MicrosoftDocs / windowsserverdocs

Public content repository for Windows Server content.
Creative Commons Attribution 4.0 International

Default Domain Admin cannot be secured with "Smart card is required for interactive logon" #7268

Open githubths opened 1 year ago

githubths commented 1 year ago

Hi Windows Server Team,

The recommendation in the document is contradictory and cannot be implemented as written. The document recommends configuring the Default Domain Admin account with the account option "Smart card is required for interactive logon".

Controls for Built-in Administrator Accounts, Setting: Enable the "Smart card is required for interactive logon" flag on the account

Based on testing and the following link, a 128-bit random password is set for an account when the account option "Smart card is required for interactive logon" is enabled. As a result, no one knows the password of the default domain admin after activating the account option. To use the account, the account option must first be deactivated and a new password must be set.

Configure user accounts to disallow password authentication: When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#configure-user-accounts-to-disallow-password-authentication

Here is the contradiction with the AD Forest Recovery Guide. In the AD Forest Recovery Guide it is mandatory to know the password of the Default Domain Admin, because only with this password is it possible to log in without a GC. But in a recovery case nobody knows the password of the default domain admin, because the account option "Smart card is required for interactive logon" was set. This means that a forest recovery is no longer possible.

Rehost all GCs, Warning: The password of the Domain Administrator account for all domains must be ready for use in case a problem prevents access to a GC for logon.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-single-domain-in-multidomain-recovery#rehost-all-gcs

What is valid? Should the default domain admin be configured with the account option, or do we need to know the password of the default domain admin in case of a recovery scenario?


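An added audit example (not code from the issue, the Microsoft docs, or the windowsserverdocs repository) that reports the SCRIL state of the built-in Administrator (RID 500) in every domain of the forest, so a recovery plan can confirm whether a usable, documented password can exist for a GC-less logon. It assumes the ActiveDirectory RSAT module and read access to each domain; the function name `Get-BuiltinAdminScrilState` is my own.

```powershell
# Added example: audit whether the built-in domain Administrator has the
# "Smart card is required for interactive logon" (SCRIL) flag set.
# Assumes the ActiveDirectory module (RSAT) and read access to the domains.
Import-Module ActiveDirectory

function Get-BuiltinAdminScrilState {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    # The built-in Administrator always has RID 500, whatever it was renamed to.
    $admin = Get-ADUser -Identity "$domainSid-500" -Server $Domain `
        -Properties SmartcardLogonRequired, PasswordLastSet, userAccountControl

    # UF_SMARTCARD_REQUIRED (0x40000) is the userAccountControl bit behind the
    # "Smart card is required for interactive logon" checkbox.
    $scrilBit = ($admin.userAccountControl -band 0x40000) -ne 0

    [pscustomobject]@{
        Domain                 = $Domain
        SamAccountName         = $admin.SamAccountName
        Enabled                = $admin.Enabled
        SmartcardRequired      = $admin.SmartcardLogonRequired
        UacScrilBitSet         = $scrilBit
        PasswordLastSet        = $admin.PasswordLastSet
        # With SCRIL set, AD replaced the password with random data, so no
        # documented password can be valid for a recovery logon without a GC.
        RecoveryPasswordUsable = -not $admin.SmartcardLogonRequired
    }
}

# Check every domain in the forest and flag the contradiction the issue describes.
foreach ($d in (Get-ADForest).Domains) {
    $state = Get-BuiltinAdminScrilState -Domain $d
    $state
    if (-not $state.RecoveryPasswordUsable) {
        $msg = "{0}: SCRIL is set on {1}; a GC-less recovery logon would first require clearing the flag and resetting the password." -f $d, $state.SamAccountName
        Write-Warning $msg
    }
}
```

The report shows both the derived `SmartcardLogonRequired` property and the raw userAccountControl bit, so a mismatch between them (for example from a tool that writes userAccountControl directly) is visible as well.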

Kuenni commented 4 days ago

+1 for some guidance!

My opinion: I would recommend against setting SCRIL because of the mentioned forest recovery scenario. Instead I would plan for proper password strength, storage of password, retrieval processes and good monitoring of the account.