
We are setting up a training environment to be used after the summer holiday. Management wants us to set up clients now, before the vacation. Since the clients are to be shipped away, they will be offline until the training starts. That means that the clients will be out of touch with the AD for roughly 15 weeks. Also, since nobody will be here, the servers will be shut down for about six to eight weeks. The tombstone lifetime is set to 180 days.

Can this 15 week period generate any problems for the clients? Should we try to persuade management to postpone client installation until after the vacation?

Sandokan
  • How long does it take you to set up? Are you concerned about patches/updates/AV updates/etc. during that window? – TheCleaner May 22 '13 at 13:10
  • Patches and such are not a concern. Since it's just a training system, all we really care about is that clients don't go into some kind of tombstone mode. – Sandokan May 22 '13 at 13:11
  • I agree with Ryan below, but if the "build" doesn't require GPOs, etc. to get them to the state they need for training, you could also build them up and then wait to add them to the domain until after the summer vacation when you boot them back up. – TheCleaner May 22 '13 at 13:15

1 Answer


It'll be fine.

Here's a little blurb from Sean Ivey from Microsoft; a pretty smart guy:

Ok, as long as we're talking about domain members, and not domain controllers then for all practical purposes they could be turned off indefinitely with no problem. When you finally turn them back on, the netlogon scavenger will run, contact a domain controller, and reset the password for the computer account.

The important thing to remember is that a computer account password reset is driven by the CLIENT, not the domain controller. So, as long as the client doesn't try to change its password, then the password will not be changed.

Take a look at this link when you get a chance. I've pulled out the relevant parts:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

"Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where never is anything prior to the time of the attempt – time to refresh the secure channel), then we will not change the password locally.

The relevant Netlogon parameters that come into play and we can think about changing here are:

ScavengeInterval (default 15 minutes), MaximumPasswordAge (default 30 days), DisablePasswordChange (default off)."

I hope this helps!

Ryan Ries
  • Which means that clients and not only servers fall under the tombstone concept? – Sandokan May 22 '13 at 13:13
  • No, really, all you need to worry about are the domain controllers. Domain members can be powered off indefinitely and still be brought back. – Ryan Ries May 22 '13 at 13:27
  • @Sandokan Not for active machine accounts. Tombstones are there to flag *deleted* accounts for the sake of replication (so the delete operation can be replicated among DCs). The trouble which occurs after a *DC* has been switched off longer than TombstoneLifeTime is that it might not process all the deletions which have occurred since it has been switched off (as the older ones might be pruned), so directory replicas might become out-of-sync. This is nothing you need to worry about with clients or in a case where you mothball the entire domain for a prolonged period of time. – the-wabbit May 22 '13 at 13:51