After updating the Windows image, the domain trust relationship is broken on all machines affected by the image until it is reinstalled

So I updated the Windows image, along with a couple of programs and settings, issuing the usual PowerShell commands beforehand, such as defprof global-admin, then Reset-ComputerMachinePassword -Credential global-admin, then restarting with Linbo and creating an image. Since then, however, the domain trust connection has been lost on all machines except the original machine that had this image. Is this normal behavior? Leaving and rejoining the domain and the Reset-ComputerMachinePassword -Credential global-admin command do not help. Is there anything you can do other than reinstalling on all machines?

Edit:
I have a suspicion that I’m not fully aware of how to create a Windows image using defprof global-admin settings. If I create the image before entering the domain, then there is no problem with a clean line, since each machine will still enter the domain anew and a new SID is created for each client, so there will be no domain trust problem either. Only then the default global-admin profile will not be valid; I have to enter the domain and set everything I want, then I have to go back to the local admin account, run defprof global-admin and Reset-ComputerMachinePassword -Credential global-admin as described, but the latter will break the trust on all clients already in the domain until I clone the image again. Question: is it possible to create an image in such a way that the trust relationship is preserved, but the default profile settings of global-admin are already in effect? If I set up the global-admin profile, then leave the domain, put it back in, but don’t reboot the machine yet and create the image at that moment, would that work? Or, since the client is not in the domain yet at that point, will the defprof global-admin not work either?

I can’t answer your question, but I’d like to outline what it’s like in Linux (I only do Linux clients):

  • for the first domain join, you need to invoke ‘sudo linuxmuster-linuxclient7 setup’
  • if you do that again later, every client with that image needs to be re-synced, just as you described
  • if you want to change something later, you don’t invoke ‘sudo linuxmuster-linuxclient7 setup’ again, but ‘sudo linuxmuster-linuxclient7 prepare-image -y’
  • you’re basically looking for the Windows equivalent of the prepare-image step without re-joining the domain

I have taken a look at the Windows client documentation, but oh boy, that’s complex; I didn’t find the step you need, sorry!

Thanks, yes, Linux clients are much easier to set up (I have no problem with that), and even after an image upgrade, the domain connection of clients that have not yet been upgraded is not lost (and synchronization and reinstallation are also much faster). In fact, as long as Linbo GRUB, which synchronizes, is not running, you can still log into the domain with the Windows client based on the old image, so synchronization is probably one of the keys here, but I’ll have to test that if I don’t get an answer here, because reinstalling over 100 Windows clients is a bit time-consuming if they all lose their domain connection at once. :sweat_smile:
This reminds me: is it possible to set up Linbo so that a Linbo client seeds the image torrent even when it is not reinstalling?

I am not the best to answer, but since most people are on vacation I’ll try :slight_smile:

The way I understood it… the creation of the very first Windows image is special, with the domain join and the Linbo boot thereafter. I think Linbo extracts the machine password from that first domain join or something like that and inserts it again when syncing.
So doing a new domain join into the image is not what you want, since you create a new machine password then…

So your misunderstanding was that you have to do the Reset-ComputerMachinePassword every time you update your image. That’s wrong. You only need to do it if you run into a problem with your clients and they lose trust and you want to re-establish the trust again.
So the good news is… updating images is much easier than you thought. The bad news is… your PCs all lost trust, since Linbo will set the machine password to the new password you reset…
I am not sure, but maybe you can find a backup of your old image in the Linbo directory somewhere on the server? /srv/linbo…

Hmm, how can you tackle this problem now… since you don’t want to resync your 100 computers… but hey, you wanted to update the programs and wanted to sync them anyway, right? Maybe deactivate Linbo and do it step by step?

Thanks, fortunately, I haven’t had to do this on 100+ machines yet, but that’s about how many machines will be affected by the main EFI Win 11 image. Anyway, when creating the image, the irritating Windows EFI and the various EFI implementations of the motherboards cause the most headaches. Older boards don’t usually have this problem, as they don’t allow Windows to override the EFI boot order, but some newer ones always write themselves in first, and in some cases delete all other entries as well. There have even been cases where they physically deleted Linbo GRUB, not just the boot entry. In some cases, the forcegrub noefibootmgr kernel parameter helps, and in others, if the BIOS allows it, a boot order lock. Where neither of these work, but there is CSM, I also did a Win 11 MBR installation (the trick is to reserve all 4 possible primary partitions so that it cannot create new ones, which then cannot be cloned, and you have to upgrade from Win 10 to 11).
So, returning to the topic after the Windows EFI “experience report”: fortunately, only about a dozen machines still had the mentioned image, so no major tragedy has occurred yet, but it’s better that this has come to light now. So you’re saying that in the case of an image update, there’s no need to issue the Reset-ComputerMachinePassword -Credential global-admin command? Then the connection will not be lost even on machines with an image that has not yet been updated (and then you don’t have to suddenly reinstall all of them at once)? Previously, I had a problem with this, because when I created an image that had already been joined to the domain without issuing it, it didn’t work, so I’ll have to test it to see exactly how it works…
As for Linbo client torrent seeding, so that it doesn’t only seed during download/reinstallation (but also if I just boot the client into Linbo for that purpose): do you have any ideas? It could significantly speed up installations.

Hi Fenyo,

yes: when you update Windows, you don’t have to do any extra steps.
Log in as local admin, install/upgrade programs, upgrade Windows (although I don’t know why one should do this: usually it brings problems and no benefit), then clean up (look in the wiki, there are hints on how to properly clean up in Win 10… should apply for Win 11 too) and create the new image.
Yours
Holger
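A check that can be run on a single client before deciding whether it needs re-imaging, added here as an example (it is not code from the thread or from the linuxmuster project). It assumes a domain account such as the global-admin mentioned above is available for the optional repair, and that NETLOGON error events in the System log are a usable symptom of lost trust:

```powershell
# Added example, not from the thread. Reports whether this client's secure
# channel to the domain is intact, so a client that lost trust can be
# identified without reinstalling it. Repair is deliberately opt-in.
param(
    [switch]$Repair,
    [pscredential]$Credential   # e.g. (Get-Credential global-admin); account name as used in the thread
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Test-ComputerSecureChannel returns $true/$false; an exception (e.g. no
# domain controller reachable) is reported as a warning and counted as $false.
$channelOk = $false
try {
    $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}

# Recent NETLOGON errors (e.g. 3210 'could not authenticate with DC') back up
# the result when the test itself cannot run.
$netlogonErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2
    StartTime = (Get-Date).AddDays(-7)
} -MaxEvents 5 -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Domain          = $cs.Domain
    PartOfDomain    = $cs.PartOfDomain
    SecureChannelOK = $channelOk
    NetlogonErrors  = @($netlogonErrors).Count
}

if (-not $channelOk -and $Repair) {
    if (-not $Credential) {
        $Credential = Get-Credential -Message 'Domain account allowed to reset the machine account password'
    }
    # -Repair sets a new machine account password, just like
    # Reset-ComputerMachinePassword does. Any other client still running the
    # old clone of this image therefore loses trust afterwards, so run this on
    # one client only and create the new image from that client.
    Test-ComputerSecureChannel -Repair -Credential $Credential -Verbose
}
```

Run it without -Repair on a handful of clients first; a $false SecureChannelOK together with NETLOGON errors is the pattern the thread describes after the password reset.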

Thank you very much, the system is already working productively :ok_hand:, so I will try it out on a hardware class and image created for this purpose.
Now I am trying to bring the WiFi to life with Linbo in a smaller, separate place where we would like to use it. I am following the description, but the hardware is not getting an IP address from the WiFi at all. I am using the latest Linbo (4.2.16) for lmn 7.2. The Wi-Fi card does not need firmware because it is supported in the kernel (ath9k; I will unplug the LAN and try to request an IP address through the WiFi as well). I edited the wpa_supplicant.conf file, then updated linbofs, edited the hardware class dhcpretry_wifi= to prioritize Wi-Fi, and added the Wi-Fi card’s MAC address to the client in devices.conf. What did I overlook? Maybe I should restart the Linbo service itself?
EDIT: I wrote wpa_supplicant.conf with a hyphen instead of an underscore. Now that it’s written correctly, Linbo works with WiFi, although dhcpretry_wifi still tries the LAN first, and if I give the client a different hostname for the WiFi card, the domain trust connection still doesn’t work, so I had to change the MAC address of the original LAN card hostname to the WiFi card’s MAC address, otherwise it doesn’t work…

Thanks, Fenyő