Hello,
Can someone please help me with the following question,
If you have been using AD for any length of time you have probably come across the scenario where a computer cannot log on to the domain and you need to reset the computer account password (netdom, PowerShell etc.).
So I wanted to understand more about computer account password changes and how the above can happen, so I read the following article:
https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
However, the article appears to contradict itself. For example,
it states that the 'computer' (the Netlogon service on the computer) is responsible for changing the computer account password and 'never' AD. In other words (unless an administrator resets the computer account), AD will never change the password of a computer account.
So if you think about the above statement, there should never be a case where the computer account password stored on the computer itself and the one in AD (against the computer object) are out of sync.
The article then goes on to say,
the computer will change its password locally (first) and then try to sync this change to AD; if it cannot communicate with AD it will wait until the next scheduled interval (15 minutes by default) and try again, and again (until it can communicate with AD).
It also says the computer and AD both keep a note of the 'previous' password, so logically, at all times, even if the computer cannot sync the new password it just created to AD (and keeps on trying as above), at least the computer and AD will both have the previous password, which they can both use to maintain the secure channel.
So again, looking at the above, it would be logical that the computer account will always be able to authenticate to AD (even if it had to use the previous password).
However, at the end of the article it tries to show how the current and previous passwords on the computer and the ones in AD can be different (out of sync), but it does not explain how this comes about.
Therefore I assume the following, which is where I need clarification:
I can only assume that if the computer account changes its password, then tries to sync with AD but cannot, and therefore keeps trying, but 31 days go by (e.g. the computer has been trying to sync its new password with AD every 15 minutes but failing, and 31 days have now passed), the computer will think it is time to change its password 'again' (despite the fact that it has not managed to sync the password from the last time it changed it), then change the password 'again', storing the last password change (the one that did not sync) in the previous password value, and then try to sync the new password (the new new one, if you like) to the DC. At this point both computer passwords (current and previous) would be different on the computer and in AD.
Is my assumption correct? This is not explained in the article.
Thanks
CXMelga
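As an added example (not part of the original post or the linked article), the following PowerShell script shows how an administrator would inspect the two sides of the relationship the post describes and perform the reset it mentions: it reads the local Netlogon change policy from the registry, reads PasswordLastSet from the computer object in AD, tests whether the secure channel still works (which succeeds with either the current or the previous password), and only resets the machine account password if the test fails. It assumes it is run elevated on a domain-joined member with the ActiveDirectory RSAT module installed, and that the credentials entered are allowed to reset the computer object; the default of 30 days for MaximumPasswordAge is the documented Netlogon default, not a value from the post.

```powershell
# Added example, not from the original post. Assumes: elevated session on a
# domain-joined member, ActiveDirectory module available, and $cred holding an
# account permitted to reset the computer object (e.g. a Domain Admin).

$cred = Get-Credential -Message 'Account allowed to reset the computer object'

# 1. The local side: how often Netlogon tries to change the password (days)
#    and whether automatic changes are disabled. Missing values mean defaults
#    (30 days, changes enabled).
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
$disabled = [bool]$nl.DisablePasswordChange
"Local Netlogon policy: MaximumPasswordAge=$maxAge days, DisablePasswordChange=$disabled"

# 2. The AD side: when the computer object's password was last written.
#    If AD has not seen a change in more than two intervals while changes are
#    enabled locally, the computer has been changing its password but failing
#    to sync it, which is the situation the post asks about.
$comp = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet -Credential $cred
$age  = (Get-Date) - $comp.PasswordLastSet
"AD computer object: PasswordLastSet=$($comp.PasswordLastSet), age $([math]::Round($age.TotalDays, 1)) days"
if (-not $disabled -and $age.TotalDays -gt (2 * $maxAge)) {
    Write-Warning 'AD has not recorded a password change in over two intervals; suspect failed syncs'
}

# 3. Does the secure channel still work? Netlogon will fall back to the
#    previous password, so this only fails once neither password matches AD.
if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel OK; no reset needed'
} else {
    Write-Warning 'Secure channel broken; resetting the machine account password on both sides'
    # Administrative reset: generates a new password locally and writes it to
    # the computer object in one step, so both sides agree again. No reboot needed.
    Reset-ComputerMachinePassword -Credential $cred
    if (Test-ComputerSecureChannel -Verbose) { 'Secure channel repaired' }
    else { Write-Error 'Secure channel still broken; check DC reachability and the computer object' }
}
```

`Test-ComputerSecureChannel -Repair -Credential $cred` does the same repair as step 3 in a single call; the explicit `Reset-ComputerMachinePassword` is used above because it matches the reset the post refers to. `nltest /sc_query:<domain>` gives the same secure-channel status from the command line if PowerShell is not available.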