
Join an existing Sophos Anti-Virus Client from workgroup to a domain

Hello,

We use SEC 5.2.1 R2 and Sophos Anti-Virus 10.3.7.

We have a laptop that was in a workgroup but moved to another place where we wanted to join it to a domain. On the Active Directory OU we have an auto sync so after we joined the laptop to the domain a new (unprotected) client appeared in the console.

Now 2 clients show up in the console:

1. Connected, protected client in the workgroup (old config)

2. Not connected or protected client in AD. (new config)

But of course it should be the other way around. It WAS part of a workgroup but now we joined it to the domain so the domain client should show up as connected and protected.

I tried deleting the workgroup client. I tried uninstalling and re-installing but it's still the same.

How can we resolve this so the client that is synchronised through AD is the one that is connected and we can delete the old workgroup installation?

Any help would be greatly appreciated!

:50692


  • Hello Auto_Humanitas,

    [nitpicking] let's call the one managed and the other unmanaged [/nitpicking]

    hm, would have thought the folding logic now correctly handles this situation. In the Computer Details tab - what is the value shown in the Domain/workgroup column for the endpoints?

    Christian

    :50696
  • Hello Christian,

    Thank you for your reply!

    The managed client:

    Computer name                           NB2455
    Computer description                    

    Operating system                        Windows 7
    Service pack                            Service Pack 1
    Domain/workgroup                        WORKGROUP

    The unmanaged client:

    Computer name                           NB2455
    Computer description                    

    Operating system                        Windows 7
    Service pack                            

    Domain/workgroup                        HUMANITAS

    :50702
  • Hello Auto_Humanitas,

    this looks like the computer account has been added to the OU - hence the appearance in the synched group - but the endpoint has not joined the domain. Please check on the endpoint if it is really a member of the domain.

    Christian
    :50718
  • Hello Christian,

    Yes, the computer is really a member of the domain. We never add computer accounts manually. It's added only as we make it a member of the domain. Then when it's a member of the domain, we drag the computer object to the appropriate OU.

    Peter

    :50874
  • Hello Peter,

    I see.  Dunno what could cause this misbehaviour (it might be interesting to find out so that future occurrences can be avoided).

    Start with the Network Communications Report on the endpoint (open ReportData.xml in %ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport\ with a browser) and check if the domain is correct in Computer Details and make note of the RMS-Routername.

    Next take a look at the entries in the database (puts the output to a file named with the -o flag):

    sqlcmd -E -S .\SOPHOS -d SOPHOS521 -Q "Select ID,Name,DomainName,Managed,Deleted,InsertedAt,LastMessageTime,MessageSystemAddress,IdentityTag from ComputersAndDeletedComputers where Name='NB2455'" -o outputfile.txt

    There could be more than two entries, the MessageSystemAddress corresponds to the RMS-Routername. Dunno if this will shed any light on it though.

    Christian

    :50932
  • Hello Christian,

    Thank you so much for your effort!

    I obeyed your commands :-) These are the results:

    ID	Name	DomainName	Managed Deleted InsertedAt              LastMessageTime         MessageSystemAddress  IdentityTag 
    
    611	WS3328	HUMANITAS	1	0	2014-02-03 13:11:12.640 2014-06-11 12:18:30.000 Router$WS3328:171024  cc2cc6c8-1744-4a39-b68e-fdd6ca6a413c
    693	WS3328	HUMANITAS	0	0	2014-04-01 14:39:33.813 NULL NULL
    
    (2 rows affected)
    Computer details 
     
    
    Report generation time ( local time )
    woensdag 11 juni 2014 14:18:17 
    
    Report generation time ( GMT )
    woensdag 11 juni 2014 12:18:17 
    
    Computer name :
    WS3328  
    
    Windows domain :
    HUMANITAS  
    
    RMS router name :
    Router$WS3328:171024

    BTW: I used another computer with the exact same problem.

    :50938
  • Hello Peter,

    I obeyed your commands

    :-P excellent :-D - it shows that the original item (ID 611) changed the domain membership and correctly reported it. Apparently when the computer has been imported by AD sync it hasn't been matched to the existing one. The sequence used here (join an already managed computer to a domain, drag the computer into a synced OU) doesn't seem that uncommon - thus I wonder why it produces incorrect results. Could you additionally SELECT the column OperatingSystem?

    Guess it happens with all computers already managed and then joined to the domain?

    Christian

    :50942
  • Could you additionally SELECT the column OperatingSystem?

    - It both says '35'

    Guess it happens with all computers already managed and then joined to the domain?

    - That is correct, I just added my computer to the domain (WS3328) and just like you saw, it's the exact same problem.

    :50946
  • Hello Peter,

    I haven't used AD Sync since 5.1 (and then only for testing), there have been some changes since then. Unfortunately I can't test this at the moment.

    Deleting one or both entries won't help - deletion is just setting a flag, the entry is still present and will be considered by the matching routines. Before I forget: I'd suggest you contact support to find out how it's supposed to work (existing managed client is joined to domain and moved to a synchronized container).

    It seems that - using solely available supported interfaces and actions - the (almost) only way to get the desired results is reprotecting the endpoint from the console once it's in the correct group (or perhaps reinstall using the -G parameter). Alternatively, giving the endpoint a "blank" identity as outlined in Computers in Enterprise Console appear to update the same record (yes, a quite different issue) might cause the sync'ed entry to be preferred over the old managed one.

    Christian

    :50984
  • Hello Christian,

    I've contacted our supplier of Sophos. They contacted Sophos in England and together we tackled the problem by doing as follows:

    1. Delete the managed computer from the console (I'm not really sure this is necessary)
    
    2. Run \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe

    By doing this, the Sophos Client will remove itself and then reinstall.

    After that the computer is shown correctly in the Sophos Console.

    I thank you again for your effort and support!

    Peter

    :51024
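
Added example, not part of any post in this thread: the per-computer database query above, generalized to list every computer name that has both a managed record and an unmanaged record that never reported in, so that duplicates created by AD sync can be told apart from endpoints that really are unprotected. The query uses only the view and column names quoted in the thread and standard SQL; the in-memory SQLite table is a stand-in for the Enterprise Console database, the 0/1 encoding of Managed and Deleted is assumed from the posted output, and every sample row except IDs 611 and 693 is constructed.

```python
import sqlite3

# Standard SQL over the column names used in the thread's query. A computer is
# listed when it has a managed row AND an unmanaged row that never sent a
# message, i.e. the split record seen for WS3328. Rows flagged Deleted are
# kept in scope, because the thread notes they still take part in matching.
FIND_SPLIT_RECORDS = """
SELECT Name,
       MAX(CASE WHEN Managed = 1 THEN ID END) AS ManagedID,
       MAX(CASE WHEN Managed = 0 AND LastMessageTime IS NULL THEN ID END) AS UnmanagedID,
       SUM(CASE WHEN Deleted = 1 THEN 1 ELSE 0 END) AS DeletedRows
FROM ComputersAndDeletedComputers
GROUP BY Name
HAVING MAX(CASE WHEN Managed = 1 THEN ID END) IS NOT NULL
   AND MAX(CASE WHEN Managed = 0 AND LastMessageTime IS NULL THEN ID END) IS NOT NULL
ORDER BY Name
"""

# (ID, Name, DomainName, Managed, Deleted, LastMessageTime)
SAMPLE_ROWS = [
    (611, "WS3328", "HUMANITAS", 1, 0, "2014-06-11 12:18:30.000"),  # from the thread
    (693, "WS3328", "HUMANITAS", 0, 0, None),                       # from the thread
    (701, "PC-A", "HUMANITAS", 1, 0, "2014-06-11 09:00:00.000"),    # constructed: healthy
    (702, "PC-B", "HUMANITAS", 0, 0, None),    # constructed: in AD, never protected
    (703, "PC-C", "WORKGROUP", 1, 1, "2014-05-02 08:15:00.000"),    # constructed: deleted in console
    (704, "PC-C", "HUMANITAS", 0, 0, None),                         # constructed: AD-synced twin
]

def find_split_records(rows):
    """Load rows into an in-memory stand-in for the view and run the query."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ComputersAndDeletedComputers (ID INTEGER, Name TEXT, "
        "DomainName TEXT, Managed INTEGER, Deleted INTEGER, LastMessageTime TEXT)"
    )
    db.executemany("INSERT INTO ComputersAndDeletedComputers VALUES (?,?,?,?,?,?)", rows)
    try:
        return db.execute(FIND_SPLIT_RECORDS).fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    for name, managed_id, unmanaged_id, deleted_rows in find_split_records(SAMPLE_ROWS):
        print(f"{name}: managed ID {managed_id}, unmanaged ID {unmanaged_id}, "
              f"{deleted_rows} row(s) flagged deleted")
```

PC-B is deliberately not reported: it has only an unmanaged record, which is a real protection gap rather than a duplicate.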