
Computers running Deep Freeze lose connection to, or fall off, the domain with an error that the Trust Relationship between the domain controller and the workstation has failed.

Summary

In some cases, workstations running Deep Freeze may lose connection to the domain and be unable to log on until they are re-joined to the domain.

Background

When computers are configured to use Active Directory, a computer account and password are created in the Active Directory database that allow the workstation to communicate securely with the domain. By default, the password on this computer account is updated on a periodic basis, depending on how the domain has been configured. On a computer running Deep Freeze, changes to this password cannot be retained on the local machine, and after a reboot the computer may not be able to authenticate against the domain. This commonly shows up as an error that the Trust Relationship between the domain controller and the workstation has failed.

Solutions

There are two approaches to this issue:

Allow Deep Freeze to manage password changes.

Deep Freeze 7.6 and higher have provisions to manage changes to the secure channel passwords on the workstations. The software suppresses password changes on the workstation side until the workstation enters a thawed state. Once the computer is thawed, the password is changed and cached on the local workstation.

This feature will require that workstations be thawed on a periodic basis to ensure that the changes can be retained across future reboots. This can be done as part of the normal scheduled update cycle for Windows updates or other 3rd party product updates and will happen in the background provided that the option to manage secure channel password updates is selected.

This option is found in the Configuration Administrator on the Advanced Options tab as “Manage Secure Channel Password” and is enabled by default.

Please Note: This setting will not be effective if you have a policy on your domain controller that forces the passwords to expire after a set period of time. If this is the case, machines must be thawed frequently enough to ensure that passwords can update before they become invalid.

Disable the machine account password changes.

It is possible to configure the domain controllers and the workstations to not change the passwords on the machine accounts with the registry keys below. 

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: RefusePasswordChange
Type: REG_DWORD
Value: 1

 

You can also extend the number of days between changes by applying the following value to domain controllers and workstations.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: MaximumPasswordAge
Type: REG_DWORD
Value: #days up to 1,000,000

 

These can also be configured in the group policy editor (local or domain) under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

  • Domain member: Disable machine account password changes
  • Domain member: Maximum age for machine account password
  • Domain controller: Refuse machine account password changes
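
An added example, not part of the original article: a read-only Windows PowerShell 5.1 script that reports the Netlogon values discussed above and checks whether the secure channel is still intact. `DisablePasswordChange` is the registry value behind the "Domain member: Disable machine account password changes" policy and is not listed on this page; the defaults in the script are the Windows defaults that apply when a value is absent.

```powershell
# Added example: report the machine account password settings and test the
# secure channel. Read-only; run elevated on a domain-joined Windows machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Windows defaults that apply when a value is not present in the registry.
$defaults = [ordered]@{
    DisablePasswordChange = 0    # domain member side (assumption: not listed on this page)
    MaximumPasswordAge    = 30   # days between machine account password changes
    RefusePasswordChange  = 0    # domain controller side
}

$params = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $defaults.Keys) {
    # A missing value means Windows is using its built-in default.
    $present = $params.PSObject.Properties.Name -contains $name
    [pscustomobject]@{
        Name   = $name
        Value  = if ($present) { $params.$name } else { $defaults[$name] }
        Source = if ($present) { 'registry' } else { 'default (value not set)' }
    }
}
$report | Format-Table -AutoSize

# Test-ComputerSecureChannel returns $true when the locally stored machine
# account password still matches the one the domain holds.
try {
    $trusted = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $trusted = $false
    Write-Warning "Secure channel test could not run: $($_.Exception.Message)"
}

if ($trusted) {
    'Secure channel: OK'
} else {
    'Secure channel: BROKEN (the trust relationship error described above)'
}
```

Running it on a frozen workstation after a reboot shows whether the settings survived the freeze and whether the workstation can still authenticate to the domain.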

OSX Workstations

Workstations running OSX that are configured to authenticate against Active Directory can experience the same type of issue. To resolve this issue, the OSX workstations will need to be configured to not update the secure channel password. The process for changing this setting is below:

 

1)      If the client is bound to Active Directory, un-bind it before continuing.

2)      Log into the client Mac as an administrator.

3)      Open Terminal (located in /Applications/Utilities).

4)      Execute the following command to require a password change after X days (where X is the number of days, such as 30):

dsconfigad -passinterval X

5)      Enter your administrator password to confirm the change.

6)      Bind the client to Active Directory.

 

Taken from: http://support.apple.com/kb/HT3422
