First published on TechNet on Feb 13, 2009
Hi, this is Manish Singh from the Directory Services team and I am going to talk about the machine account password process. Ever wondered what goes on ...
Updated Apr 27, 2020
Version 14.0
Blog Post
No clear answer to this behavior.
Did Microsoft changed this behavior during covid-19 ?
If the machine was unable to communicate with a domain controller for 60 days, then we have a secure channel issue
As I understand if the current password and the cached password didn't match with AD computer password (so 60 days without AD contact an PC was running outside the network) the message: The trust relationship between this workstation and the primary domain failed was thrown if the computer contacts a domain controller after 60 days.
now :
Update April 2020: While the above scenario may have been possible when the article was originally written, Windows 7 SP1 clients and later will never reset the local registry LSA secret if it fails to reset the AD object’s corresponding UnicodePWD attribute -- in other words: Local password change will never occur unless a DC is able to process the change.
It seems that the PC doesn't initiate a password change if a DC is not available to process it.
Can someone confirm this behavior ?
Thanks