How long can a domain member be switched off for?

  • Question

  • Hi,

    How long can a domain member be switched off for before it will start causing issues on domain member reboot?

    We are planning to move an organization to a different geographical location. So we are planning to deploy the new DCs in the new Site and ship the member servers across (physically ship the machines).

    What's the longest time these machines can be in this 'offline' state?

    The AD is still Windows Server 2003.

    Thank you

    Thursday, March 24, 2011 9:10 AM

Answers

  • Ok, as long as we're talking about domain members, and not domain controllers, then for all practical purposes they could be turned off indefinitely with no problem.  When you finally turn them back on, the netlogon scavenger will run, contact a domain controller, and reset the password for the computer account.

    The important thing to remember is that a computer account password reset is driven by the CLIENT, not the domain controller.  So, as long as the client doesn't try to change its password, then the password will not be changed.

    Take a look at this link when you get a chance.  I've pulled out the relevant parts:

    http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
    "Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

    So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

    Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where never is anything prior to the time of the attempt – time to refresh the secure channel), then we will not change the password locally.

    The relevant Netlogon parameters that come into play and we can think about changing here are:

    ScavengeInterval (default 15 minutes),
    MaximumPasswordAge (default 30 days)
    DisablePasswordChange (default off). "

    I hope this helps!

    Thursday, March 24, 2011 1:55 PM

All replies

  • As long as no other system is joined to the domain with a similar name or IP. Because the password of the system is maintained in the DC for secure communication, if another system with the same name is joined it will cause a conflict, the system will have its secure channel broken, and it will not allow you to log in or access domain resources.

    If you are interested in digging more into the secure channel, take a look at one of the best videos on AD virtualization.

    http://awinish.wordpress.com/2011/02/16/impact-of-cloning-and-virtualization-on-active-directory-domain-services/


    Regards


    Awinish Vishwakarma | My Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Awinish Friday, March 25, 2011 4:35 AM
    Thursday, March 24, 2011 9:14 AM
  • So what timeframes are we talking about here? How frequently is this secure channel password reset? What happens if a domain member is shut down for a month; will it on reboot be happily allowed to log into the domain?
    Thursday, March 24, 2011 9:32 AM
  • Hello,

    DCs are subject to the tombstone lifetime. For long-time disconnection and shipping please see:

    http://technet.microsoft.com/en-us/library/cc782557(WS.10).aspx

    http://support.microsoft.com/kb/248047/en-us

    http://technet.microsoft.com/en-us/library/cc816924(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc794960(WS.10).aspx

    All other domain members are not that critical.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, March 24, 2011 11:33 AM
  • The time frame for the secure channel is 30 days, but if a member server is shut down for 200 days and you connect it after 200 days, it will contact the DC and refresh its password. But if in between those 200 days there is any other server or system configured with the same hostname or IP, it will not work when the same machine is re-added to the domain, and you have to disjoin and rejoin.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

    The above applies to member servers or domain client machines only, not to DCs, as a DC deals with the tombstone lifetime period, which can be 60 or 180 days or configured according to your domain.

    I gave you the link which explains everything; if you have time, you should watch it.


    Regards


    Awinish Vishwakarma | My Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Boudewijn Plomp Wednesday, September 18, 2013 12:10 PM
    Thursday, March 24, 2011 12:49 PM
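    As an added check covering both the Netlogon parameters quoted in the accepted answer (ScavengeInterval, MaximumPasswordAge, DisablePasswordChange) and the broken-secure-channel scenario described in the reply above, here is a PowerShell script that is not from this thread or from Microsoft's documentation. It assumes it runs elevated on a Windows 7 / Server 2008 R2 or later domain member with the RSAT ActiveDirectory module installed (with Windows Server 2003 DCs as in the question, Get-ADComputer additionally needs the Active Directory Management Gateway Service on a DC); the registry path and value names are the documented Netlogon ones, and the fallback defaults are the ones quoted in the accepted answer.

```powershell
# Added example, not code from the thread. Run elevated on a domain member.
# 1. Read the Netlogon parameters the thread talks about. The values only exist
#    in the registry if someone overrode the defaults, so fall back to the defaults
#    quoted in the accepted answer (30 days, 15 minutes, password change enabled).
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $netlogonKey

$maxAgeDays     = if ($null -ne $params.MaximumPasswordAge)    { [int]$params.MaximumPasswordAge }    else { 30 }
$scavengeSec    = if ($null -ne $params.ScavengeInterval)      { [int]$params.ScavengeInterval }      else { 15 * 60 }
$changeDisabled = if ($null -ne $params.DisablePasswordChange) { [bool]$params.DisablePasswordChange } else { $false }

"MaximumPasswordAge    : {0} days"    -f $maxAgeDays
"ScavengeInterval      : {0} seconds" -f $scavengeSec
"DisablePasswordChange : {0}"         -f $changeDisabled

# 2. Verify the secure channel. $true means the password this machine holds still
#    matches what AD has, however long the machine was switched off. A broken
#    channel is the symptom the reply above describes (for example a second
#    machine joined under the same name while this one was in transit).
$channelOk = Test-ComputerSecureChannel
"Secure channel OK     : {0}" -f $channelOk

if (-not $channelOk) {
    # In-place repair resets the machine account password against the domain
    # without the disjoin/rejoin cycle; it needs an account allowed to reset
    # the computer object's password.
    Write-Warning 'Secure channel is broken; attempting in-place repair.'
    $channelOk = Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    "Repair result         : {0}" -f $channelOk
}

# 3. With a working channel, show how old the machine account password is in AD.
#    Netlogon on this client will rotate it on its own once the age passes
#    MaximumPasswordAge, unless DisablePasswordChange is set.
if ($channelOk) {
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, Enabled
    $ageDays  = [int]((Get-Date) - $computer.PasswordLastSet).TotalDays

    "Account enabled       : {0}" -f $computer.Enabled
    "Password last set     : {0}" -f $computer.PasswordLastSet
    if ($changeDisabled) {
        "Password age          : {0} days; rotation disabled on this client" -f $ageDays
    }
    elseif ($ageDays -gt $maxAgeDays) {
        "Password age          : {0} days; exceeds {1}, Netlogon will rotate it on the next scavenge" -f $ageDays, $maxAgeDays
    }
    else {
        "Password age          : {0} days; within the {1}-day limit" -f $ageDays, $maxAgeDays
    }
}
```

    The point of running this before deciding on a disjoin/rejoin is that the age of the password is irrelevant on its own: only a failed Test-ComputerSecureChannel indicates a real problem, and -Repair fixes the common case without recreating the computer object.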
  • This is great feedback, thank you everyone!
    Thursday, March 24, 2011 3:41 PM