This is just a general observation as this topic comes up every so often.
Funny that people bring up this blog post when dealing with or talking about “duplicate SIDs”. Especially in a forum that deals with WSUS. Seems to me that most of these people are just repeating what someone else has said and have never read the whole blog post. If they did, and remembered what they read, they would have seen this from Mark.

"Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft's support policy will still require cloned systems to be made unique with Sysprep."

In fact, he mentions it twice in the post. So I guess it must be important. :)

Our 2012 R2 Standard images have been sysprepped and I haven’t seen this issue with those images.

Art DeKneef
Avanti Computers
Mesa, AZ

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, August 5, 2015 9:02 AM
To: [email protected]
Subject: Re: [NTSysADM] Fwd: Win 2012 client registration problems to WSUS v3 Win 2008 server

On Wed, Aug 5, 2015 at 11:47 AM, Webster <[email protected]> wrote:

I am new to building and maintaining ESXi in my lab (ESXi 6.0.0b) but I never got the sysprep part of the VMware stuff to work for Win81 or Server 2012+ (haven't tried Win10 yet). I learned to manually run sysprep instead.

Mark Russinovich says it isn't necessary to generate a new SID ..

http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

if anyone would know, you'd think it would be him. Or Mark Minasi, maybe.

About sysprepping, tho - when I create a new VM from a template, I do see it apply sysprep. You can tell - you power it up for the first time, wait 1 minute, it will automatically reboot, saying "Applying image customizations". I haven't needed to run sysprep on 2012 manually. And only now have I had to delete the SUS client ID manually.
Specifically, these 2 keys:

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f

These 2:

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f

came back and said "Unable to find the specified key". This was on Win2012 R2.

Webster

_____

From: [email protected] on behalf of Michael Leone <[email protected]>
Sent: Wednesday, August 5, 2015 10:33 AM
To: [email protected]
Subject: Re: [NTSysADM] Fwd: Win 2012 client registration problems to WSUS v3 Win 2008 server

They are VMs, created from a VMware Template. It runs sysprep as part of the creation process, yes (or is supposed to, maybe the sysprepping isn't working for Win2012).

On Wed, Aug 5, 2015 at 10:55 AM, Andrew S. Baker <[email protected]> wrote:

Were these boxes cloned from one another?

http://blogs.technet.com/b/csstwplatform/archive/2012/05/28/wsus-script-to-delete-duplicate-sid-created-by-disk-imaging-disk-cloning.aspx

That was it, yes. The first 2 deletes failed, saying key doesn't exist, but the 3rd one passed, and doing a "resetauthorization" and "detectnow" did work, and all showed up properly. Not sure what is different in my Win2012 template as opposed to my Win2008 template (only the Win2012 VMs showed a problem, not the Win2008 VMs), but I can dig into that, and make it a point to run this script as part of the rollout process.
Thanks

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…

On Wed, Aug 5, 2015 at 10:35 AM, Michael Leone <[email protected]> wrote:

I have a WSUS v3.2.7600.226 server, running on Win 2008 R2. It has 150+ clients, including some Win 2012 R2 clients. All has been working fine for a few years. Now I am seeing an odd problem.

Yesterday I created 2 new Win 2012 R2 clients, and Group Policy set them to use the WSUS server, as usual. But the odd thing: Only 1 client at a time shows up, they both won't show at the same time.

Here's what I mean: 2 clients, SERVER8 and SERVER9. Neither was showing up in the "All Computers" group, so I went to each, restarted the BITS and Windows Update service, and issued a "wuauclt /resetauthorization /detectnow". This is what I usually do for Win 2008 R2 clients, who are having problems communicating with the WSUS server.

So I did that on SERVER8, and it then showed up in WSUS. I then did the same on SERVER9. Oddly, SERVER8 then disappeared from WSUS, and SERVER9 showed up. It's like I can have one or the other, but not both at the same time. :-)

DNS is correct, each shows the proper IP address (when it does show up). I see nothing in the Windows Event Logs of the WSUS server. I don't see any errors in the WindowsUpdate.log file of the server. And I see no errors in that file on the clients - in fact, I see things like "4 updates detected", but nothing after to indicate why it's dropping off the list.

Ideas? Where to go next?
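
The check and cleanup discussed in this thread, as an added PowerShell example that is not part of the original messages: the first function reads SusClientId from a list of hosts and reports any value shared by more than one machine, and the second removes the cloned values, restarts the services and re-registers the client. The function names are hypothetical, PowerShell remoting is assumed to be enabled on the clients, and the registry values and wuauclt switches are the ones quoted in the thread.

```powershell
# Added example; function names are hypothetical, not from the thread.
$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-DuplicateSusClientId {
    # Read SusClientId from each host and return only IDs held by 2+ machines.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $key = $WuKey
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:key -ErrorAction SilentlyContinue
        [pscustomobject]@{ SusClientId = $p.SusClientId }
    } |
        Where-Object SusClientId |
        Group-Object SusClientId |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = $_.Group.PSComputerName -join ', '
            }
        }
}

function Reset-SusClientId {
    # Run elevated on each affected clone.
    [CmdletBinding()]
    param()
    $values = 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid'
    Stop-Service -Name wuauserv, BITS -Force
    foreach ($name in $values) {
        # Some values can be absent (the thread saw "Unable to find the
        # specified key"), so test before deleting instead of failing.
        if (Get-ItemProperty -Path $WuKey -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $WuKey -Name $name
            Write-Verbose "Removed $name"
        }
    }
    Start-Service -Name BITS, wuauserv
    # Same re-registration command used in the thread.
    & wuauclt.exe /resetauthorization /detectnow
}

# Usage with the host names from the original post:
#   Get-DuplicateSusClientId -ComputerName SERVER8, SERVER9
#   Reset-SusClientId -Verbose    # on each machine reported above
```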
