Windows Server

Konda Ankireddyapalli · Guest

Hello all,

We have a 'failover' scenario from a windows 2003 server to another windows
2003 server during which we need to copy the machine account password(long
term secret) from old server to the new server, to enable seemless kerberos
authentication of our services. Is there a way to get this? If not is there
a way to set it to particular value? Tools like netdom just resets it to
some random(?) string but not to user-supplied value.

Thanks in advance,
Konda

Karl Levinson, mvp · Guest

I'm having trouble seeing the value in having the machine account identical,
because I would think there must be better seemless fault tolerance
solutions. I have never heard of a failover scenario that requires this.
If you need immediate "seemless" failover or high availability with almost
zero tolerance for downtime, you normally use clustering, or some third
party solution, or authenticate against Windows domain accounts that are
stored on multiple domain controllers, or authenticate against users in the
machine's local account database where machine password is irrelevant to
authentication.. If you don't need that, you go with Microsoft's standard
recommendations for making a backup server. Or, just accept that in the
rare event of a failure that your redundant hardware does not prevent, you
might have a few hours of downtime.

Since the actual password is not stored anywhere, just a one-way hash that
is not supposed to be reversible, the only way I know of to get it is to use
l0phtcrack or something similar to obtain the account password hash or hash
database and brute force it. If the password had changed and this was
preventing you from doing a restore, this takes way longer than it would to
re-create the machine account in the domain.

"Konda Ankireddyapalli" <kondapadmaja@sbcglobal.net> wrote in message
news:KWLQd.534$Pz7.291@newssvr13.news.prodigy.com...

	Windows Server Forum Index -> Security	All times are GMT
Page 1 of 1