Windows 2003 AD Domain Controller - Lab

Zane

I want to maintain a VPC Guest that is a Windows 2003 AD DC; however, I am
concerned that the security ID may expire -

For example, I am keeping a clean image of the VPC for over 2-4 months -
doesn't the DC reset its own security realm - just like the workstations do....

Please clarify, and how would I prevent this issue from occurring (after 2-4
months)? Thanks.
 
Herb Martin

I don't think so, but it will need to replicate with any other
DCs before the "tombstone lifetime" expires - 60 days by
default.
 
Zane

This is a standalone DC, meaning no other DCs to replicate to - my concern
was as a standalone VPC Guest machine and possible security resets.
 
Zane

Just to clarify, this VPC is powered down every day - back to its original
clean state, since it is a DEMO machine.

I want to be able to install other server apps, then when done, restore to
its clean state.

But again, the concern is with the security ID or SID or related security
resets (maybe there is no such thing for a single DC, but I thought of it since
workstations reset themselves in domains).
 
ptwilliams

If it's a lone PC/DC, what's it got to reset? And if you do have a PC to go
with the lessons, I assume that's reset as well - no problems there.

And, if they do fall out of sync, the secure channel secret password will
simply be reset and you'll be fine.

--

Paul Williams
_________________________________________
http://www.msresource.net - Under construction, but coming soon...


Join us in our new forums!
http://forums.msresource.net
_________________________________________


No, it's not an issue for a lone DC (to the best of my knowledge).
 
Paul Adare - MVP - Microsoft Virtual PC

ptwilliams said:
And if you do have a PC to go with the lessons, I assume that's reset as
well - no problems there.

And, if they do fall out of sync, the secure channel secret password will
simply be reset and you'll be fine.

No, you're wrong here. If you have member servers and/or workstations or
additional domain controllers, you can, and likely will, run into
problems.

In the case of member servers and workstations, as long as you _always_
undo changes on all member servers, workstations and domain controllers
after a session, you won't have any issues. If, however, you commit
changes on, say, a member server, but don't commit changes on a domain
controller (or vice versa), you will have problems. The issue is that
while the member server and the DC were up and running, if the member
server changes its secure channel password, and you then commit the
changes on the member server, but do not do so on the DC, the next time
you boot them both, the member server and the DC will have different
machine account passwords and you'll either have to reset the secure
channel using netdom, or you'll need to remove the member server from
the domain and then rejoin it.

The issue for DCs is a little different. If you commit changes for one
DC and not for the rest, you may run into a situation where the
tombstone lifetime is exceeded. In this case, replication between the
problematic DCs will cease.

To avoid the member server/workstation issue completely, search the KB
for RefusePasswordChange and DisablePasswordChange.
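The three checks and fixes discussed in this post (how long a snapshot may stay offline before the tombstone lifetime bites, detecting and repairing a member whose secure channel password no longer matches the DC's copy, and the Netlogon registry values from KB 154501 that stop the machine account password from changing at all), as an added PowerShell example. This is not code from the thread or from any of the posters. It assumes a Windows 7 / Server 2008 R2 or later lab guest with PowerShell and the ActiveDirectory RSAT module, not the Windows 2003 guests the thread is about, so the command-line equivalents of that era (netdom, nltest) are given in comments; the domain and account names are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a
# domain-joined lab guest. LAB\Administrator and the host names are
# placeholders; the registry value names come from KB 154501.

# --- 1. How long a DC snapshot may stay offline: the forest tombstone lifetime.
# A DC restored from a snapshot older than this will no longer replicate with
# its partners. Run on the lab DC (or any host with the AD module).
function Get-TombstoneLifetimeDays {
    Import-Module ActiveDirectory -ErrorAction Stop
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime
    # When the attribute is unset the forest uses the 60-day default
    # mentioned in the thread.
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

# --- 2. Detect and repair the mismatch described above.
# Test-ComputerSecureChannel returns $false when this machine's stored
# machine-account password no longer matches the DC's copy (the "committed
# on one side, undone on the other" case). Windows 2003 equivalent:
#   nltest /sc_verify:<domain>
# -Repair resets the password on both sides at once; the Windows 2003 way is
#   netdom reset <member> /Domain:<domain> /UserO:<admin> /PasswordO:*
# If even that fails, the remaining option is the one the post gives:
# remove the member from the domain and rejoin it.
function Repair-LabSecureChannel {
    param([Parameter(Mandatory = $true)][pscredential]$DomainAdmin)

    if (Test-ComputerSecureChannel) { return 'healthy' }
    if (Test-ComputerSecureChannel -Repair -Credential $DomainAdmin) { return 'repaired' }
    return 'failed: remove the member from the domain and rejoin it'
}

# --- 3. Stop the 30-day machine-account password change in a snapshot lab.
# Both values are REG_DWORD under Netlogon\Parameters:
#   DisablePasswordChange = 1 on a member: it never initiates a change.
#   RefusePasswordChange  = 1 on a DC: it rejects change attempts from members.
# These are the same settings exposed by the security policies
# "Domain member: Disable machine account password changes" and
# "Domain controller: Refuse machine account password changes".
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-LabMachinePasswordPolicy {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Member', 'DC')][string]$Role,
        [switch]$Revert    # set back to 0 before the guest leaves the lab
    )
    $name  = if ($Role -eq 'DC') { 'RefusePasswordChange' } else { 'DisablePasswordChange' }
    $value = if ($Revert) { 0 } else { 1 }

    New-ItemProperty -Path $NetlogonKey -Name $name -PropertyType DWord `
                     -Value $value -Force | Out-Null
    # Netlogon reads its parameters at start-up; restart it so the change applies.
    Restart-Service Netlogon

    return (Get-ItemProperty -Path $NetlogonKey -Name $name).$name
}

# Usage on the lab DC:
#   Get-TombstoneLifetimeDays
#   Set-LabMachinePasswordPolicy -Role DC
# Usage on a lab member:
#   Repair-LabSecureChannel -DomainAdmin (Get-Credential 'LAB\Administrator')
#   Set-LabMachinePasswordPolicy -Role Member
```

The registry values are a lab-only convenience. Outside a disposable lab the periodic rotation is what limits how long a machine-account password lifted from an old backup or a copied VHD remains usable, so leave both values at 0 (or clear them with -Revert) on anything that will ever be joined to a real domain.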
 
ptwilliams

Paul, I see your point and respect your wisdom (VPC MVP) and agree with most
of your points; however, I don't believe that the secure channel password
issue is such an issue. In my experience, most of the time the account is
reset in the normal course of things (and an error logged on the logon DC).

I run a rather large domain in VMWare, and until I update VMWare (because of
the memory limitations) I cannot have all servers online at once. I often
update and change things, and then knock off for days at a time, and I don't
have any problems. I see the secure channel auto-reset loads at work - with
our remote workers (the slackers obviously don't log on for months at a time
<g>).

 
Paul Adare - MVP - Microsoft Virtual PC

You've completely missed my point and you're comparing apples to oranges
here. If you have a member server and a DC up at the same time, and the
secure channel password changes, and you then undo the changes to one of
the systems and commit the changes to the other, you have a mismatch of
the secure channel password.
The case you're referring to is different in that you're talking about a
member server that is not on-line for a length of time. In that case,
since the member server is not powered on, it can't change its secure
channel password. If you leave it off-line long enough for the secure
channel password to expire, it will use the old secure channel password
to authenticate against a DC, at which time it will change the secure
channel password.
Two totally different concepts.
 
ptwilliams

Ha ha.

Yes, I did miss the point!

Well, thanks for clearing that up for both me and Zane, the original
poster...
 
Ulf B. Simon-Weidner [MVP]

Zane said:
This is a standalone DC, meaning no other DCs to replicate to - my concern
was as a standalone VPC Guest machine and possible security resets.

Hello Zane,

One thing to clarify:
If you have a standalone machine in the VPC you do not need to be
concerned about any secure channel passwords - this is only the case if
you have it as part of any other domain (even as a partner in a
trust relationship). In this context a standalone machine is also a DC
which holds its own domain and has no other domain members, DCs or
trusts.
 
mopey

ha - thx guys - so in short... in the single DC / machine demo environment I
have, it does NOT matter because there is nothing to sync to (replication-wise
or secure channel-wise - servers or workstations).
 
Herb Martin

mopey said:
ha - thx guys - so in short... in the single DC / machine demo environment I
have, it does NOT matter because there is nothing to sync to (replication-wise
or secure channel-wise - servers or workstations).

Yes, that is correct.
 