LSA password for a Windows 2003 domain controller

Posted on 2009-04-15
Last Modified: 2012-05-06
Can the LSA password for a DC machine account expire? If I shut down a DC for 3 months and booted it up, would it sync the password then or would it not be able to? If I restored it with a backup from 3 months ago, it would be no good - correct?
Question by:ENTPF
    LVL 49

    Accepted Solution

    Computer accounts (DCs or not) change passwords regularly.

    If a computer is shut down or disconnected from the domain for too long it will lose sync with the domain and not be able to operate normally.

    This can be solved by using the netdom command to force reset the machine password once the computer is back online.
    LVL 21

    Assisted Solution

    If your domain was built on Windows 2003 w/o any SP the default tombstone lifetime (TSL) is 60 days. If it was built on 2003 SP1/SP2/R2 the TSL is 180 days.

    So if one of your DCs is offline for 3 months there is a chance it is tombstoned. This means it's useless and has to be cleaned out with a metadata cleanup. Remember that backups also have the same TSL.

    To check your TSL:

    Just to add something about computer accounts. The password change for a computer object is initiated by the computer itself and not by a DC. It is changed every 30 days, so if a computer is offline longer than 30 days the password change will happen when it gets online again. On a DC (if it's the PDC) you might have to reset the password manually with e.g. netdom as stated above.

    LVL 3

    Expert Comment

    Agree with the above!

    Just for info
    Computer accounts do not expire.
    LVL 18

    Expert Comment

    Yeah, the 30-day password for a computer account is more like an update than an expiration. It doesn't expire.
    Since you are dealing with a DC, most likely you will have to reset the password with netdom as mentioned by the expert above. If you have a good functional DC, and your other DC has been non-functional for 3 months, and you are trying to restore from backup, why not just clean and remove everything regarding this DC from your AD:
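To put the two answers above together (TSL from the forest, 30-day password change interval, netdom reset versus metadata cleanup), here is an added PowerShell check, not from the thread, that reads the tombstone lifetime and the DC's machine-account password age from a healthy DC and reports which case applies. It assumes the ActiveDirectory RSAT module on the machine you run it from; the DC name is a placeholder.

```powershell
# Added example, not part of the original thread. Run on a member server or a
# healthy DC with the ActiveDirectory module (RSAT) installed.
function Test-DcMachineAccountAge {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DcName,            # sAMAccountName without the trailing '$', placeholder e.g. 'DC02'
        [int]$ChangeIntervalDays = 30   # default machine-account password change interval
    )
    Import-Module ActiveDirectory

    # tombstoneLifetime lives on the Directory Service object in the Configuration NC.
    # On forests created before 2003 SP1 the attribute is unset, which means the 60-day default.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }

    # pwdLastSet is a FILETIME; it reflects the last password change AD saw from this DC.
    $dc = Get-ADComputer -Identity $DcName -Properties pwdLastSet
    $pwdLastSet = [DateTime]::FromFileTime($dc.pwdLastSet)
    $ageDays    = [int]((Get-Date) - $pwdLastSet).TotalDays

    if ($ageDays -gt $tsl) {
        # Offline longer than the TSL: treat the DC (and any backup of it this old) as
        # tombstoned. The thread's advice is a metadata cleanup, not a password reset.
        $verdict = 'Beyond tombstone lifetime: metadata cleanup, do not restore from this backup'
    } elseif ($ageDays -gt $ChangeIntervalDays) {
        # Missed at least one 30-day change but still inside the TSL: the thread's
        # remedy is a forced reset with netdom resetpwd once the DC is back online.
        $verdict = 'Stale machine password: reset with netdom resetpwd after bringing the DC online'
    } else {
        $verdict = 'Within the change interval: the DC should resync on its own'
    }

    [PSCustomObject]@{
        DC                  = $DcName
        TombstoneLifetime   = $tsl
        PasswordLastSet     = $pwdLastSet
        PasswordAgeDays     = $ageDays
        Verdict             = $verdict
    }
}

# Usage (placeholder DC name):
Test-DcMachineAccountAge -DcName 'DC02'
```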
