October 22, 2010

Virtual Machines, Snapshots, Domain Membership, and trust relationship

Filed under: VirtualBox,Virtualization,VMWare — J. Abram barneck @ 8:35 am

Ok, so many of you have reverted to a snapshot of a virtual machine that is a member of an Active Directory domain only to see the error message saying something like this:

In XP:
“Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.”

In Windows 7:
“The trust relationship between this workstation and the primary domain failed.”

This happens whether you are using VMWare or VirtualBox. It also happened back when we were re-imaging to “revert” our drives.

This happens because the machine has its own account on the domain. It maintains its own password and updates it every 30 days. A snapshot holds whatever password was current when it was taken, so as soon as the machine account's password is updated after that, reverting is going to put you in this state.

Well, I started thinking that there has to be a solution for this. I found this article:
Working with Domain Member Virtual Machines and Snapshots

It mentions a possible option.

“Increase the computer account password age, or disable password changes altogether. Both these can reduce likelihood of the problem, but may reduce the level of security in the domain. On the other side, since this is probably a test, a QA or a demo environment, you may consider it as a valid option. These settings are available on the domain member (and not on the domain controller), and as such, you can change them on your computer before you create a snapshot out of it.”

While he mentions that it can be done, he doesn’t mention how to do it. There is a Microsoft Knowledge Base article about this. This is a Windows 2000 article, but I will have to verify that it works in later versions.
How to disable automatic machine account password changes

It basically says to set this registry key:

KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Property: DisablePasswordChange
Value: 1

You may be able to do this on the Domain controller, by using this setting:

KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Property: RefusePasswordChange
Value: 1

So I am going to try the first one, as it doesn’t require a global setting on the domain. Let’s see if it really works.
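
The following PowerShell script is an added example, not from the original post or the Microsoft article: it reports the Netlogon machine-password settings on a domain member and, when run with the hypothetical `-DisableChange` switch, sets DisablePasswordChange to 1 before you take the snapshot. MaximumPasswordAge (the registry value behind the "password age" option in the quote above) and the `Test-ComputerSecureChannel` cmdlet are not mentioned in the post; the script assumes an elevated prompt on a domain-joined machine.

```powershell
# Added example: audit, and optionally set, the machine account password
# settings on a domain member. Run elevated, before taking the snapshot.
param(
    [switch]$DisableChange   # hypothetical switch name chosen for this example
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue([string]$Name) {
    # Returns $null when the value is absent (Windows then uses its default).
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-MachinePasswordState {
    $disabled = Get-NetlogonValue 'DisablePasswordChange'
    $maxAge   = Get-NetlogonValue 'MaximumPasswordAge'
    if ($null -eq $disabled) { $disabled = 0 }    # default: changes enabled
    if ($null -eq $maxAge)   { $maxAge   = 30 }   # default: 30 days
    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        DisablePasswordChange  = $disabled
        MaximumPasswordAgeDays = $maxAge
        # True when the local machine password still matches the domain's copy.
        SecureChannelOk        = [bool](Test-ComputerSecureChannel)
    }
}

$state = Get-MachinePasswordState
$state | Format-List

if ($DisableChange) {
    if (-not $state.SecureChannelOk) {
        # Freezing a password that is already out of sync would not help.
        throw 'Secure channel is already broken; rejoin or repair it first.'
    }
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $key -Name 'DisablePasswordChange' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-MachinePasswordState | Format-List
}
elseif ($state.DisablePasswordChange -eq 1) {
    # Useful as an audit finding on machines that are not lab VMs.
    Write-Warning 'Automatic machine account password changes are disabled.'
}
```

Run without the switch, the script only reports, which also makes it usable for finding production machines where this lab setting was left enabled.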

