How long can a domain member be disconnected from its AD domain? (but not switched off)

    Question

  • Hi,

    I would like to know for how long a computer can stay not connected to its AD domain without having its trust relationship channel broken?

    I have read this : https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

    I understand that there is no issue if the domain member client is switched off for several months, but what happens if the client is powered on but not connected to the AD domain?

    If I understand correctly, every 30 days (by default), a new password will be locally set on the computer and one old password is stored on the computer.

    So, if it is less than 60 days: "no problem", the computer will be able to recreate a secure channel with the DC (as it will give the new password and then the old one, and the DC will say "OK").

    But after 60 days, what will happen? Will we have to recreate the secure channel, or am I missing something?

    Thank you

    Thursday, January 19, 2017 4:53 PM

Answers

  • Until I find better information, my conclusion remains that any client can remain offline, whether turned on or not, indefinitely with no adverse consequence. I cannot believe that the client would change its own password when it cannot contact a DC. I realize others say that they must rejoin computers to the domain when they have been off the domain for extended periods, but this has not been my experience. I think something else causes this.

    Even if the password on the client (and the previous password on the client) does not match the password in AD, there should be no need to rejoin the domain, or even reestablish the secure channel. I believe something else breaks the secure channel. Note the 2 passwords are said to be saved on the local client. There is one machine password in AD, plus the normal password history. And AD password history can be configured to save many more passwords than 2. However, since Windows Server 2003 AD a bad password has not incremented the badPasswordCount if it matches the previous password in password history. This prevents lockout. But AD never allows authentication with anything other than the current password. If the client tries first with the current password, and if that fails tries again with the previous password, that is one thing. But even here I believe people are confusing the normal AD password history behavior with what happens on the local computer. I begin to think there is no such thing as a previous password saved on the machine. There should be no need for it.

    The following article talks about cases where the password on the local client does not match the password in AD, and gives a script (which has been used for years) to reset the local machine password:

    https://technet.microsoft.com/en-us/library/ee198778.aspx

    But I also believe this article is incorrect, or at least incomplete, when it states:

    ===== quote =====

    Or, a computer might be offline for an extended period of time. During that time, the Active Directory password might have been changed; with the computer offline, however, the local password could not have been changed accordingly.

    ===== end of quote =====

    If some person were to reset the AD computer password, then yes, the passwords would not match. But AD will not reset the computer password unless the computer requests. I have checked the pwdLastSet attribute of a client offline for 80+ days and it remained unchanged.

    Regarding your specific question, I don't believe the computer can reset the secure channel. Instead, the claim in the blog post is that the machine tries first with the current password, the password the machine set without contacting a DC. Then if that fails it tries again with the previous password it has saved. After 60 days offline the computer sets a new password for itself, so the current and previous passwords are both wrong, and it cannot authenticate. I believe all of this is wrong. If not, there should be documentation that is not so confusing and conflicting.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Isabelle94000 Friday, January 27, 2017 2:44 PM
    Friday, January 20, 2017 3:55 PM

All replies

  • The trust should be indefinite. The password thing may be a separate issue.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, January 19, 2017 5:00 PM
  • The trust should be indefinite. The password thing may be a separate issue.

    Can you tell me more, please?

    How can the computer reset its password automatically if the trust is broken?

    Thursday, January 19, 2017 5:01 PM
  • "They can go indefinitely, just as long as you don't log in with 10 (default) other profiles.

    Windows will cache logins and generally the default is 10. It's a registry change to raise or lower that, but just keeping a single login profile, it should remain forever."

    https://community.spiceworks.com/topic/125365-how-long-can-a-laptop-go-without-connecting-to-the-domain


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

    Thursday, January 19, 2017 5:04 PM
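    Two things in this thread are checkable rather than arguable: the pwdLastSet value Richard reads from AD for a client that has been away for 80+ days, and the cached-logon count Miguel quotes. The script below is an added example, not code from the thread or from Microsoft; it only uses the ActiveDirectory module cmdlet Get-ADComputer, the built-in Test-ComputerSecureChannel, and the documented Netlogon and Winlogon registry values. Function names and the computer name are constructed for the example.

```powershell
# Added example (not from the thread): collect the state that decides whether a
# domain member can still authenticate after a long time away from its DCs.
# Assumes the ActiveDirectory module (RSAT) where Get-MachineAccountState runs;
# 'LAPTOP-EXAMPLE01' and all function names are placeholders for this example.

function Get-MachineAccountState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Server   # optional DC to query; omit to use DC locator
    )
    # 1. AD's view: pwdLastSet (exposed as PasswordLastSet) only moves when the
    #    member completes a password change with a DC or an admin resets it, so
    #    a value unchanged for months is consistent with Richard's observation.
    $adArgs = @{ Identity = $ComputerName; Properties = 'PasswordLastSet', 'LastLogonDate' }
    if ($Server) { $adArgs['Server'] = $Server }
    $acct = Get-ADComputer @adArgs

    $ageDays = if ($acct.PasswordLastSet) {
        [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        AdPasswordLastSet = $acct.PasswordLastSet
        AdPasswordAgeDays = $ageDays
        AdLastLogonDate   = $acct.LastLogonDate
    }
}

function Get-LocalMachinePasswordPolicy {
    # 2. The member's own Netlogon configuration. These are the registry backing
    #    of the "Domain member: Maximum machine account password age" (days,
    #    default 30) and "Domain member: Disable machine account password
    #    changes" security policy settings.
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # 3. Cached interactive logons: how many distinct domain users can still sign
    #    in while no DC is reachable. REG_SZ, default "10".
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
        PasswordChangeDisabled = [bool]$netlogon.DisablePasswordChange
        CachedLogonsCount      = [int]$winlogon.CachedLogonsCount
    }
}

function Test-AndRepairSecureChannel {
    param([switch] $Repair, [string] $Server)
    # 4. Does this member hold a working secure channel right now? Run on the
    #    member itself. -Repair re-keys the channel in place, which is the
    #    alternative to a full domain rejoin when the test fails.
    $testArgs = @{}
    if ($Server) { $testArgs['Server'] = $Server }
    $ok = Test-ComputerSecureChannel @testArgs
    if (-not $ok -and $Repair) {
        $ok = Test-ComputerSecureChannel -Repair @testArgs
    }
    return $ok
}

# Example run (constructed names): compare AD's record with the local policy,
# then check the channel and repair it without rejoining if it is broken.
Get-MachineAccountState -ComputerName 'LAPTOP-EXAMPLE01' | Format-List
Get-LocalMachinePasswordPolicy
Test-AndRepairSecureChannel -Repair
```

    Reading the two outputs together answers the question the thread circles: if AdPasswordAgeDays keeps growing while the member is away and Test-ComputerSecureChannel still returns True on reconnect, the member did not invalidate its own credential offline. If the test returns False, the -Repair path (or Reset-ComputerMachinePassword) restores the channel using the existing computer account, so a rejoin is not the only remedy.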
  • I don't speak about user password cache but computer password and the number of days that a computer can stay disconnected from its domain without having to recreate the trust relationship between the computer account and the domain controllers.
    • Proposed as answer by Miguel Fra Thursday, January 19, 2017 5:15 PM
    • Unproposed as answer by Miguel Fra Thursday, January 19, 2017 5:15 PM
    Thursday, January 19, 2017 5:07 PM
  • Can you tell me more, please?

    How can the computer reset its password automatically if the trust is broken?

    If the trust is broken then you'll need to rejoin the pc to domain.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, January 19, 2017 5:08 PM
  • I don't speak about user password cache but computer password and the number of days that a computer can stay disconnected from its domain without having to recreate the trust relationship between the computer account and the domain controllers.

    Indefinite

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Miguel Fra Thursday, January 19, 2017 5:22 PM
    Thursday, January 19, 2017 5:09 PM
  • that's not my question :-(
    Thursday, January 19, 2017 5:10 PM
  • that's not my question :-(

    If the trust is broken then the only option to logon to pc is to use a local account.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, January 19, 2017 5:12 PM
  • I don't speak about user password cache but computer password and the number of days that a computer can stay disconnected from its domain without having to recreate the trust relationship between the computer account and the domain controllers.

    This question was answered and you asked for more information, specifically related to passwords. Cached logins are an important part of this equation because if the cached logins fail for the user, you will need to resort to another question that was also answered, having a local admin account.


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

    Thursday, January 19, 2017 5:20 PM
  • I have had a client on but not connected to my domain for over a year. When connected to the domain I logged on with no problem. The computer got a new password and the secure channel was fine.

    I saw the article you linked some time ago, and others, stating that a client will change its own password every 30 days if not connected to the domain, and keep the current and next most recent passwords. The implication is that after 60 days the password will be too old and the computer cannot connect. The solution implied is to remove from the domain and rejoin.

    In my opinion, the article is poorly worded. I was never able to duplicate the problem. I even tested with another client (Windows 10) off the domain (but on) for 80 days.

    At the very least, I would think you could restore the secure channel without the need to rejoin the domain. Plus it makes no sense to me that the client would change its own password when it cannot contact a DC.

    I asked about this in this forum a few weeks ago and got no good response. I conclude the blog post, and similar articles, are wrong.

    Edit: The thread I started on this issue:

    https://social.technet.microsoft.com/Forums/en-US/bb14e5ab-57d0-49a9-b95e-ab783232351c/machine-account-password-change-confusion?forum=winserverDS


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, January 19, 2017 6:11 PM
  • Hi Richard,

    thank you, that's exactly my point!

    I read your thread and your interrogation is exactly mine.

    I understand that you tested it and there is no limitation of 60 days. So, that's fine! (I am actually trying to understand why more and more computers on a country network have their secure channel broken.)

    If the computer password is locally modified every 30 days and the AD is storing only 2 occurrences, do you have any idea of how it's possible for the computer to reset its secure channel after 60 days? (I understand it's done, but how? :))

    Thank you

    Friday, January 20, 2017 9:50 AM