Tuesday 19 March 2013

VMs, snapshots and domain computer accounts.

Have you ever reverted a VM's snapshot only to find that its computer account password is out of sync with the domain? I have, loads of times. It usually shows up as the following message when you try to log on: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

The problem is that Windows machines joined to a domain change their computer account password with a domain controller every 30 days by default. If a machine changes its computer password and you then revert to a snapshot taken before the change, the VM is left holding the old password while the domain controller expects the new one: the computer account can no longer authenticate to the domain and domain users cannot log on to that machine.

How do you get around this? One way is described in Microsoft's KB article 154501 ("How to disable automatic machine account password changes").

This reduces the security of your domain, or at least of the secure channel between the DC and the workstation you make the change on: a machine account password that never changes stays valid indefinitely if it is ever captured. On a testing setup like mine that is not much of a problem and the convenience easily outweighs the risk (in my opinion :).
Set the DisablePasswordChange value (a REG_DWORD) to 1 under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

The same setting is exposed as the Group Policy option "Domain member: Disable machine account password changes", and a domain policy for it will override whatever you put in the registry by hand.

That stops this machine from changing its domain password every 30 days. Note that the setting lives inside the VM, so take a fresh snapshot once it is in place; reverting to an older snapshot would undo the registry change along with everything else. Now we need to get the machine back onto the domain, which can be done in one of the following ways:

A. Remove the computer from the domain and add it back in again. Easy enough, you say. I have a lot of test machines floating about that don't always have the same local administrator password, so make sure that you know a local administrator's password before you remove the machine from the domain, otherwise you will end up with a machine you cannot log on to at all (all is not necessarily lost; Trinity Rescue Kit can help here).

B. Remove and rejoin the machine to the domain using the netdom.exe command:
netdom remove <machine name> /Domain:<domain name> /userd:<domain name>\<domain administrator account name> /passwordd:<domain administrator password>
Wait for the response:
The command completed successfully.
Then run:
netdom join <machine name> /Domain:<domain name> /userd:<domain name>\<domain administrator account name> /passwordd:<domain administrator password>
Again we are looking for the response:
The command completed successfully.
(If you would rather not type the domain administrator password on the command line, where it ends up in the console history, use /passwordd:* and netdom will prompt for it instead.)
It is probably best to reboot the machine at this point; it is a Windows machine, after all, and we were messing with its domain membership, so I simply would not trust it to function as expected until it has been rebooted. netdom join will do the reboot for you if you add /reboot to the command.
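As an added example (not from the original post), here is a PowerShell script that does the whole job from inside the reverted VM using the Test-ComputerSecureChannel and Set-ItemProperty cmdlets instead of netdom: it checks whether the computer account password still matches the DC, repairs the secure channel in place if it does not (no remove/rejoin needed), and then sets DisablePasswordChange. It assumes PowerShell 3.0 or later, an elevated prompt, a domain called LAB.LOCAL and an admin account LAB\Administrator; those names are placeholders.

```powershell
# Added example, not from the original post: repair a VM's domain secure channel
# after a snapshot revert and stop the machine rotating its password again (KB 154501).
# Assumptions: PowerShell 3.0+, run elevated, domain LAB.LOCAL, admin LAB\Administrator.
param(
    [string]$Domain       = 'LAB.LOCAL',         # assumed lab domain name
    [string]$AdminAccount = 'LAB\Administrator'  # assumed domain admin account
)

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Is the computer account password still in sync with the domain controller?
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $Domain is OK; nothing to repair."
}
else {
    Write-Warning "Secure channel to $Domain is broken (snapshot older than the last password change?)."

    # Prompt for the domain admin credentials rather than passing the password on the command line.
    $cred = Get-Credential -UserName $AdminAccount -Message "Domain admin credentials for $Domain"

    # -Repair resets the computer account password on the DC and on this machine in one step,
    # which is the in-place alternative to 'netdom remove' followed by 'netdom join'.
    if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
        throw "Repair failed; fall back to netdom remove / netdom join."
    }
    Write-Host "Secure channel repaired."
}

# 2. Stop the machine changing its password every 30 days (same value KB 154501 describes).
Set-ItemProperty -Path $netlogonKey -Name DisablePasswordChange -Value 1 -Type DWord

# 3. Show the effective Netlogon settings so you can confirm them before taking a new snapshot.
Get-ItemProperty -Path $netlogonKey |
    Select-Object DisablePasswordChange, MaximumPasswordAge |
    Format-List
```

Run it while logged on as a local administrator, since a domain logon is exactly what fails while the secure channel is broken. Once it reports the channel is OK and DisablePasswordChange is 1, take a new snapshot so the setting survives the next revert; a domain Group Policy for machine account password changes will still override the local value.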