• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 606
  • Last Modified:

LSA password for a Windows 2003 domain controller

Can the LSA password for a DC machine account expire?  If  I shutdown a DC for 3 months and booted it up, would it sync the password then or would it not be able to?  If I restored it with backup from 3 months ago, it would be no good - correct?
0
ENTPF
Asked:
ENTPF
2 Solutions
 
AkhaterCommented:
Computer accounts (DCs or not) change passwords regularly,

If a computer is shut or disconnected from the domain for too long it will lose sync with the domain and not be able to operate normally.

This can be solved by using the netdom command to force reset the machine password once the computer is back online

http://support.microsoft.com/kb/260575
0
 
snusgubbenCommented:
If your domain was build on Windows 2003 w/o any SP the default tombstone lifetime (TSL) is 60 days. If it was build on 2003 SP1/SP2/R2 the TSL is 180 days.

So if one of your DCs is offline for 3 mounth there is a chance it is tombstoned. This means it's useless and have to be cleaned out with a metadata cleanup. Remember that backups also has the same TSL.

To check your TSL: http://technet.microsoft.com/en-us/library/cc784932.aspx

Just to add something about computer accounts. The password change for a computer object is initialized by the computer itself and not by a DC. It is changed every 30 day, so if a computer is offline longer then 30 days the password change will happend when it gets online again. On a DC (if it's the PDC) you might have to reset the password manually with i.e. netdom as stated above.


SG
0
 
a_ro_noCommented:
Agree with the above!

Just for info
Computer accounts do not expire.
0
 
AmericomCommented:
Yeah, the 30 days password for computer account is more like update than expiration. It doesn't expire.
Since you are dealing with a DC. Most likely you will have to reset the password with netdom as mentioned from above expert. If you have a good DC functional, and your other DC has been non functional for 3 months, and our are trying to restore from backup, why not just clean and remove everything regarding this DC from your AD: http://technet.microsoft.com/en-us/library/cc736378.aspx
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now