Computer Accounts expire after 30 days?
Can anyone confirm this: While learning PKI, I was told that it's best practice to NOT make your root CA an Enterprise CA. Because you would be taking it offline for security reasons, then after 30 days the computer account would expire. The next time you power it on, you would have to reset its account in AD, then remove and re-add it to the domain. Is this true?
Reason I'm asking is we are issuing laptops to almost all our staff, so if they take them on vacation and don't log in at the office for 30 days, will their computer accounts be expired?
Comments
-
Claymoore Member Posts: 1,637
This article should help clear things up:
Ask the Directory Services Team : Machine Account Password Process
So, as I understand it, if the machine is OFF for more than 30 days nothing happens because the password change is initiated by the client computer - not active directory. If the machine were ON but not connected to the network for 30 days, the client would reset its password but not update AD and then would not be able to authenticate later.
Since the server would be turned off, there would be no problems.
Since your laptops would be on but not connected, there would be an issue. You can change the 30 day value to something much higher via Group Policy, however. Consult the above article for the settings.
If you use a standalone CA rather than an Enterprise CA, you can't use the autoenrollment features necessary for features like NAP. -
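As an added example (not from the thread or the linked article), here is a PowerShell script an admin could use to check the Netlogon settings that the Group Policy options Claymoore refers to control, to list computer accounts whose AD password is older than a threshold before a batch of laptops comes back, and to verify a returning laptop's secure channel before assuming it has to be removed and re-added. The OU path is a placeholder, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original post. Assumes a domain-joined Windows
# machine with the RSAT ActiveDirectory module; the OU below is a placeholder.

# 1) Local Netlogon values written by "Domain member: Maximum machine account
#    password age" and "Domain member: Disable machine account password changes".
#    When a value is absent, the Windows default applies (30 days, changes on).
function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        MaximumPasswordAgeDays  = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
        PasswordChangesDisabled = ($p.DisablePasswordChange -eq 1)
    }
}

# 2) Computer objects whose password in AD is older than the threshold, so the
#    admin sees which laptops have gone quiet instead of finding out at logon.
function Get-StaleComputerAccounts {
    param(
        [int]$OlderThanDays = 30,
        [string]$SearchBase = 'OU=Laptops,DC=example,DC=local'   # placeholder
    )
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties PasswordLastSet, LastLogonDate |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate |
        Sort-Object PasswordLastSet
}

# 3) On a returning laptop (run elevated): test the secure channel first.
#    -Repair resets the machine password with a DC, which avoids the
#    remove/re-add cycle the original question worries about.
function Test-ReturningLaptop {
    param([switch]$Repair)
    if (Test-ComputerSecureChannel) { return 'Secure channel OK' }
    if ($Repair) {
        Test-ComputerSecureChannel -Repair -Credential (Get-Credential) | Out-Null
        return 'Secure channel repaired'
    }
    return 'Secure channel broken'
}

Get-MachinePasswordPolicy
Get-StaleComputerAccounts -OlderThanDays 30
```

Run the first two functions from an admin workstation with RSAT; run Test-ReturningLaptop on the laptop itself, where it needs local administrator rights.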
dynamik Banned Posts: 12,312
Do you have subordinate CAs? If you're just using your root to issue to some subordinates, make it a stand-alone and keep it offline. If you're a smaller organization and that's your own CA, just make it an enterprise and leave it online. The reason you take it offline is that if it gets compromised, you have to start from scratch.
If you only use a small number of certificates, there's no point in having more than one CA. Why issue to a single subordinate CA and use that? You'd be in the exact same position had you been using your root CA. In either scenario, one CA getting compromised will compromise everything.
Compare this to an organization that has a dozen CAs and tens of thousands of certificates. Having your root getting compromised in that situation will cause a much more significant problem than had it been offline and only one of the subordinate CAs been compromised (since only the certificates under that one would be affected). -
rwwest7 Member Posts: 300
I'm not concerned about CAs at all. It was in learning them that I found the machine account password expires in 30 thing. Since it would take me 30 days to test this in the lab, I was hoping someone may have thought of this situation before and tested it.
I have 200 teachers taking laptops home this summer, obviously they won't be logging into the school network for at least 30. So when they come back at the beginning of next school year am I going to be resetting 200 domain computer accounts and removing and re-adding 200 laptops to the domain? Yikes!! -
astorrs Member Posts: 3,139
I believe your root CA can be stand-alone, and then your subordinate CAs can then be Enterprise. You would keep your stand-alone root CA offline. The reason for making your root CA stand-alone is so you can keep it offline and not worry about the domain account expiring.
-
royal Member Posts: 3,352
Actually the real problem is not the account expiring, it's if an Enterprise CA is offline the certificate chain cannot be verified - Windows expects them to be available - whereas a standalone CA is expected to be unavailable so that part of the chain is considered valid whether or not the machine can be contacted.
Well that and the other main reason being for security purposes so your root doesn't get hacked.
“For success, attitude is equally as important as ability.” - Harry F. Banks -