiag /q showed nothing(errors i mean)

  I`ve already said that i there s no machine with problem name in ADUC(i`ve looked there with search) and adsiedit

  And tell me why do you need ipconfig /all? because there`s nothing wrong with connectivity! i`m very sure about that!

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have
  an error message «Can`t rename, computer account is already exists» where else should we remove it????????

  Are you using WINS? If the name is still registered, it may cause it.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  
  
  

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  Yes, on the other machine, we have the same message, and we`ve found out that the entry of the computer is in OU=Deleted, how can we delete it from there, i know that we can reanimate deleted object form AD recycle bin, but how could delete it from there?!

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have an error
  message «Can`t rename, computer account is already exists» where else should we remove it????????

  Are you using WINS? If the name is still registered, it may cause it.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  

  We have no WINS

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  Yes, on the other machine, we have the same message, and we`ve found out that the entry of the computer is in OU=Deleted, how can we delete it from there, i know that we can reanimate deleted object form AD recycle bin, but how could delete it from there?!

  Deleting Objects from Active Directory Using Ldp.exe
  http://support.microsoft.com/kb/244344

  Also once the object are deleted it is mark for deletion for later time.It is not recommend to delete the deleted container object directly instead you can view the deleted container and you see any conflicting object this could be due to lingering object.
  http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
  http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• I`ve changed the tomblifetime to it`s min value(3 days), so i am waiting for result…. 

• I`ve checked tombstonelifetime is 3, and i`ve checked that AD recyclebin is disabled, and after 6 days still  we have that problem machine account in CN=deleted, help people!?

• Can you post the output of

  adfind -b “CN=Deleted Objects,DC=yourdomain,DC=com” -f “(objectClass=computer)” -showdel sAMAccountName

  and

  adfind -b “DC=yourdomain,DC=com” -f “&(objectCategory=computer)(sAMAccountName=computer_name)”

  where computer_name is the name of the computer in question?

  hth
  Marcin

• dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……

• Post the output of

  adfind -sc policies

  hth
  Marcin

• dn:CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com
  >tombstoneLifetime: 3
  >sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicato
  r,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,m
  essenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasm
  an,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dco
  m,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
  iisadmin,msdtc
  >msDS-Other-Settings: DisableVLVSupport=0
  >msDS-Other-Settings: DynamicObjectMinTTL=900
  >msDS-Other-Settings: DynamicObjectDefaultTTL=86400

  dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
  CN=Services,CN=Configuration,DC=mydomain,DC=com
  >lDAPAdminLimits: MaxValRange=1500
  >lDAPAdminLimits: MaxReceiveBuffer=10485760
  >lDAPAdminLimits: MaxDatagramRecv=4096
  >lDAPAdminLimits: MaxPoolThreads=4
  >lDAPAdminLimits: MaxResultSetSize=262144
  >lDAPAdminLimits: MaxTempTableSize=10000
  >lDAPAdminLimits: MaxQueryDuration=120
  >lDAPAdminLimits: MaxPageSize=1000
  >lDAPAdminLimits: MaxNotificationPerConn=5
  >lDAPAdminLimits: MaxActiveQueries=20
  >lDAPAdminLimits: MaxConnIdleTime=900
  >lDAPAdminLimits: InitRecvTimeout=120
  >lDAPAdminLimits: MaxConnections=5000

  2 Objects returned

• • Proposed as answer by
    Sandesh Dubey
    Tuesday, October 23, 2012 3:42 PM
  • Unproposed as answer by
    Gvintik
    Monday, October 29, 2012 8:56 AM

• In addition you can also restore the deleted object if it is listed by following the below KB:http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx and once the
  computer object is avaialble in AD.Right click on it and reset the computer object and try to add the PC to domain.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• Let’s try the following:

  — configure the other domain controller as a Global Catalog — this should be the case in a single-domain forest

  — force the garbage collection by following
  http://blogs.technet.com/b/ad/archive/2009/03/24/taking-out-the-trash.aspx

  Check the list of deleted objects again afterwards.

  If this does not provide the resolution, restore the tombstone of one of the deleted computers (follow
  http://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx ), rename it , and delete it

  hth
  Marcin

  i`ve tried all of that except, configuring other Dc as GC, i ve found an article
  http://technet.microsoft.com/en-us/library/cc737269(v=ws.10).aspx it says that nothing would happen if two DC`s will be GC`s, but it vad not been written that this article
  aplies to win2008r2 only to earliests OS`s, so i`m affraid if something wrong will happen if i will promote another DC to GC, or i`m wrong??!

  I couldn`t force garbage collection, but i`ve enabled log as you said, and it seems to be no trouble with it….

  about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries»

  The same thing is about the article that Sandesh Dubey had linked «http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx»
  if i am not wrong, i should go to Configuration in tree of ldp and then to the Deleted Objects, but it says that there is no children.

  Please people be patience with me, i really am need your help!

• Let’s try the following:

  — configure the other domain controller as a Global Catalog — this should be the case in a single-domain forest

  — force the garbage collection by following http://blogs.technet.com/b/ad/archive/2009/03/24/taking-out-the-trash.aspx

  Check the list of deleted objects again afterwards.

  If this does not provide the resolution, restore the tombstone of one of the deleted computers (followhttp://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx ),
  rename it , and delete it

  hth
  Marcin

  i`ve tried all of that except, configuring other Dc as GC, i ve found an article http://technet.microsoft.com/en-us/library/cc737269(v=ws.10).aspx it
  says that nothing would happen if two DC`s will be GC`s, but it vad not been written that this article aplies to win2008r2 only to earliests OS`s, so i`m affraid if something wrong will happen if i will promote another DC to GC, or i`m wrong??!

  I couldn`t force garbage collection, but i`ve enabled log as you said, and it seems to be no trouble with it….

  about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries»

  The same thing is about the article that Sandesh Dubey had linked «http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx»
  if i am not wrong, i should go to Configuration in tree of ldp and then to the Deleted Objects, but it says that there is no children.

  Please people be patience with me, i really am need your help!

• You can use below ADrestore tool and restore the Computer object in question.http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx

  Once done right click the computer object and reset.Once done try to join the worksation with same computer name.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• I’m missing something here — first you were stating that you are seeing an object with the same sAMAccountName

  ‘dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……’

  and now you apparently can not find them

  ‘about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries’

  Which one is it?

  hth
  Marcin

• I’m missing something here — first you were stating that you are seeing an object with the same sAMAccountName

  ‘dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……’

  and now you apparently can not find them

  ‘about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries’

  Which one is it?

  hth
  Marcin

  dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  this output is from adfind utility, and i can`t find them throw ldp.exe, the problem is still in, that i can`t use names of the computers in those output list, and one of the things people suggested me to do, to solve my problem, was restoring tombstone,
  which i was unable to do…

  Did i answer your quation?

• If you can find the deleted objects using adfind, then try restoring them using admod (also from joeware.net)

  adfind -default -f «&(name=computer_name*)» -showdel -dsq |admod -undel

  hth
  Marcin

• As suggested earlier have you tried below link to restore the computer object:You can use below ADrestore tool and restore the Computer object in question.

  http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx. and once the computer object is avaialble in AD.Right click on it and reset the computer object and try to add the PC to domain.

  Also i would recommend to check the Directory service event log are you getting any errors and warning related to AD database.Please post the error if any.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• AdrestoreNeT «can`t find anything to restore», but throw adrestore(cmd utility) «adrestore -r computername» it says that operation is successful, «adfind
  -default -f «&(name=computer_name*)»
  -showdel -dsq |admod -undel», throw this command i also get

  «DN Count: 0

  No object DNs to update.

  The command completed successfully.«

  , but still i can`t find this computer name entry in aduc….

  • Edited by
    Gvintik
    Monday, November 5, 2012 1:59 PM

• You stated earlier that you were getting the following output of adfind:

  dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Is this still the case?

  If not, then apparently the deleted entries already have been scavenged.

  If yes, then admod should process those entries (i.e. the count should be larger than 0)

  hth
  Marcin

• Yes it is still the case.

  How can i do this via admod?

• Pipe the output of adfind to admod with the -undel switch, followed by the OU where the computer accounts should be undeleted to — e.g.

  adfind -default -f «&(name=compa*)» -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net

  as per http://www.joeware.net/freetools/tools/admod/usage.htm

  hth
  Marcin

• Pipe the output of adfind to admod with the -undel switch, followed by the OU where the computer accounts should be undeleted to — e.g.

  adfind -default -f «&(name=compa*)» -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net

  as per http://www.joeware.net/freetools/tools/admod/usage.htm

  hth
  Marcin

  Here s an output of that command 

  «AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

  DN Count: 0

  No object DNs to update.

  The command completed successfully.»

  If I `ve unerstood correctly it took no effect?

  • Edited by
    Gvintik
    Thursday, November 8, 2012 7:06 AM
    grama mistake
  • Proposed as answer by
    nonlinearly
    Sunday, September 8, 2013 4:01 PM

• All these for a simple pc substitution? Pure Microsoft.. what a shame…

• This worked perfectly!  Thanks!

• Hello
  Try running the command line on the domain controllers and run the command:

  setspn -L «your_domain_controler_name»

  Do this for every domain controller you own. Check if there are no entries in the responses to the server name that you no longer have. If the setspn -L command shows some entry for a server that you do not already have, delete this entry with the setspn -D
  command «entry name» «domain_controller_name». Wait for the data to be replicated between the controllers. Try to change the server name.

• it’s 2018 and this is still happening??

  anyway, i had the same problem and found out the offending computer using:

  adfind -h dc01 -gc -b «DC=ACME,DC=com» -f «&(objectCategory=computer)(sAMAccountName=bugs$)»

  LO and BEHOLD! there is a computer named «bbugs» which for reasons i can’t explain is being considered a duplicate when i rename a computer to «bugs»!!!????

  god save us.

  • Proposed as answer by
    Reno Mardo
    Wednesday, March 28, 2018 9:59 AM

All replies

• Hello,

  it seems that replication is not done between the DCs when you try to use the same name, so give it some time for replication, especially if they are on different sites.

  Also check that all records from DNS zones are removed from the machines.

  Are the machines created from images/clones that are not prepared with sysprep?

  ---

  Best regards

  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP — Directory Services
  My Blog: http://msmvps.com/blogs/mweber/

  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• You can reset the computer account in AD i.e in ADUC right click on computer object and select reset or delete the computer object from AD and force the replication between DC and then try the same.Also you need to check the duplicate record in DNS if
  any and delete the same before you proceed joining the PC to domain.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  • Proposed as answer by

    Wednesday, April 8, 2015 1:49 AM

• Hi,

  When you remove old computer account from AD make sure that the change is replicated to another DC. Before renaming DC, ensure that replaced DC entries are not present in DNS and ADSEDIT.

  ---

  Best regards,

  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees and confers no rights.

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have
  an error message «Can`t rename, computer account is already exists» where else should we remove it????????

  When computer is disjoint from the domain or member system is crashed its computer object still exists in the AD in the disabled state & it is only deleted at the later point. Also, its host records & pointer records exists in the DNS. Without cleaning
  those reference, you can’t rename a new system to the old one. If you still attempt it then the secure channel will be broken along with duplicate SPN issue might occur.

  You need to delete the computer object from the AD & records from the DNS, wait at least one replication cycle to be completed for the changes to be reflected to any other DC before you can reuse the name.

  ---

  Awinish Vishwakarma — MVP

  
  

  My Blog: awinish.wordpress.com

  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• Look i`ve cheked in on both DC`s dsa.msc, dasiedit.msc, and in the DNS records too, there were no those computers, so maybe someone Knew if there is a way maybe in powershell to make search in ldap of those machines accounts??????

• How is the machine prepared clean OS install or prepared by clone or imaging without sysprep?
  The Machine SID Duplication Myth (and Why Sysprep Matters)
  http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• We are using WDS server, with prepered images(with sysprep of course), so you think, i should check out for dublicated SIDS?

  Sandesh if you would be on my place how would you do that?

  • Edited by
    Gvintik
    Thursday, October 4, 2012 10:04 AM

• • Proposed as answer by
    Yan Li_
    Monday, October 8, 2012 7:38 AM
  • Unproposed as answer by
    Gvintik
    Monday, October 8, 2012 9:04 AM

• Sandesh ive got the list by this command Get-ADComputer -Filter {Name -like «*»} | Select Name,SID | Format-Table -Auto

  But there are no matches in this list, if i understood correctly one of my computers have SID that matches with name that i need, but some how it has another name, so how could i figure that?????

• Try to connect the dsa.msc to both DC´s and check if the Computer account is deleted on both. You can change the connection point in this menu 

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

  Just to add about replication, is if you have multiple Sites and the console or DC you are connecting to is in another Site, and the replicaiton frequency is at the default 180 min (3 hours), you will need to wait for replication to occur. Evenif you were
  to right-click a connection object and choose replicate now, it will still wait until the next schedule. I’ve seen this in larger environments with multiple DCs and Sites, and this includes making changes to GPOs, since no matter what DC you’re connected to
  working on a GPO, it’s really talking to the PDC Emulator (which can be changed), and the PDC may be in another Site, and the GPO hasn’t replicated yet.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  
  
  

• Try to connect the dsa.msc to both DC´s and check if the Computer account is deleted on both. You can change the connection point in this menu 

  Yes, i `ve done that, read carefully Thread  please

• Replication is doing fine…. as shows repadmin /showrepl, and i gave it more than enough time, because i`he cheked
  it after a few days…

  Ive checked DNS, there was no those machines.

  Maybe they were prepered with sysprep, i don`t realy remember, How that could cause a problem?

  Just to add about replication, is if you have multiple Sites and the console or DC you are connecting to is in another Site, and the replicaiton frequency is at the default 180 min (3 hours), you will need to wait for replication to occur. Evenif you were
  to right-click a connection object and choose replicate now, it will still wait until the next schedule. I’ve seen this in larger environments with multiple DCs and Sites, and this includes making changes to GPOs, since no matter what DC you’re connected to
  working on a GPO, it’s really talking to the PDC Emulator (which can be changed), and the PDC may be in another Site, and the GPO hasn’t replicated yet.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  

  We set replication on every 15 min, and i `ve waited for a few days still no luck! so if your advice is to wait, we `have already tried that!

• At this point of time I would recommend to check the health of DC and run dcdiag /q and repadmin /replsum and post the log with IPconfig /all details of DC and problematic computer.I would also recommend to connect to ADSIedit and check does the computer
  object name exist and delete the same if any.Also try searching the computer object form ADUC.Click on Root domain name(example.com) and perfrom the search computer search it may be the case it may be in some other OU.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• Sandesh i`ll post all that you listed a little bit later, but the thing is that there is no problem computer, there is problem machine name, because i can`t name any machine with this name!

• So here is repadmin /replsum on GC
   GC                    10m:30s    0 /   5    0
   DC                    10m:42s    0 /   5    0
   GC                     10m:42s    0 /   5    0
   DC                     10m:26s    0 /   5    0

  And the same on the DC

   GC                     12m:36s    0 /   5    0
   DC                     12m:48s    0 /   5    0
   GC                     12m:53s    0 /   5    0
   DC                     12m:38s    0 /   5    0

  dcdiag /q showed nothing(errors i mean)

  I`ve already said that i there s no machine with problem name in ADUC(i`ve looked there with search) and adsiedit

  And tell me why do you need ipconfig /all? because there`s nothing wrong with connectivity! i`m very sure about that!

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have
  an error message «Can`t rename, computer account is already exists» where else should we remove it????????

  Are you using WINS? If the name is still registered, it may cause it.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  
  
  

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  Yes, on the other machine, we have the same message, and we`ve found out that the entry of the computer is in OU=Deleted, how can we delete it from there, i know that we can reanimate deleted object form AD recycle bin, but how could delete it from there?!

• We have domain on 2 DC`s(1 is GC and the 2nd is DC(Server 2008r2 ent)), Sometimes we need to replace old computers to the new ones. But they have to to be named like the old ones. So sometimes after removing old comuter from the AD, we still have an error
  message «Can`t rename, computer account is already exists» where else should we remove it????????

  Are you using WINS? If the name is still registered, it may cause it.

  ---

  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP — Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

  This post is provided AS-IS with no warranties or guarantees and confers no rights.

  

  We have no WINS

• The log you posted indicates that there is no replication issue between the DC’s.Can you try assigning the same computername to other host machince and check are you recieving the same error message?

  ---

  Best Regards,

  Sandesh Dubey.

  Yes, on the other machine, we have the same message, and we`ve found out that the entry of the computer is in OU=Deleted, how can we delete it from there, i know that we can reanimate deleted object form AD recycle bin, but how could delete it from there?!

  Deleting Objects from Active Directory Using Ldp.exe
  http://support.microsoft.com/kb/244344

  Also once the object are deleted it is mark for deletion for later time.It is not recommend to delete the deleted container object directly instead you can view the deleted container and you see any conflicting object this could be due to lingering object.
  http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
  http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• I`ve changed the tomblifetime to it`s min value(3 days), so i am waiting for result…. 

• I`ve checked tombstonelifetime is 3, and i`ve checked that AD recyclebin is disabled, and after 6 days still  we have that problem machine account in CN=deleted, help people!?

• Can you post the output of

  adfind -b “CN=Deleted Objects,DC=yourdomain,DC=com” -f “(objectClass=computer)” -showdel sAMAccountName

  and

  adfind -b “DC=yourdomain,DC=com” -f “&(objectCategory=computer)(sAMAccountName=computer_name)”

  where computer_name is the name of the computer in question?

  hth
  Marcin

• dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……

• Post the output of

  adfind -sc policies

  hth
  Marcin

• dn:CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com
  >tombstoneLifetime: 3
  >sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicato
  r,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,m
  essenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasm
  an,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dco
  m,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
  iisadmin,msdtc
  >msDS-Other-Settings: DisableVLVSupport=0
  >msDS-Other-Settings: DynamicObjectMinTTL=900
  >msDS-Other-Settings: DynamicObjectDefaultTTL=86400

  dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
  CN=Services,CN=Configuration,DC=mydomain,DC=com
  >lDAPAdminLimits: MaxValRange=1500
  >lDAPAdminLimits: MaxReceiveBuffer=10485760
  >lDAPAdminLimits: MaxDatagramRecv=4096
  >lDAPAdminLimits: MaxPoolThreads=4
  >lDAPAdminLimits: MaxResultSetSize=262144
  >lDAPAdminLimits: MaxTempTableSize=10000
  >lDAPAdminLimits: MaxQueryDuration=120
  >lDAPAdminLimits: MaxPageSize=1000
  >lDAPAdminLimits: MaxNotificationPerConn=5
  >lDAPAdminLimits: MaxActiveQueries=20
  >lDAPAdminLimits: MaxConnIdleTime=900
  >lDAPAdminLimits: InitRecvTimeout=120
  >lDAPAdminLimits: MaxConnections=5000

  2 Objects returned

• • Proposed as answer by
    Sandesh Dubey
    Tuesday, October 23, 2012 3:42 PM
  • Unproposed as answer by
    Gvintik
    Monday, October 29, 2012 8:56 AM

• In addition you can also restore the deleted object if it is listed by following the below KB:http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx and once the
  computer object is avaialble in AD.Right click on it and reset the computer object and try to add the PC to domain.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• Let’s try the following:

  — configure the other domain controller as a Global Catalog — this should be the case in a single-domain forest

  — force the garbage collection by following
  http://blogs.technet.com/b/ad/archive/2009/03/24/taking-out-the-trash.aspx

  Check the list of deleted objects again afterwards.

  If this does not provide the resolution, restore the tombstone of one of the deleted computers (follow
  http://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx ), rename it , and delete it

  hth
  Marcin

  i`ve tried all of that except, configuring other Dc as GC, i ve found an article
  http://technet.microsoft.com/en-us/library/cc737269(v=ws.10).aspx it says that nothing would happen if two DC`s will be GC`s, but it vad not been written that this article
  aplies to win2008r2 only to earliests OS`s, so i`m affraid if something wrong will happen if i will promote another DC to GC, or i`m wrong??!

  I couldn`t force garbage collection, but i`ve enabled log as you said, and it seems to be no trouble with it….

  about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries»

  The same thing is about the article that Sandesh Dubey had linked «http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx»
  if i am not wrong, i should go to Configuration in tree of ldp and then to the Deleted Objects, but it says that there is no children.

  Please people be patience with me, i really am need your help!

• Let’s try the following:

  — configure the other domain controller as a Global Catalog — this should be the case in a single-domain forest

  — force the garbage collection by following http://blogs.technet.com/b/ad/archive/2009/03/24/taking-out-the-trash.aspx

  Check the list of deleted objects again afterwards.

  If this does not provide the resolution, restore the tombstone of one of the deleted computers (followhttp://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx ),
  rename it , and delete it

  hth
  Marcin

  i`ve tried all of that except, configuring other Dc as GC, i ve found an article http://technet.microsoft.com/en-us/library/cc737269(v=ws.10).aspx it
  says that nothing would happen if two DC`s will be GC`s, but it vad not been written that this article aplies to win2008r2 only to earliests OS`s, so i`m affraid if something wrong will happen if i will promote another DC to GC, or i`m wrong??!

  I couldn`t force garbage collection, but i`ve enabled log as you said, and it seems to be no trouble with it….

  about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries»

  The same thing is about the article that Sandesh Dubey had linked «http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx»
  if i am not wrong, i should go to Configuration in tree of ldp and then to the Deleted Objects, but it says that there is no children.

  Please people be patience with me, i really am need your help!

• You can use below ADrestore tool and restore the Computer object in question.http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx

  Once done right click the computer object and reset.Once done try to join the worksation with same computer name.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• I’m missing something here — first you were stating that you are seeing an object with the same sAMAccountName

  ‘dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……’

  and now you apparently can not find them

  ‘about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries’

  Which one is it?

  hth
  Marcin

• I’m missing something here — first you were stating that you are seeing an object with the same sAMAccountName

  ‘dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Here is an output, with all computer names in output list of that command, we have that kind of problem……’

  and now you apparently can not find them

  ‘about the restoring tombstone…. i ve stuck on the step when i should search the deleted object, because search result «getting 0 entries’

  Which one is it?

  hth
  Marcin

  dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  this output is from adfind utility, and i can`t find them throw ldp.exe, the problem is still in, that i can`t use names of the computers in those output list, and one of the things people suggested me to do, to solve my problem, was restoring tombstone,
  which i was unable to do…

  Did i answer your quation?

• If you can find the deleted objects using adfind, then try restoring them using admod (also from joeware.net)

  adfind -default -f «&(name=computer_name*)» -showdel -dsq |admod -undel

  hth
  Marcin

• As suggested earlier have you tried below link to restore the computer object:You can use below ADrestore tool and restore the Computer object in question.

  http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx. and once the computer object is avaialble in AD.Right click on it and reset the computer object and try to add the PC to domain.

  Also i would recommend to check the Directory service event log are you getting any errors and warning related to AD database.Please post the error if any.

  ---

  Best Regards,

  Sandesh Dubey.

  MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator |
  My Blog

  Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

• AdrestoreNeT «can`t find anything to restore», but throw adrestore(cmd utility) «adrestore -r computername» it says that operation is successful, «adfind
  -default -f «&(name=computer_name*)»
  -showdel -dsq |admod -undel», throw this command i also get

  «DN Count: 0

  No object DNs to update.

  The command completed successfully.«

  , but still i can`t find this computer name entry in aduc….

  • Edited by
    Gvintik
    Monday, November 5, 2012 1:59 PM

• You stated earlier that you were getting the following output of adfind:

  dn:CN=ComputerNameADEL:a642cb8a-ac1d-4bdc-b6cc-dcec7f7bfaab,CN=Deleted Objects,DC=boris,DC=ua
  >sAMAccountName: ComputerName$

  Is this still the case?

  If not, then apparently the deleted entries already have been scavenged.

  If yes, then admod should process those entries (i.e. the count should be larger than 0)

  hth
  Marcin

• Yes it is still the case.

  How can i do this via admod?

• Pipe the output of adfind to admod with the -undel switch, followed by the OU where the computer accounts should be undeleted to — e.g.

  adfind -default -f «&(name=compa*)» -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net

  as per http://www.joeware.net/freetools/tools/admod/usage.htm

  hth
  Marcin

• Pipe the output of adfind to admod with the -undel switch, followed by the OU where the computer accounts should be undeleted to — e.g.

  adfind -default -f «&(name=compa*)» -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net

  as per http://www.joeware.net/freetools/tools/admod/usage.htm

  hth
  Marcin

  Here s an output of that command 

  «AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

  DN Count: 0

  No object DNs to update.

  The command completed successfully.»

  If I `ve unerstood correctly it took no effect?

  • Edited by
    Gvintik
    Thursday, November 8, 2012 7:06 AM
    grama mistake
  • Proposed as answer by
    nonlinearly
    Sunday, September 8, 2013 4:01 PM

• All these for a simple pc substitution? Pure Microsoft.. what a shame…

• This worked perfectly!  Thanks!

• Hello
  Try running the command line on the domain controllers and run the command:

  setspn -L «your_domain_controler_name»

  Do this for every domain controller you own. Check if there are no entries in the responses to the server name that you no longer have. If the setspn -L command shows some entry for a server that you do not already have, delete this entry with the setspn -D
  command «entry name» «domain_controller_name». Wait for the data to be replicated between the controllers. Try to change the server name.

• it’s 2018 and this is still happening??

  anyway, i had the same problem and found out the offending computer using:

  adfind -h dc01 -gc -b «DC=ACME,DC=com» -f «&(objectCategory=computer)(sAMAccountName=bugs$)»

  LO and BEHOLD! there is a computer named «bbugs» which for reasons i can’t explain is being considered a duplicate when i rename a computer to «bugs»!!!????

  god save us.

  • Proposed as answer by
    Reno Mardo
    Wednesday, March 28, 2018 9:59 AM