Longest time before client/RODC must sync with DC server

  • Question

  • Hi, I need some info on the time period before a client or RODC must sync with the DC.

    Our clients don't always have internet access; sometimes they must go for a period of time before they can establish a connection to the DC. I need to find out what that period is and if you can change it via a policy or something.

    The same for an RODC: what is the longest period it can go without syncing, and can you change it?

    Thanks

    Friday, June 4, 2010 7:57 AM

Answers

  • Hi,

    Please also remember that the default computer account password change period is every 30 days. If, for some reason, the computer account's password and the LSA secret are not synchronized, the secure channel between the workstation and domain controller will be broken.

    Resetting computer accounts in Windows
    http://support.microsoft.com/kb/216393

    How to use Netdom.exe to reset machine account passwords of a Windows Server domain controller
    http://support.microsoft.com/kb/325850

    If there is anything unclear, please feel free to respond back.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, June 11, 2010 2:03 AM

All replies

  • Howdie!
     
    On 04.06.2010 09:57, TheWall_RSA wrote:
    > Our clients don't always have internet access; sometimes they must go for
    > a period of time before they can establish a connection to the DC. I
    > need to find out what that period is and if you can change it via a
    > policy or something.
     
    So there's no max time. Clients will just be happy re-connecting with
    the domain controller.
    >
    > The same for a RODC, what is the longest period it can go without
    > syncing and can you change it.
     
    For offline-DCs, things are different. They can't be offline longer than
    the tombstone lifetime that is configured in the forest. That might be
    60 days, in some cases 180 days.
    http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
     
    For RODCs, I'm not quite sure -- basically they shouldn't fall under the
    "tombstone" problem as they don't replicate changes out. They should
    happily rep-in any changes from other DCs even if the RODC were offline
    for more than the tombstone lifetime. I haven't checked that myself, though.
     
    Cheers,
    Florian
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Friday, June 4, 2010 8:22 AM
  • Hi, thanks for that.

    Firstly, the AD Edit seems to be a bit different in Win 2008 R2... Can't find the policy.

    Secondly... We had it in the past that if a computer has not been logged on in a while, you get a message that it can't find the DC... What do you call that? Maybe I explained myself wrong? What is that time? Can you change that?

    Thanks

    Friday, June 4, 2010 9:43 AM
  • Found the tombstone lifetime in Win 2008 in AD Edit, so ignore the first question.

    Friday, June 4, 2010 9:49 AM
  • Howdie!
     
    On 04.06.2010 11:43, TheWall_RSA wrote:
    > Firstly, the AD Edit seems to be a bit different in Win 2008 R2... Can't
    > find the policy.
     
    You should be able to find it - ADSIEdit hasn't changed between the
    versions. It's in the Configuration Partition so you might need to focus
    that.
     
    > Secondly... We had it in the past that if a computer has not been logged
    > on in a while, you get a message that it can't find the DC... What do
    > you call that? Maybe I explained myself wrong? What is that time? Can
    > you change that?
     
    Did you re-image these clients or re-apply an older backup? It can
    happen if you do that as the computer's AD password gets reset with AD
    every 30 days or so and if you replay an older backup, the machine won't
    be able to authenticate with its old password.
     
    The tombstoneLifeTime is essentially the amount of time AD keeps track
    of "deleted" objects before it really purges them off the directory. By
    "deleted" I mean "marked for deletion". When you delete an object, AD
    marks that as deleted in order to replicate the "delete object X" change
    to other DCs. See:
    http://technet.microsoft.com/de-de/library/cc784932(WS.10).aspx -- and
    yeah, you can change that. That's the link I sent you in the first mail.
     
    Cheers,
    Florian

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Friday, June 4, 2010 9:54 AM
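    A way to check the two timers discussed in this thread (the forest tombstoneLifetime in the Configuration partition, and the 30-day machine account password rotation from the accepted answer) from PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, and DOMAIN\admin is a placeholder credential.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and a reachable writable DC; run as a domain user with read access.
Import-Module ActiveDirectory

# 1. tombstoneLifetime is forest-wide and lives in the Configuration
#    partition, which is why ADSIEdit has to be focused on that partition.
$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent means the legacy default of 60 days
"tombstoneLifetime: $tsl days (a DC offline longer than this risks lingering objects)"

# 2. Enabled computer accounts whose machine password is older than the
#    default 30-day rotation period (e.g. laptops that were off the network).
#    A long gap is not a failure by itself; it flags accounts whose secure
#    channel is worth verifying before the user reports "cannot find the DC".
$cutoff = (Get-Date).AddDays(-30)
Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
    -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet,
        @{ n = 'DaysSinceChange'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object DaysSinceChange -Descending

# 3. On an affected client, test the secure channel and repair it in place
#    instead of rejoining the domain (Test-ComputerSecureChannel ships with
#    Windows PowerShell 2.0 and later). DOMAIN\admin is a placeholder.
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'DOMAIN\admin')
}
```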
  • No, it is just machines that were shut down for an extended period of time.

    So if a client is out of the office and can't connect to the DC, there is no point in time where he won't be able to log onto his workstation with his domain username and password, if his password does not expire?

    Friday, June 4, 2010 10:03 AM
  • That is correct. It would be about the password expiration time of the user.

    Florian,

    I would think an RODC could get lingering objects if its source DC was unavailable beyond the tombstone lifetime. Not positive but will check on it.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009
    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, June 4, 2010 1:41 PM
  • I did a query and an RODC can have lingering objects, but cleaning them up is not really possible, since you can't modify the DC's DB. A demotion/promotion would be required.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009
    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, June 4, 2010 2:29 PM
  • Hi,

    How's everything going? I want to check if the information is helpful. If there is anything unclear, or if you need further assistance, please do not hesitate to respond back.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, June 15, 2010 8:47 AM
  • Very helpful, thanks.

    Think at the end a full DC on every mobile unit will be needed.

    Thanks

    Tuesday, June 15, 2010 10:22 AM