Ok, so many of you have reverted to a snapshot of a virtual machine that is a member of an Active Directory domain only to see the error message saying something like this:
“Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.”
In Windows 7:
“The trust relationship between this workstation and the primary domain failed.”
This happens whether you are using VMware or VirtualBox. It also happened back when we were re-imaging to “revert” our drives.
This happens because the machine has its own account in the domain. It maintains that account’s password itself and changes it every 30 days. So as soon as the machine account’s password is updated, any snapshot taken before the change holds the old password, and reverting to it puts you in this state.
Well, I started thinking that there has to be a solution for this. I found this article:
Working with Domain Member Virtual Machines and Snapshots
It mentions a possible option.
“Increase the computer account password age, or disable password changes altogether. Both these can reduce likelihood of the problem, but may reduce the level of security in the domain. On the other side, since this is probably a test, a QA or a demo environment, you may consider it as a valid option. These settings are available on the domain member (and not on the domain controller), and as such, you can change them on your computer before you create a snapshot out of it.”
While he mentions that it can be done, he doesn’t mention how to do it. There is a Microsoft Knowledge Base article about this. This is a Windows 2000 article, but I will have to verify that it works in later versions.
How to disable automatic machine account password changes
It basically says to set this registry key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
You may be able to do this on the Domain controller, by using this setting:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RefusePasswordChange"=dword:00000001

So I am going to try the first one, as it doesn’t require a global setting on the domain. Let’s see if it really works.
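The member-side change above, scripted as an added example that is not part of the original post or the linked articles: it reports the current Netlogon values, optionally sets one of the two options from the quoted article, and checks that the trust is still intact before you snapshot. The parameter names -Apply and -MaxPasswordAgeDays are hypothetical, and MaximumPasswordAge is the Netlogon value behind the "password age" option, which the post does not name.

```powershell
# Added example, not from the original post. Run elevated in Windows PowerShell
# 3.0 or later on the domain-member VM, before taking the snapshot.
param(
    [switch]$Apply,               # without -Apply the script only reports
    [int]$MaxPasswordAgeDays = 0  # >0: lengthen the interval instead of disabling
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue([string]$Name) {
    # $null means the value is absent and the Windows default applies
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Show-State([string]$Label) {
    [pscustomobject]@{
        When                  = $Label
        DisablePasswordChange = Get-NetlogonValue 'DisablePasswordChange'
        MaximumPasswordAge    = Get-NetlogonValue 'MaximumPasswordAge'   # days
    }
}

Show-State 'before'

if ($Apply) {
    if ($MaxPasswordAgeDays -gt 0) {
        # First option in the quoted article: keep rotation, make it less frequent
        Set-ItemProperty -Path $key -Name 'MaximumPasswordAge' `
            -Value $MaxPasswordAgeDays -Type DWord
    } else {
        # Second option: the KB value, stop password changes on this member
        Set-ItemProperty -Path $key -Name 'DisablePasswordChange' -Value 1 -Type DWord
    }
    Show-State 'after'
}

# Confirm the locally stored machine account password still matches the domain.
# Snapshot only when this returns True; False means the trust is already broken.
if (Test-ComputerSecureChannel) {
    'Secure channel OK: safe to snapshot.'
} else {
    Write-Warning 'Secure channel broken: repair the trust before taking a snapshot.'
}
```

Domain Group Policy security options for machine account passwords write to these same registry values, so a value set by hand can be overwritten at the next policy refresh.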
I put the first registry key on all my VMs back when this was posted, which looks like October 22, 2010. I haven’t had the problem since, so I would say this solution works.
I don’t know if the second key that goes on a Domain Controller works. Maybe someone can try it out for me.