Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Domain Offline for Extended Period

Posted on 2016-07-18
4
Medium Priority
?
34 Views
Last Modified: 2016-09-28
Good day experts....

I have a Windows 2012r2 domain operating at the 2012r2 functional level.  This domain was shutdown in place about 7 months ago and has not been powered on since.  All domain controllers are virtual and ESXi is the virtualization platform.  Passwords are set to expire after 90 days.  I am looking to start this domain backup up and am asking for thoughts on the best way to startup and get back into this domain.

Some initial thoughts I have:
  1. Startup up ESXi servers and set the clock back 7 months
  2. Disconnect the time source
  3. Startup one of the domain controllers login and reset password (time should not update)
  4. Login and reset password
  5. Reconnect the time source
  6. Change time to present
  7. Change password again
  8. Startup 2nd domain controller

--or--
  1. Startup ESXi leaving time as it
  2. Startup 1st domain controller
  3. From the console login using password that will be expired and update
  4. Bring 2nd domain controller online
  5. Ensure clocks are current

I know this is a "corner case" and most of the answers will be speculative as to the results.  I am looking for ideas and thoughts and any will be appreciated.

As for why this has been shutdown for so long, this is a disconnected development environment that a contract ended for and now another contract has been awarded.  As for why everything is virtual, that was the best solution for the available resources.  I would like to stay away from the "you should have done it that way" discussions.

Thanks in advance for your help!
0
Comment
Question by:jchauncey60
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41717638
You can just bring up whichever VM is hosting the PDC emulator and log in with the old password if you have it. Password Expiration doesn't prevent you from logging in when you log in through the Windows GUI. It just prompts you to reset the password. It will prevent you from logging in to applications that don't support integration with AD Password expiry (OWA, SharePoint, etc), but if you just log into the DC it should prompt you to reset your password. The systems connected to the domain should be able to connect to the domain despite the time lag because AD hasn't had a chance to reset system passwords for the past 7 months. It will do so on first boot, but the existing systems should still be able to communicate with the domain because they will have the most recent SCHANNEL password, which is acceptable for authentication at least 1 time after the DC changes it.

TL;DR - You shouldn't have to do anything special. Just spin up the VMs and log in with the old password (If you don't *have* the password, that's another matter altogether).
1
 

Author Comment

by:jchauncey60
ID: 41717789
Thanks for the quick response.  I am going to leave this open to see if there are any additional comments before accepting.
0
 

Author Comment

by:jchauncey60
ID: 41720902
Thanks again.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question