Preventing Kerberos Ticket Expiration

Joe

I have two MS Virtual Servers that are running in production. I keep an
exact copy of the VM's on disk for disaster recovery purposes. All my DR
restoration tests have failed because the Kerberos ticket expires between the
time the copy is made and the time the copy is restored (from 1-4 weeks in
the tests.) A copy that is restored within a day works fine.

So I need a way to disable the expiration of the Kerberos ticket for these
specific VM's. Is it possible to create a new Kerberos policy that overrides
the default domain security policy? Is this the best way to do this?
Are there any other options?

Thanks,
Joe
 
Paul Adare

On Wed, 26 Dec 2007 08:23:00 -0800, Joe wrote:

> I have two MS Virtual Servers that are running in production. I keep an
> exact copy of the VM's on disk for disaster recovery purposes. All my DR
> restoration tests have failed because the Kerberos ticket expires between the
> time the copy is made and the time the copy is restored (from 1-4 weeks in
> the tests.) A copy that is restored within a day works fine.
>
> So I need a way to disable the expiration of the Kerberos ticket for these
> specific VM's. Is it possible to create a new Kerberos policy that overrides
> the default domain security policy? Is this the best way to do this?
> Are there any other options?
It isn't the Kerberos ticket that's the problem here but rather the
password used for the computer account to setup and maintain the secure
channel to the DCs.
You can either reset the secure channel or simply disable the password
change. On the member servers, find DisablePasswordChange in the registry
and set its value to 1. You'll need to do this on both the physical and
virtual copies.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
A bug in the hand is better than one as yet undetected.
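As an added example (not code from Paul's reply or from Microsoft), this is what his "disable the password change" option looks like when applied from an elevated PowerShell prompt on the member server, with a read-back so Level 1 can confirm the state. The key path and the DisablePasswordChange value are the real Netlogon parameters; the function names are my own. It has to be applied on the live server before the next image is taken, so that every copy carries the setting.

```powershell
# Added example, not code from the thread. Freeze the computer-account
# password on a member server so a disk image restored weeks later still
# holds the same password that Active Directory has on file.
# Run from an elevated prompt on the live server BEFORE the image is taken,
# so every copy carries the setting. Function names are illustrative; the
# key path and the DisablePasswordChange value are the real Netlogon parameters.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordChangeState {
    # Effective state: the value is absent by default, which means "rotate".
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop
    $disabled = ($null -ne $p.DisablePasswordChange) -and ([int]$p.DisablePasswordChange -eq 1)
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        DisablePasswordChange = [int]($p.DisablePasswordChange)   # 0 when absent
        RotationDisabled      = $disabled
    }
}

function Disable-MachinePasswordChange {
    # DisablePasswordChange = 1 (REG_DWORD) is the registry form of the security
    # option "Domain member: Disable machine account password changes".
    # A domain GPO that defines that option will overwrite this value on the
    # next policy refresh, so in that case set it through a GPO scoped to
    # these servers instead of editing the registry directly.
    Set-ItemProperty -Path $NetlogonParams -Name DisablePasswordChange -Value 1 -Type DWord
    # Netlogon reads its parameters when it starts: restart the service (a
    # reboot also picks the value up).
    Restart-Service -Name Netlogon -Force
    Get-MachinePasswordChangeState
}

# Usage (elevated, on the live server and on every copy of it):
#   Get-MachinePasswordChangeState        # confirm current state
#   Disable-MachinePasswordChange         # apply, restart Netlogon, read back
```

Two practitioner notes. First, Joe's original idea of a policy does work for this setting: a GPO linked to the OU that holds the two servers, with "Domain member: Disable machine account password changes" set to Enabled, wins over the Default Domain Policy for that one option and survives policy refresh. Second, a machine password that never rotates stays valid for as long as the computer account exists, so anyone who extracts it from one of the stored DR images has a working domain computer identity until the account is reset; protect the image copies accordingly and keep the setting scoped to these two servers rather than the whole domain.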
 
jwgoerlich@gmail.com

Hello Joe,

Is the problem Kerberos or the machine password?

I ask because I have seen problems restoring after several weeks.
These are typically computer password related. I prevent the problem
increasing MaximumPasswordAge and, if they occur, correct the problem
by rejoining the domain. Could you check out article 295049 and let us
know if this resembles what you are seeing?

J Wolfgang Goerlich


Related Links:

Microsoft Article 295049, Issues with domain membership after a system
restore
http://support.microsoft.com/kb/295049

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
http://technet2.microsoft.com/windo...94e5-4a7f-be42-cbad6be4be501033.mspx?mfr=true

On Dec 26, 11:23 am, Joe <J...@discussions.microsoft.com> wrote:
> I have two MS Virtual Servers that are running in production.  I keep an
> exact copy of the VM's on disk for disaster recovery purposes.  All my DR
> restoration tests have failed because the Kerberos ticket expires between the
> time the copy is made and the time the copy is restored (from 1-4 weeks in
> the tests.)  A copy that is restored within a day works fine.
>
> So I need a way to disable the expiration of the Kerberos ticket for these
> specific VM's.  Is it possible to create a new Kerberos policy that overrides
> the default domain security policy?  Is this the best way to do this?
> Are there any other options?
>
> Thanks,
> Joe
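As an added example (not code from Wolfgang's reply or from the KB article), the two halves of his approach in PowerShell: lengthening MaximumPasswordAge rather than switching rotation off, and, when a restored copy does come up with a stale password, verifying and repairing the secure channel in place instead of rejoining the domain. The registry value is the real Netlogon parameter; the function names are mine. Test-ComputerSecureChannel with -Repair and -Credential needs Windows PowerShell 3.0 or later, which the 2007-era hosts in the thread would not have had; on those, the equivalents are "nltest /sc_verify:<domain>" and "netdom resetpwd".

```powershell
# Added example, not code from the thread. Two pieces of the approach above:
# (1) lengthen the machine password interval instead of disabling rotation;
# (2) after an old image is restored, verify the secure channel and repair it
# in place rather than rejoining the domain.
# Test-ComputerSecureChannel -Repair/-Credential need Windows PowerShell 3.0
# or later; on older hosts use "nltest /sc_verify:<domain>" and
# "netdom resetpwd". Function names are illustrative.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-MachinePasswordMaxAge {
    param([ValidateRange(1, 999)][int]$Days)
    # MaximumPasswordAge (REG_DWORD, days; 30 when absent) is the registry form
    # of "Domain member: Maximum machine account password age". Setting it
    # longer than the longest restore window makes it less likely the live
    # server rotates before a copy is used, but does not rule it out.
    Set-ItemProperty -Path $NetlogonParams -Name MaximumPasswordAge -Value $Days -Type DWord
    Restart-Service -Name Netlogon -Force          # Netlogon reads the value at start
    [int](Get-ItemProperty -Path $NetlogonParams).MaximumPasswordAge
}

function Repair-RestoredSecureChannel {
    param(
        # A domain account allowed to reset this computer's account password.
        [Parameter(Mandatory)][pscredential]$Credential,
        # Optional: pin the check to one domain controller.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    if (Test-ComputerSecureChannel @common) {
        return 'ok: machine password still matches AD'
    }
    # -Repair resets the password on this machine and in AD using $Credential.
    # No rejoin and no reboot; the computer account, its SID and its group
    # memberships are kept, which a leave/rejoin would not guarantee.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential @common) {
        return 'repaired: secure channel reset in place'
    }
    return 'failed: repair did not succeed, fall back to netdom resetpwd or a rejoin'
}

# Usage on the restored VM (elevated):
#   Set-MachinePasswordMaxAge -Days 90                          # on the live server, before imaging
#   Repair-RestoredSecureChannel -Credential (Get-Credential)   # on the restored copy
```

The symptom this repairs is the one a restored copy shows at the console: the logon error "The trust relationship between this workstation and the primary domain failed" and NETLOGON event 3210 in the System log on the member. Running the check first and only repairing on failure keeps the runbook safe to execute on a copy that happens to be fine.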
 
Joe

Wolfgang,
Thanks for the quick and detailed response. I agree that the problem is
with the machine password. I was using the wrong terminology. Your links
below are a great help.

Thanks, and Happy New Year!
Joe

"jwgoerlich@gmail.com" wrote:

> Hello Joe,
>
> Is the problem Kerberos or the machine password?
>
> I ask because I have seen problems restoring after several weeks.
> These are typically computer password related. I prevent the problem
> increasing MaximumPasswordAge and, if they occur, correct the problem
> by rejoining the domain. Could you check out article 295049 and let us
> know if this resembles what you are seeing?
>
> J Wolfgang Goerlich
>
>
> Related Links:
>
> Microsoft Article 295049, Issues with domain membership after a system
> restore
> http://support.microsoft.com/kb/295049
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> http://technet2.microsoft.com/windo...94e5-4a7f-be42-cbad6be4be501033.mspx?mfr=true
>
> On Dec 26, 11:23 am, Joe <J...@discussions.microsoft.com> wrote:
> > I have two MS Virtual Servers that are running in production. I keep an
> > exact copy of the VM's on disk for disaster recovery purposes. All my DR
> > restoration tests have failed because the Kerberos ticket expires between the
> > time the copy is made and the time the copy is restored (from 1-4 weeks in
> > the tests.) A copy that is restored within a day works fine.
> >
> > So I need a way to disable the expiration of the Kerberos ticket for these
> > specific VM's. Is it possible to create a new Kerberos policy that overrides
> > the default domain security policy? Is this the best way to do this?
> > Are there any other options?
> >
> > Thanks,
> > Joe

 
Joe

Paul,
Wow, two great answers to my post within 5 minutes! I think this is a record.

Thanks for your reply. You are correct, I should have been referring to the
machine password, not Kerberos. Your suggestion to disable the password
change is probably the most direct approach, since I want a restore procedure
that Level 1 can perform. Since this probably requires a reboot of the
machines, I will have to wait a few days to test this.

Thanks again, and Happy New Year!
Joe


"Paul Adare" wrote:

> On Wed, 26 Dec 2007 08:23:00 -0800, Joe wrote:
>
> > I have two MS Virtual Servers that are running in production. I keep an
> > exact copy of the VM's on disk for disaster recovery purposes. All my DR
> > restoration tests have failed because the Kerberos ticket expires between the
> > time the copy is made and the time the copy is restored (from 1-4 weeks in
> > the tests.) A copy that is restored within a day works fine.
> >
> > So I need a way to disable the expiration of the Kerberos ticket for these
> > specific VM's. Is it possible to create a new Kerberos policy that overrides
> > the default domain security policy? Is this the best way to do this?
> > Are there any other options?

>
>
> It isn't the Kerberos ticket that's the problem here but rather the
> password used for the computer account to setup and maintain the secure
> channel to the DCs.
> You can either reset the secure channel or simply disable the password
> change. On the member servers, find DisablePasswordChange in the registry
> and set its value to 1. You'll need to do this on both the physical and
> virtual copies.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> A bug in the hand is better than one as yet undetected.
>
 