Solved

Domain Offline for Extended Period

Posted on 2016-07-18
4
28 Views
Last Modified: 2016-09-28
Good day experts....

I have a Windows 2012r2 domain operating at the 2012r2 functional level.  This domain was shutdown in place about 7 months ago and has not been powered on since.  All domain controllers are virtual and ESXi is the virtualization platform.  Passwords are set to expire after 90 days.  I am looking to start this domain backup up and am asking for thoughts on the best way to startup and get back into this domain.

Some initial thoughts I have:
  1. Startup up ESXi servers and set the clock back 7 months
  2. Disconnect the time source
  3. Startup one of the domain controllers login and reset password (time should not update)
  4. Login and reset password
  5. Reconnect the time source
  6. Change time to present
  7. Change password again
  8. Startup 2nd domain controller

--or--
  1. Startup ESXi leaving time as it
  2. Startup 1st domain controller
  3. From the console login using password that will be expired and update
  4. Bring 2nd domain controller online
  5. Ensure clocks are current

I know this is a "corner case" and most of the answers will be speculative as to the results.  I am looking for ideas and thoughts and any will be appreciated.

As for why this has been shutdown for so long, this is a disconnected development environment that a contract ended for and now another contract has been awarded.  As for why everything is virtual, that was the best solution for the available resources.  I would like to stay away from the "you should have done it that way" discussions.

Thanks in advance for your help!
0
Comment
Question by:jchauncey60
  • 2
4 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41717638
You can just bring up whichever VM is hosting the PDC emulator and log in with the old password if you have it. Password Expiration doesn't prevent you from logging in when you log in through the Windows GUI. It just prompts you to reset the password. It will prevent you from logging in to applications that don't support integration with AD Password expiry (OWA, SharePoint, etc), but if you just log into the DC it should prompt you to reset your password. The systems connected to the domain should be able to connect to the domain despite the time lag because AD hasn't had a chance to reset system passwords for the past 7 months. It will do so on first boot, but the existing systems should still be able to communicate with the domain because they will have the most recent SCHANNEL password, which is acceptable for authentication at least 1 time after the DC changes it.

TL;DR - You shouldn't have to do anything special. Just spin up the VMs and log in with the old password (If you don't *have* the password, that's another matter altogether).
1
 

Author Comment

by:jchauncey60
ID: 41717789
Thanks for the quick response.  I am going to leave this open to see if there are any additional comments before accepting.
0
 

Author Comment

by:jchauncey60
ID: 41720902
Thanks again.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question