<lecture mode on> When a Windows computer joins a domain, it establishes a secure channel with the directory service (be it the NT directory or Active Directory). This secure channel is used to pass information, using a specific cryptographic method, between the Windows computer and a domain controller (or between domain controllers in different domains). In Windows NT, the cryptographic method was based on NTLM. In Windows 2000 and above, it is based on Kerberos.
By default, and behind the scenes, Windows automatically changes the password it uses to establish this secure channel every 7 - 30 days (another value that has changed over the years). Within that lifetime times 2, a machine is allowed to automatically resync to a new password. Outside of that, the secure channel must be reset. The standard way of resetting a secure channel is to remove the Windows computer from the domain and then rejoin it. However, there are two tools that can do it as well. They are nltest.exe and netdom.exe. </lecture mode off>

http://support.microsoft.com/default.aspx/kb/260575/EN-US/ for netdom and http://support.microsoft.com/kb/181171 for nltest.

Regards,

Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 4:40 PM
To: NT System Admin Issues
Subject: RE: Domain Offline More than 2 Months

Thanks Michael,

Can you elaborate a bit more on that?

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 1:33 PM
To: NT System Admin Issues
Subject: RE: Domain Offline More than 2 Months

Seems to me that if you have a single DC that holds all the FSMO roles, that one should still be able to log in. Then you could reset the secure channels for each computer using nltest or netdom.

Regards,

Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 4:28 PM
To: NT System Admin Issues
Subject: Domain Offline More than 2 Months

So we talked about this a while back and today I got a call from someone who has a lab network that has been off at least two months (I swear it's not me!). As you can imagine nothing works now. Before I tell him he is SOL, is there any magic bullet for this?

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2008 3:45 PM
To: NT System Admin Issues
Subject: RE: DC Offline

The default tombstone lifetime is 60 days. Unless you changed it (not advisable) it is either that, or higher (don't ask - there was a bug that made it 180 for a while).

Regards,

Michael B. Smith
MCITP:SA,EMA/MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2008 6:37 PM
To: NT System Admin Issues
Subject: DC Offline

I know we have discussed this before, but I probably didn't pay attention and now I need to know. How long can a DC remain offline before it goes sour? I have a need to build a small network then ship it off somewhere. It may end up staying in the crate for a few days as well, so let's say it could be off for a week. It would be a standalone domain and this would be the only DC for it. It's demo stuff.
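The following PowerShell script is an added example, not code from this thread or from the tools it mentions. It puts the two points discussed above into something an administrator can run: checking a member's secure channel and resetting it without a leave/rejoin (the nltest/netdom approach from the first message), and reading the forest's tombstone lifetime to judge how long a DC can stay offline (the last exchange). It assumes an elevated Windows PowerShell session on a domain member with the ActiveDirectory module installed and a reachable DC; the $DomainName and $RepairCred parameters are placeholders you supply, and the tombstone default of 60 days is used only when the attribute is unset.

```powershell
# Added example (not from the thread). Assumes: elevated Windows PowerShell on a
# domain member, ActiveDirectory module available, a DC reachable for the domain.
param(
    [string]$DomainName = $env:USERDNSDOMAIN,   # placeholder: domain to check
    [pscredential]$RepairCred = $null           # placeholder: account allowed to reset the machine password
)

function Get-MachinePasswordAgeDays {
    # How long ago this computer's account password was last set, read from AD.
    # Compare against the Netlogon MaximumPasswordAge (default 30 days); a machine
    # that has been off far longer than that is the case the thread describes.
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties pwdLastSet
    $lastSet = [DateTime]::FromFileTime([int64]$acct.pwdLastSet)
    $maxAge  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').MaximumPasswordAge
    if (-not $maxAge) { $maxAge = 30 }   # Netlogon default when the value is absent
    [pscustomobject]@{
        PasswordLastSet = $lastSet
        AgeDays         = [int]((Get-Date) - $lastSet).TotalDays
        MaxAgeDays      = [int]$maxAge
    }
}

function Test-SecureChannelHealth {
    param([string]$Domain)
    # Test-ComputerSecureChannel returns $true when the channel to a DC is intact.
    $healthy = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    # nltest reports which DC the channel is established with and its status (KB 181171).
    nltest /sc_query:$Domain | Out-Host
    if (-not $healthy) { Write-Warning "Secure channel to $Domain is broken." }
    return [bool]$healthy
}

function Repair-SecureChannel {
    param([string]$Domain, [pscredential]$Credential)
    # -Repair resets the machine account password on both the member and the DC,
    # which is what nltest /sc_reset or netdom reset do, with no leave/rejoin.
    if ($Credential) {
        $result = Test-ComputerSecureChannel -Repair -Credential $Credential
    } else {
        $result = Test-ComputerSecureChannel -Repair
    }
    # Equivalent command-line forms from the tools named in the thread:
    #   nltest /sc_reset:$Domain
    #   netdom reset $env:COMPUTERNAME /domain:$Domain /userO:<admin> /passwordO:*
    return [bool]$result
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the Configuration NC.
    # When the attribute is not set, the directory uses the 60-day default the thread cites.
    Import-Module ActiveDirectory
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                          -Properties tombstoneLifetime
    if ($dsObj.tombstoneLifetime) { return [int]$dsObj.tombstoneLifetime }
    return 60
}

# Usage: report first, repair only when the check fails.
Get-MachinePasswordAgeDays | Format-List
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
if (-not (Test-SecureChannelHealth -Domain $DomainName)) {
    if (Repair-SecureChannel -Domain $DomainName -Credential $RepairCred) {
        "Secure channel to $DomainName reset successfully."
    } else {
        Write-Warning "Reset failed; the DC may be unreachable or the account lacks rights."
    }
}
```

Run the check on a member that can reach a DC; a DC that has itself been offline past the tombstone lifetime is a different problem, since the secure channel reset only repairs the member's machine account password, not directory replication.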
