How long can a client be turned off in AD?

12

We are setting up a training environment to be used after the summer holidays. Management wants us to create the clients now, before the holidays. Since the clients have to be shipped, they will be offline until the training starts. This means the clients will be without contact with AD for approximately 15 weeks. In addition, since nobody will be here, the servers will be shut down for about six to eight weeks. The tombstone lifetime is configured to 180 days.

Could this 15-week period cause any problems for the clients? Should we try to persuade management to postpone the client installation until after the holidays?

by Sandokan 22.05.2013 / 15:03

1 answer

19

It's fine.

Here is a short synopsis from Sean Ivey at Microsoft; a very smart guy:

Ok, as long as we're talking about domain members, and not domain controllers then for all practical purposes they could be turned off indefinitely with no problem. When you finally turn them back on, the netlogon scavenger will run, contact a domain controller, and reset the password for the computer account.

The important thing to remember is that a computer account password reset is driven by the CLIENT, not the domain controller. So, as long as the client doesn't try to change its password, then the password will not be changed.

Take a look at this link when you get a chance. I've pulled out the relevant parts:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx "Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where never is anything prior to the time of the attempt – time to refresh the secure channel), then we will not change the password locally.

The relevant Netlogon parameters that come into play and we can think about changing here are:

ScavengeInterval (default 15 minutes), MaximumPasswordAge (default 30 days), DisablePasswordChange (default off)."

I hope this helps!

by 22.05.2013 / 15:11
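An added example, not part of the question or the answer above, that checks the three Netlogon parameters the quoted text names, the client's secure channel, and the age of its machine account password; it assumes the RSAT ActiveDirectory module is installed and the current user can read computer objects in the domain.

```powershell
# Added example (not from the question or answer): audit the client-driven
# machine account password settings on a domain member and the account's
# password age in AD. Assumes the ActiveDirectory (RSAT) module is available.

# 1. Local Netlogon parameters governing the client-driven password change.
#    A missing value means the default from the answer applies
#    (ScavengeInterval is stored in seconds: 900 = 15 minutes).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$defaults = [ordered]@{ MaximumPasswordAge = 30; DisablePasswordChange = 0; ScavengeInterval = 900 }
foreach ($name in $defaults.Keys) {
    $value = (Get-ItemProperty -Path $netlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = "$($defaults[$name]) (default)" }
    '{0,-22} {1}' -f $name, $value
}

# 2. Is the secure channel to a DC still valid? Read-only check, no repair.
$channelOk = Test-ComputerSecureChannel
"Secure channel OK:     $channelOk"

# 3. Age of this computer's account password as recorded in AD. An age well
#    beyond MaximumPasswordAge usually means the machine was simply offline,
#    which by itself does not break the account (see the quoted text).
Import-Module ActiveDirectory
$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
"Password last set:     $($acct.PasswordLastSet) ($ageDays days ago)"

# 4. Domain-wide: list computer accounts that have not changed their password
#    within a chosen window. Useful for spotting long-offline or abandoned
#    machines before anyone decides to delete or re-join them.
$staleDays = 90   # constructed threshold; adjust to the site's own policy
Get-ADComputer -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays) } |
    Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Run it on the shipped client after it comes back online: step 2 should return True and step 3 should show the password being reset shortly afterwards, once Netlogon has scavenged.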