- Computers that have not logged in to the domain for a long time are automatically dropped from the domain, so is it true that computers that do not log in for more than 30 days will be out of the domain?
- In my environment I found several computers that had not logged in to the domain for a long time (two or three months) because their users were on leave or travelling. I disabled these computers 30 days ago; today I enabled them again and found that they can still log on to the domain. The network between the computers and the domain controller is normal. How do you explain this? (Domain functional level: Windows Server R2)
Answer: From your description, my understanding of this problem is that you want to know whether a computer that has not logged in for more than 30 days will definitely drop off the domain.
By default, a domain computer changes its computer password every 30 days, and the password is present both on the local computer and in AD. At the same time, the computer itself saves two passwords locally: the current password and the previous password. When the computer tries to establish a secure channel with the DC, it first uses the latest password; if that password is not valid, it then tries the previous password; if neither password matches the password stored in the AD domain, the secure channel between the computer and the DC is broken and we will not be able to log on to this computer with a domain account. Because we do not know when the computer password was changed, in general the time range after which the computer cannot log on to the domain is 31-60 days. See the article from Active Directory SEO: http://adirectory.blog.com/category/active-directory/
There are two different situations:
- A shut-down computer will not change its computer password until it starts up.
- If a computer that has been added to the domain is running but is not connected to the corporate network, it will still change its password every 30 days.
The time at which the computer drops off the domain is not random; it is determined by the last time the computer was able to contact the DC for a password change. For example: if the computer is due to change its password in 10 days and from that time on it is no longer in the domain environment, then it will be unable to log on to the domain 40 days later.
Specifically: suppose its last password in the domain is Password1 (remaining validity: 10 days). After 10 days it needs to change the password and changes it to Password2 (valid for 30 days). At this point the passwords saved on the computer are Password1 and Password2, and the password saved on the DC side is Password1. On the 35th day, if the computer is connected to the corporate network, it will first try to use Password2 to establish a secure channel with the DC; because the DC does not have this new password, the computer tries again with Password1. Because the DC has this password, the passwords match, the secure channel is established successfully, and the computer can log on to the domain.
However, if it is the 45th day, the computer has by then changed its password for the second time, say to Password3. The passwords saved on the computer are then Password2 and Password3, while the password saved on the DC side is still Password1. When the computer is connected to the company network, it will try to use Password3 and Password2 to establish a secure channel with the DC; because the password stored on the DC is Password1, they cannot match, the secure channel is not established, and the computer will not be able to log on to the domain environment.
However, since we cannot tell exactly when the computer changes its password, in a sense you can assume that the period after which the computer is no longer able to log on to the domain is random within 31-60 days.
from:http://adirectory.blog.com/2015/02/computer-disconnects-from-domain/
Computer Off-Domain
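The checks an administrator would run on a member that has been away from the network for a long time, as an added example that is not part of the original post or the linked article. It verifies the secure channel the answer describes, reads the rotation settings that govern the 30-day interval, compares with what AD recorded, and repairs the channel in place rather than leaving and rejoining the domain. The domain name EXAMPLE.LOCAL, the account EXAMPLE\admin and the 90-day cutoff are placeholders; step 3 assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the original post. Run on the affected domain member
# as a local administrator. Domain name, account and cutoff are placeholders.

# 1. Is the secure channel to a DC currently valid?
#    $true means the machine password stored locally still matches AD.
$channelOk = Test-ComputerSecureChannel -Verbose
nltest /sc_query:EXAMPLE.LOCAL   # same check from the Netlogon side; also names the DC

# 2. How is machine password rotation configured on this member?
#    MaximumPasswordAge defaults to 30 days; DisablePasswordChange = 1 stops rotation.
#    Both correspond to the "Domain member: ..." settings in Group Policy.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $netlogon -Name MaximumPasswordAge, DisablePasswordChange -ErrorAction SilentlyContinue

# 3. AD's view of this account: when did a DC last accept a password change
#    for it, and when did it last log on? (Requires the ActiveDirectory module.)
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, PasswordLastSet, LastLogonDate

#    The same query over the whole domain finds accounts whose password has not
#    been set for longer than the placeholder cutoff, i.e. members that have not
#    reached a DC in that time (long absences, or stale accounts to review).
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter 'PasswordLastSet -lt $cutoff' -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet |
    Sort-Object PasswordLastSet

# 4. If the secure channel is broken, reset the machine password in place.
#    This keeps the computer object, its SID and group memberships intact.
if (-not $channelOk) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'EXAMPLE\admin')
}
```

Step 1 answers the question the poster actually asked: whether the computers are still trusted, regardless of how long they were absent. Step 4 is preferable to removing and re-adding the computer because the AD computer object, and everything that references its SID, is left untouched.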