joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Poll on the understanding of how Machine Account Joins and Machine Account Password Changes work under the covers

by @ 3:31 pm on 9/7/2012. Filed under tech

I am looking into an issue related to the subject, the background functioning of Domain Join (which involves setting the computer account password in the domain) and also Computer Account Password Changes in general.

My understanding, which now appears to possibly be flawed based on some lab testing, is that computer account password changes are treated like normal userid password changes and hence are forwarded to the PDC immediately (assuming no AvoidPdcOnWan setting). Once there, if a client hits a DC that doesn’t have the current password, that DC will chain the request to the PDC (again assuming no AvoidPdcOnWan setting).
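A read-only diagnostic for the path described above, added here as an example and not part of joe’s original post: it reports the local Netlogon AvoidPdcOnWan setting, then pulls the computer account’s pwdLastSet from every DC and flags any DC whose view differs from the PDC emulator’s, which is where a secure channel failure would show up for clients that happen to authenticate against that DC. It assumes the RSAT ActiveDirectory module is available and that the caller can read each DC; the computer name is a constructed placeholder.

```powershell
param(
    [string]$ComputerName = 'WORKSTATION01'   # constructed placeholder, not from the post
)
Import-Module ActiveDirectory

# 1. Does this host's Netlogon client suppress the immediate forward to the PDC?
#    A missing value means the default behaviour (forward to the PDC emulator).
$nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$avoid = (Get-ItemProperty -Path $nlParams -ErrorAction SilentlyContinue).AvoidPdcOnWan
if ($null -eq $avoid) { $avoid = 0 }
"AvoidPdcOnWan on this host: $avoid"

# 2. Identify the DC holding the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# 3. Read pwdLastSet for the computer account directly from every DC (no referral),
#    so each row reflects that DC's own copy rather than whatever DC answered first.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    $isPdc = ($dc.HostName -ieq $pdc)
    try {
        $acct = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                               -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DC         = $dc.HostName
            IsPDC      = $isPdc
            PwdLastSet = [DateTime]::FromFileTimeUtc([int64]$acct.pwdLastSet)
        }
    } catch {
        # DC unreachable or account not present on that DC: record it as unknown.
        [pscustomobject]@{ DC = $dc.HostName; IsPDC = $isPdc; PwdLastSet = $null }
    }
}
$rows | Sort-Object PwdLastSet -Descending | Format-Table -AutoSize

# 4. Any DC that disagrees with the PDC is a candidate for the "no machine account /
#    secure channel cannot be established" symptom until replication catches up.
$pdcRow = $rows | Where-Object IsPDC
$stale  = $rows | Where-Object { -not $_.IsPDC -and $_.PwdLastSet -ne $pdcRow.PwdLastSet }
if ($stale) { "DCs whose pwdLastSet differs from the PDC:"; $stale.DC }
else        { "All DCs agree with the PDC on pwdLastSet for $ComputerName." }

# 5. On the affected workstation itself, verify (not reset) the secure channel:
#    Test-ComputerSecureChannel -Verbose
```

Run it from a management host with domain read rights; step 5 is left commented because Test-ComputerSecureChannel is meaningful only on the workstation whose channel is in question.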

Does anyone know the process to be different and, especially, have any documentation showing it to be anything other than that? Does anyone have any documentation showing that how I described it is how it is supposed to work? Does anyone know of any variations in functionality based on OS version?

Now further, has anyone noticed an uptick in machine account issues (i.e. things like secure channel cannot be established or machines claiming they don’t have a machine account) after they deployed Windows Server 2008 R2 Domain Controllers (perhaps Windows Server 2008 – I am just now building out the test forest for that scenario)?

It could be just me, but overall I feel I am hearing about more and more machine account secure channel issues as of the last few years.

Any and all thoughts are welcome; I want to understand the general consensus on how people think this works or is supposed to work. Please respond in comments below or via email to joe@joeware.net.


Thanks, joe


3 Responses to “Poll on the understanding of how Machine Account Joins and Machine Account Password Changes work under the covers”

  1. David Loder says:

    Any of those that I’ve seen are related to the issue I reported specific to RODC coverage in disjoint namespaces whose solution is available as a hotfix. http://dloder.blogspot.com/2012/02/my-first-hotfix-kb2659158.html and http://support.microsoft.com/?kbid=2659158.

  2. Scotte says:

    We’ve seen a rash of machines losing their domain membership. The account still exists on the DC, often with recent change times, but no joy. It seems to be machines that have been offline all summer. It’s hard to pin it to 2008R2 since we’ve been on that since 9/2010, but have only recently noticed. If I didn’t know better, it feels like the machines have been off long enough for their password to expire and the next time they come online, they’re unable to change it.

  3. Hadministratora says:

    We had a spike of these about 3 months ago. I have no clue why it was happening and how/why it stopped.
    Our infrastructure team did not quite believe me when I told them we see machines dropping out of the domain too frequently.
