Re: Copying machine account password

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 02/18/05 

Date: Fri, 18 Feb 2005 07:53:04 -0500

I'm having trouble seeing the value in having the machine account identical,
because I would think there must be better seemless fault tolerance
solutions. I have never heard of a failover scenario that requires this.
If you need immediate "seemless" failover or high availability with almost
zero tolerance for downtime, you normally use clustering, or some third
party solution, or authenticate against Windows domain accounts that are
stored on multiple domain controllers, or authenticate against users in the
machine's local account database where machine password is irrelevant to
authentication.. If you don't need that, you go with Microsoft's standard
recommendations for making a backup server. Or, just accept that in the
rare event of a failure that your redundant hardware does not prevent, you
might have a few hours of downtime.

Since the actual password is not stored anywhere, just a one-way hash that
is not supposed to be reversible, the only way I know of to get it is to use
l0phtcrack or something similar to obtain the account password hash or hash
database and brute force it. If the password had changed and this was
preventing you from doing a restore, this takes way longer than it would to
re-create the machine account in the domain.

"Konda Ankireddyapalli" <kondapadmaja@sbcglobal.net> wrote in message
news:KWLQd.534$Pz7.291@newssvr13.news.prodigy.com...
> Hello all,
>
> We have a 'failover' scenario from a windows 2003 server to another
windows
> 2003 server during which we need to copy the machine account password(long
> term secret) from old server to the new server, to enable seemless
kerberos
> authentication of our services. Is there a way to get this? If not is
there
> a way to set it to particular value? Tools like netdom just resets it to
> some random(?) string but not to user-supplied value.
>
>
> Thanks in advance,
> Konda
>
>

Relevant Pages

  • Re: Copying machine account password
    ... I'm having trouble seeing the value in having the machine account identical, ... If you need immediate "seemless" failover or high availability with almost ... or authenticate against users in the ... recommendations for making a backup server. ...
    (microsoft.public.windows.server.security)
  • Re: Copying machine account password
    ... I'm having trouble seeing the value in having the machine account identical, ... If you need immediate "seemless" failover or high availability with almost ... or authenticate against users in the ... recommendations for making a backup server. ...
    (microsoft.public.security)
  • ntlm_auth question
    ... I want to authenticate a machine account against an AD server using ntlm_auth. ... Norbert Wegener ...
    (comp.protocols.smb)
  • Re: Windows XP Computer Object Password Change Process with AD
    ... Each Windows-based computer maintains a machine account password history ... It will change the password as soon as it try to authenticate against AD, ... Netlogon attempts to set up a secure channel ... reset the computer's account. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Cached credentials and password expiration
    ... I believe that when the machine account is hosed ... > access to a domain controller during the logon process. ... > are connected to the VPN on a very regular basis, ... Doesn't it authenticate the user through AD? ...
    (microsoft.public.windows.server.active_directory)
Loading