This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 45%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hi,
I successfully setup my OnPremise AD domain and office 365 With "Azure AD Connect" and successfully setup the ADFS for authentication.
I also enabled the Hybrid Join Feature for my clients.
All works fine.
My answer is:
what happens to notebooks that do not contact the domain controller for a long time? These are the devices of the consultants who are never on site. Do they lose the trust relationship? Do password caches expire preventing login?
How can I prevent these problems?
I knew that DirectAccess can solve this problem. Can I install it on the Domain Controller where AD Connect and ADFS are already installed? Is there any alternative?
Thanks!
Scenario:
“Users have their PCs at home and are without VPN/connectivity. Many are disconnected for longer than the machine password age setting in my AD. Will there be secure channel/device password issues when people come back into the office and plug back into the LAN? Will users see this at sign-in?”
The answer is “No” - and here’s why:
The password change process on your remote worker’s PCs will kick-off at some point after the MaximumPasswordAge interval is exceeded on the PC. However, in the ‘no AD connectivity’ situation, a DC won’t be discovered/reachable. The machine password change process ‘logic’ is such that if the client can’t connect to a DC, “the process” will shut itself down before the PC’s local registry is updated with a new password - nothing changes on the client.
When these PCs come back to the office in xxx days (or get full VPN connectivity to a DC or whatever), the password change process on the PC will “wake up” again and re-attempt the domain password change process. This time, assuming the PC will be able to find a DC, the process will complete its machine password change (and its corresponding registry update) - and then communicate that new value to the DC it found. This DC updates the password attribute of the computer object in its copy of AD, and then AD replication takes that new value out to other DCs. All will be well.
The netlogon process on the client has been trying this, every so often, while offline - but the process always bailed-out because it couldn’t find/reach a DC.
Can I install it on the Domain Controller where AD Connect and ADFS are already installed?
No, Direct Access server can't be a domain controller and must be a member server.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi Wich GPO can I use to increase the time before secure Channels break?
How many time the notebooks cache the users passowrd?
Best regars
Hi Wich GPO can I use to increase the time before secure Channels break?
How many time the notebooks cache the users passowrd?
Best regars
@Marco Milone · Please refer to below highlighted policy for this purpose.
The last credentials used for successful authentication are cached and the cached passwords are stored in credentials manager which uses persistent memory.
the member computers must connect with the domain controllers via same physical network or via VPN otherwise secure channel breaks after 30 days (by default and can be configured via GPO)
That is not correct!
The domain member initiates the password rotation, and does only so if it can establish a secure connection to a writable domain controller.
If a domain member does not connect to the domain network, does not find a writable domain controller or is turned off, then the computer account password in the domain and on the domain member will not be changed.
@Marco Milone Make sure you have a look at this article: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secure-channel-expired-machine-account-password-concerns/ba-p/1333535