Preventing Kerberos Ticket Expiration

TheMSsForum.com: The Microsoft Software Forum

I have two MS Virtual Servers that are running in production. I keep an
exact copy of the VM's on disk for disaster recovery purposes. All my DR
restoration tests have failed because the Kerberos ticket expires between the
time the copy is made and the time the copy is restored (from 1-4 weeks in
the tests.) A copy that is restored within a day works fine.

So I need a way to disable the expiration of the Kerberos ticket for these
specific VM's. Is it possible to create a new Kerberos policy that over
rides the default domain security policy? Is this the best way to do this?
Are there any other options?

Thanks,
Joe
Top

Re: Preventing Kerberos Ticket Expiration by Paul

Paul
Wed Dec 26 10:35:24 CST 2007

On Wed, 26 Dec 2007 08:23:00 -0800, Joe wrote:

> I have two MS Virtual Servers that are running in production. I keep an
> exact copy of the VM's on disk for disaster recovery purposes. All my DR
> restoration tests have failed because the Kerberos ticket expires between the
> time the copy is made and the time the copy is restored (from 1-4 weeks in
> the tests.) A copy that is restored within a day works fine.
>
> So I need a way to disable the expiration of the Kerberos ticket for these
> specific VM's. Is it possible to create a new Kerberos policy that over
> rides the default domain security policy? Is this the best way to do this?
> Are there any other options?


It isn't the Kerberos ticket that's the problem here but rather the
password used for the computer account to setup and maintain the secure
channel to the DCs.
You can either reset the secure channel or simply disable the password
change. On the member servers, find DisablePasswordChange in the registry
and set its value to 1. You'll need to do this on both the physical and
virtual copies.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
A bug in the hand is better than one as yet undetected.
Top

Re: Preventing Kerberos Ticket Expiration by jwgoerlich

jwgoerlich
Wed Dec 26 10:37:34 CST 2007

Hello Joe,

Is the problem Kerberos or the machine password?

I ask because I have seen problems restoring after several weeks.
These are typically computer password related. I prevent the problem
increasing MaximumPasswordAge and, if they occur, correct the problem
by rejoining the domain. Could you check out article 295049 and let us
know if this resembles what you are seeing?

J Wolfgang Goerlich


Related Links:

Microsoft Article 295049, Issues with domain membership after a system
restore
http://support.microsoft.com/kb/295049

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
http://technet2.microsoft.com/windowsserver/en/library/0825816c-94e5-4a7f-be=
42-cbad6be4be501033.mspx?mfr=3Dtrue

On Dec 26, 11:23=A0am, Joe <J...@discussions.microsoft.com> wrote:
> I have two MS Virtual Servers that are running in production. =A0I keep an=

> exact copy of the VM's on disk for disaster recovery purposes. =A0All my D=
R
> restoration tests have failed because the Kerberos ticket expires between =
the
> time the copy is made and the time the copy is restored (from 1-4 weeks in=

> the tests.) =A0A copy that is restored within a day works fine.
>
> So I need a way to disable the expiration of the Kerberos ticket for these=

> specific VM's. =A0Is it possible to create a new Kerberos policy that over=

> rides the default domain security policy? =A0Is this the best way to do th=
is? =A0
> Are there any other options?
>
> Thanks,
> Joe

Top

Re: Preventing Kerberos Ticket Expiration by Joe

Joe
Wed Dec 26 10:58:00 CST 2007

Wolfgang,
Thanks for the quick and detailed response. I agree that the problem is
with the machine password. I was using the wrong terminology. Your links
below are a great help.

Thanks, and Happy New Year!
Joe

"jwgoerlich@gmail.com" wrote:

> Hello Joe,
>
> Is the problem Kerberos or the machine password?
>
> I ask because I have seen problems restoring after several weeks.
> These are typically computer password related. I prevent the problem
> increasing MaximumPasswordAge and, if they occur, correct the problem
> by rejoining the domain. Could you check out article 295049 and let us
> know if this resembles what you are seeing?
>
> J Wolfgang Goerlich
>
>
> Related Links:
>
> Microsoft Article 295049, Issues with domain membership after a system
> restore
> http://support.microsoft.com/kb/295049
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> http://technet2.microsoft.com/windowsserver/en/library/0825816c-94e5-4a7f-be42-cbad6be4be501033.mspx?mfr=true
>
> On Dec 26, 11:23 am, Joe <J...@discussions.microsoft.com> wrote:
> > I have two MS Virtual Servers that are running in production. I keep an
> > exact copy of the VM's on disk for disaster recovery purposes. All my DR
> > restoration tests have failed because the Kerberos ticket expires between the
> > time the copy is made and the time the copy is restored (from 1-4 weeks in
> > the tests.) A copy that is restored within a day works fine.
> >
> > So I need a way to disable the expiration of the Kerberos ticket for these
> > specific VM's. Is it possible to create a new Kerberos policy that over
> > rides the default domain security policy? Is this the best way to do this?
> > Are there any other options?
> >
> > Thanks,
> > Joe
>
>
Top

Re: Preventing Kerberos Ticket Expiration by Joe

Joe
Wed Dec 26 11:00:01 CST 2007

Paul,
Wow, two great answers to my post within 5 minutes! I think this is a record.

Thanks for your reply. You are correct, I should have been referring to the
machine password, not kerberos. You suggestion to disable the password
change is probably the most direct approach, since I want a restore procedure
that Level 1 can perform. Since this probably requires a reboot of the
machines, I will have to wait a few days to test this.

Thanks again, and Happy New Year!
Joe


"Paul Adare" wrote:

> On Wed, 26 Dec 2007 08:23:00 -0800, Joe wrote:
>
> > I have two MS Virtual Servers that are running in production. I keep an
> > exact copy of the VM's on disk for disaster recovery purposes. All my DR
> > restoration tests have failed because the Kerberos ticket expires between the
> > time the copy is made and the time the copy is restored (from 1-4 weeks in
> > the tests.) A copy that is restored within a day works fine.
> >
> > So I need a way to disable the expiration of the Kerberos ticket for these
> > specific VM's. Is it possible to create a new Kerberos policy that over
> > rides the default domain security policy? Is this the best way to do this?
> > Are there any other options?
>
>
> It isn't the Kerberos ticket that's the problem here but rather the
> password used for the computer account to setup and maintain the secure
> channel to the DCs.
> You can either reset the secure channel or simply disable the password
> change. On the member servers, find DisablePasswordChange in the registry
> and set its value to 1. You'll need to do this on both the physical and
> virtual copies.
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> A bug in the hand is better than one as yet undetected.
>
Top