Virtual Machines, Snapshots, Domain Membership, and trust relationship

Ok, so many of you have reverted to a snapshot of a virtual machine that is a member of an Active Directory domain only to see the error message saying something like this:

In XP:
“Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.”

In Windows 7:
“The trust relationship between this workstation and the primary domain failed.”

This happens whether you are using VMware or VirtualBox. It also happened back when we were re-imaging to “revert” our drives.

This happens because the machine has its own computer account in the domain. The machine maintains that account’s password itself and changes it every 30 days. When you revert to a snapshot taken before one of those changes, the VM presents the old password while the domain controller only knows the new one, so the secure channel fails and you end up in this state.

Well, I started thinking that there has to be a solution for this. I found this article:
Working with Domain Member Virtual Machines and Snapshots

It mentions a possible option.

“Increase the computer account password age, or disable password changes altogether. Both these can reduce likelihood of the problem, but may reduce the level of security in the domain. On the other side, since this is probably a test, a QA or a demo environment, you may consider it as a valid option. These settings are available on the domain member (and not on the domain controller), and as such, you can change them on your computer before you create a snapshot out of it.”

While he mentions that it can be done, he doesn’t mention how to do it.  There is a Microsoft Knowledge Base article about this.  This is a Windows 2000 article, but I will have to verify that it works in later versions.
How to disable automatic machine account password changes

It basically says to set this registry key:

KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Property: DisablePasswordChange
Value: 1

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001

You may be able to do this on the Domain controller, by using this setting:

KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Property: RefusePasswordChange
Value: 1

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RefusePasswordChange"=dword:00000001
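As an added example (not from the original post or the KB article), here is a PowerShell version of the member-side change: it sets the same Netlogon value the .reg file above sets, reads back the current policy, and checks that the secure channel to the DC is healthy before you take the snapshot. The helper names are my own; `$Path` is the Netlogon key from the article.

```powershell
# Run elevated on the domain-member VM (not the DC) before creating the snapshot.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Reads the Netlogon values involved; a missing value means the default applies.
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        # default 0 = the machine rotates its own account password
        DisablePasswordChange  = if ($null -ne $p.DisablePasswordChange) { $p.DisablePasswordChange } else { 0 }
        # default 30 = rotation interval in days
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge)    { $p.MaximumPasswordAge }    else { 30 }
    }
}

function Set-MachinePasswordChangeDisabled {
    # Same effect as the .reg file in the post: "DisablePasswordChange"=dword:00000001
    Set-ItemProperty -Path $Path -Name DisablePasswordChange -Value 1 -Type DWord
}

function Test-SnapshotReady {
    # A snapshot is only useful if the trust is healthy at the moment it is taken.
    $healthy = Test-ComputerSecureChannel
    $policy  = Get-MachinePasswordPolicy
    [pscustomobject]@{
        SecureChannelHealthy   = $healthy
        PasswordChangeDisabled = ($policy.DisablePasswordChange -eq 1)
        ReadyToSnapshot        = $healthy -and ($policy.DisablePasswordChange -eq 1)
    }
}

# --- usage: disable rotation, then verify before snapshotting ---
Set-MachinePasswordChangeDisabled
Test-SnapshotReady | Format-List

# If a reverted VM already shows the trust error, the registry value cannot undo it.
# Repair the secure channel with domain credentials (or rejoin, as the post says),
# then set the value and take a fresh snapshot:
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

With rotation disabled the computer account password never changes again, which is why the quoted article limits this to test, QA and demo environments.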

So I am going to try the first one, as it doesn’t require a global setting on the domain.  Let’s see if it really works.

Update

I put the first registry key on all my VMs back when this was posted, which looks like October 22, 2010.  I haven’t had the problem since, so I would say this solution works.

I don’t know if the second key that goes on a Domain Controller works.  Maybe someone can try it out for me.

14 Comments

  3. [...] For more information, read this post: Virtual Machines, Snapshots, Domain Membership, and trust relationship [...]

  4. Shimon Tolts says:

    Thank you !

  5. Michael says:

    Okay, running into the same issue. When this is set in the VM, does that mean you can log in with current AD credentials? Password and all? Or are you stuck at the most recent AD credential?

    • Michael says:

To clarify, in my clumsy knowledge of how AD works... In other words, if we disable the password changes, the next time we log in within AD the credential should be updated and trust restored to the current state?

      • Michael says:

        Am I the only one? Once you've got a VM that's in that state, restored to prior, what then? Setting the registry setting doesn't seem to fix it. So the answer is in the Group Policy settings?

        • Rhyous says:

This is a setting you are supposed to add before you create a snapshot. If you are already in this state, the registry key won't fix it. Once you are in this state, you should rejoin the domain and then set the registry key, delete your old snapshot and create a new one.

    • Rhyous says:

Yes. The problem is not the user credentials, it is the machine's credentials. If the machine doesn't ever change its credentials, you never lose the domain trust.

  6. Brian says:

    Does this setting just need to be done on the local host machine or each virtual instance as well?

  7. EvilWasp says:

Well, we tried this and had the same problem. However, I didn't do the changes myself, so I am thinking maybe the QA guys didn't do the regedit. Anyways, just wanted to check up if you had the same problem again, since it's almost a year :p
