.msi packages reinstall after placed back on Domain
I've taken a computer that will be used as the master template for an image, added it to the Domain, let all of the .msi packages that are assigned load up on the machine (to cut down on the amount of .msi's that need to be loaded after the image is cast at remote locations, due to bandwidth limitations), removed it from the Domain, Sysprepped it, then gathered an image from it.
The image is fine, the newly imaged machines added to the Domain --- here's where my question lies --- when the freshly imaged computers are rebooted the first time after being added to the Domain, it goes out and checks the Group policy settings and then proceeds to reinstall all of the .msi packages assigned to the GPO, but which are already on the machine. Why is that?
I understand that the GPO checks the registry to see if the computer needs an assigned package or not when applying the GPO. If the package is already present, it moves on. If not, it will install. But why then when the .msi package is already on the machine from the image will it reinstall everything the first time? Is it because it's been removed from the Domain and added back? If so, the registry entries with the path to the source .msi and the package code should still be there, AND I have not changed the location of the source, path, names, etc. -- nothing.
Like I said, the main purposes behind loading up the image with the assigned .msi's is so that they don't have to install over the WAN when a new machine is placed at a remote site. But if upon adding the PC to the Domain for the first time is going to reinstall everything, then it's a moot point. Any workarounds? Fixes? Tips? Thanks in advance.
The image is fine, the newly imaged machines added to the Domain --- here's where my question lies --- when the freshly imaged computers are rebooted the first time after being added to the Domain, it goes out and checks the Group policy settings and then proceeds to reinstall all of the .msi packages assigned to the GPO, but which are already on the machine. Why is that?
I understand that the GPO checks the registry to see if the computer needs an assigned package or not when applying the GPO. If the package is already present, it moves on. If not, it will install. But why then when the .msi package is already on the machine from the image will it reinstall everything the first time? Is it because it's been removed from the Domain and added back? If so, the registry entries with the path to the source .msi and the package code should still be there, AND I have not changed the location of the source, path, names, etc. -- nothing.
Like I said, the main purposes behind loading up the image with the assigned .msi's is so that they don't have to install over the WAN when a new machine is placed at a remote site. But if upon adding the PC to the Domain for the first time is going to reinstall everything, then it's a moot point. Any workarounds? Fixes? Tips? Thanks in advance.
0 Comments
[ + ] Show comments
Answers (3)
Please log in to answer
Posted by:
gertitombo
17 years ago
Hi,
This problem occurs when you remove the pc and added back to Active Directory. It will give it a full check with MSI.
The MSI files will check quickly if every app is installed correctly thus this means that this installation is much faster when apps are not installed.
Regards,
Tom
This problem occurs when you remove the pc and added back to Active Directory. It will give it a full check with MSI.
The MSI files will check quickly if every app is installed correctly thus this means that this installation is much faster when apps are not installed.
Regards,
Tom
Posted by:
glum
17 years ago
which means that every new machine that is added will get the apps installed. I could be wrong, but I don't believe there is a way to clone a machine with the GPO settings included since the GPO's are tracked via the computer SID. Once the machine is readded, it will create a new SID and AD will think it needs to reinstall.
Posted by:
nheim
17 years ago
Hi Folks,
GPO install is done entirely in the domain security context. The local SID is not involved. We have lots of cloned computers, which we add to a domain without changing the SID. This is not necessary because a soon as a computer is joined to a domain, it receives an SID from the domain, trough which a secure channel is established.
And this is the problem with the GPO install: As soon as you disjoin a machine, the secure channel with the domain is deleted. On a rejoin, a new secure channel, which nothing knows about the old one, comes into play. Thats why the hole GPO installations are repeated from the very beginning. There is no "quick check" or faster install for computers that allready have been joined earlier. The hole installations are started from the beginning.
Hope this clarifies the situation.
Regards, Nick
GPO install is done entirely in the domain security context. The local SID is not involved. We have lots of cloned computers, which we add to a domain without changing the SID. This is not necessary because a soon as a computer is joined to a domain, it receives an SID from the domain, trough which a secure channel is established.
And this is the problem with the GPO install: As soon as you disjoin a machine, the secure channel with the domain is deleted. On a rejoin, a new secure channel, which nothing knows about the old one, comes into play. Thats why the hole GPO installations are repeated from the very beginning. There is no "quick check" or faster install for computers that allready have been joined earlier. The hole installations are started from the beginning.
Hope this clarifies the situation.
Regards, Nick
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.