Neverfail Heartbeat and Machine Account Passwords

Summary

This Knowledgebase article provides information about how Machine Account Password changes are handled on a pair of servers protected by Neverfail Heartbeat.


More Information

Background

When a computer is joined to a domain, a Machine Account is created for it in Active Directory and Windows generates a password for this account. When the computer is started, Netlogon uses the Machine Account Password to establish a secure channel between the server and the domain which allows services running on the server to access domain resources.
The Machine Account Password is shared by the computer and the domain controllers and, for security reasons, it is changed periodically (by default, every 30 days). The change is initiated by the domain member, not by the domain controller. Each server keeps a local copy of its Machine Account Passwords (the current one and the previous one) as an LSA secret under
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC
If desired, automatic Machine Account Password changes can be disabled by setting the following REG_DWORD registry value to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange

When Neverfail Heartbeat is installed on a group of servers that are configured to change the Machine Account Password regularly, it interferes with the process. Each server must be able to contact a domain controller in its domain to change the password, and in a Neverfail group the passive server(s) cannot do so. Once Neverfail is installed, only the active server is able to change the password.

Behavior with Neverfail Heartbeat versions v6.5.1 and earlier

If Neverfail Heartbeat version 6.5.1 or earlier is installed and one of the servers remains in the active role long enough to change the Machine Account Password, the other server(s) will no longer be able to authenticate in the domain should they become active (after a switchover or failover), because they still hold the old password. The trust relationship between those servers and the domain must then be restored. The safest way is to back up the System State of the server that is still trusted in the domain (while it is active) and restore it to the server(s) that are no longer trusted.

Workaround: Disable Machine Account Password changes using the following procedure on each server in the Neverfail group (any of them can become active later):

  1. Launch Regedit.exe
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Set the REG_DWORD value DisablePasswordChange to 1 (create it if it does not exist).
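The same change done from PowerShell, with a read-back check and a secure channel test, as an added example (it is not part of this article and not Neverfail's own tooling). It assumes an elevated PowerShell 3.0 or later session on the server being changed; the registry key and value are the ones named above and nothing else is assumed. The GPO described in KB #1705 ("Domain member: Disable machine account password changes") writes this same value.

```powershell
# Added example, not Neverfail's code. Run elevated on EVERY server in the
# Neverfail group, since any of them may hold the active role later.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'DisablePasswordChange'

function Get-MachinePasswordChangeState {
    # Returns 0 (changes enabled), 1 (changes disabled) or $null (value absent,
    # which Netlogon treats the same as 0).
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Disable-MachinePasswordChange {
    # Creates or overwrites the REG_DWORD value and returns the value read back.
    if (-not (Test-Path $key)) { throw "Netlogon parameters key not found: $key" }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $now = Get-MachinePasswordChangeState
    if ($now -ne 1) { throw "Failed to set ${name}: read back '$now'" }
    return $now
}

Write-Host "Before: DisablePasswordChange = $(Get-MachinePasswordChangeState)"
Disable-MachinePasswordChange | Out-Null
Write-Host "After:  DisablePasswordChange = $(Get-MachinePasswordChangeState)"

# Confirm the secure channel to the domain is still healthy on this node.
# Test-ComputerSecureChannel has to reach a DC, so on a passive node that is
# isolated from the public network it is expected to fail; run it on the active
# node (or on each node while it is active).
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $env:USERDOMAIN is OK"
} else {
    Write-Warning "Secure channel is broken; see KB #1491 to re-establish the trust relationship"
}
```

Setting the value only stops future automatic changes; it does not repair a server whose stored password already differs from the one in Active Directory, for which the System State restore described above or KB #1491 is still required.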

Behavior with Neverfail Heartbeat versions 6.5.2 and later

Starting with Neverfail Heartbeat version 6.5.2, and depending on the license, features and configuration (listed below), the Machine Account Password can be replicated from the active server to the passive server(s). When it is replicated, automatic Machine Account Password changes can be left enabled: the passive servers receive the new password and so do not lose their trust relationship with the domain when the active server changes it. In the configurations where the password is not replicated, the workaround above (disabling automatic password changes on every server) still applies.

Machine Account Password Replication Scenarios

Server setup: Common License
Details: Full Neverfail Heartbeat license; servers have the same name in the domain.
Machine Account Password replicated: Yes

Server setup: Replicator
Details: Neverfail Replicator license; servers have the same name in the domain.
Machine Account Password replicated: No

Server setup: Cluster Protector
Details: Full Neverfail Heartbeat license; servers have the same name in the domain; the license contains the extensions for Neverfail ClusterProtector.
Machine Account Password replicated: No

Server setup: Servers have different names
Details: Full Neverfail Heartbeat license; servers have different names in the domain.
Machine Account Password replicated: No

Server setup: Servers not in a domain
Details: Full Neverfail Heartbeat license; servers have the same name but are not members of a domain.
Machine Account Password replicated: No

Server setup: Only one server in the domain
Details: Full Neverfail Heartbeat license; servers have the same name but only the Primary is in the domain; the Secondary is not.
Machine Account Password replicated: No

Server setup: Servers have the same name but different capitalization
Details: Full Neverfail Heartbeat license; servers have the same name in the domain but with different capitalization.
Machine Account Password replicated: Yes

Unsupported cases

Neverfail Heartbeat v6.5.2 and later replicates the machine account password, but always from the active server to the passive server(s). If a passive server is able to reach a Domain Controller and initiates a Machine Account Password change itself, the new password is not replicated back to the active server. The next time the active server has to re-establish its secure channel (for example after a restart), its password is no longer recognized and its trust relationship with the domain is lost. This can happen if the server has a management IP in the same subnet as the Public IP (against the recommendations in KB 208) or a static route that lets it reach a Domain Controller.
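A check for this unsupported situation, as an added example that is not part of this article or of Neverfail's tooling: run on a passive node, it reports whether the node can open a TCP connection to a Domain Controller (which a passive node should not be able to do), which interface and route the connection uses, and whether automatic password changes are still enabled, i.e. the combination that lets the passive node rotate the password behind the active node's back. The DC host names are assumed placeholders to be replaced with your own; PowerShell 4.0 or later is assumed for Test-NetConnection and Get-NetRoute.

```powershell
# Added example, not Neverfail's code. Run elevated on a PASSIVE node.
# The DC names are assumed placeholders; substitute the DCs of your domain.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')

function Get-DcReachability {
    param([string[]] $Dcs)
    foreach ($dc in $Dcs) {
        # A TCP connect to LDAP (389) is enough to prove a network path to the DC exists.
        $t = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = [bool]$t.TcpTestSucceeded
            ViaInterface     = $t.InterfaceAlias
            SourceAddress    = if ($t.SourceAddress) { $t.SourceAddress.IPAddress } else { $null }
        }
    }
}

function Get-PasswordChangeDisabled {
    # True only when DisablePasswordChange exists and is 1 on this node.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                          -Name DisablePasswordChange -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.DisablePasswordChange -eq 1)
}

$reach = Get-DcReachability -Dcs $DomainControllers
$reach | Format-Table -AutoSize

# Manually configured routes are the usual reason a passive node can reach a DC;
# list them so the offending route (or management-subnet interface) can be identified.
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.Protocol -eq 'NetMgmt' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias | Format-Table -AutoSize

$exposed  = @($reach | Where-Object Reachable).Count -gt 0
$disabled = Get-PasswordChangeDisabled
if ($exposed -and -not $disabled) {
    Write-Warning ("This passive node can reach a DC and DisablePasswordChange is not set: " +
                   "it could change the machine account password, and the new password would " +
                   "not flow back to the active node. Remove the route or management IP (KB 208) " +
                   "or set DisablePasswordChange = 1 on this node.")
} elseif ($exposed) {
    Write-Warning "This passive node can reach a DC. Password changes are disabled here, but the network setup still contradicts KB 208."
} else {
    Write-Host "No DC reachable from this passive node; replication from the active node is the only way it receives the password."
}
```

Run it after every change to the management network or static routes on a passive node, and before re-enabling automatic password changes on a pair that was upgraded from 6.5.1 or earlier.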

Applies to

All Versions


Related Information

Knowledgebase article #1705 - How to Configure the 'Disable Machine Account Password Changes' GPO on Servers Running Neverfail Heartbeat
Knowledgebase article #1491 - How to Re-establish the Trusted Relationship with the Domain

Microsoft Knowledgebase articles:
http://support.microsoft.com/kb/162797
http://support.microsoft.com/kb/154501
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

KBID-2630
