If you are often jumping back and forth between snapshots in your virtualized environment, you have probably had problems with computers that are unable to establish a secure connection with the domain. Basically, you have to rejoin the computer to the domain or reset password for the computer account, after restoring a snapshot. And you may question yourself, why this happens sometimes but not always?
You may see this in the eventlog
The session setup from the computer DomainMember failed to authenticate.
The name of the account referenced in the security database is DomainMember$.
The following error occurred: Access is denied.
The short explanation is, the password for the computers domain account does not match the one in AD, and have to be reset by either resetting the password or rejoining the domain.
There is a Local Security setting, which you can set on those computers that you need to restore (it’s a per computer setting so you don’t have to apply it to all of your computers). I usually do this in my Lab and Demo environments, so I can restore individual snapshots without worrying about this.
Just “Enable” the policy:
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
That will prevent those computers from changing their password in AD, so it will always match no matter which snapshot you jump back and forth to.
Though, the password changes for the computer account is a security precaution, disabling them could make it possible for a malicious user to get hold of the computer password and use it to Authenticate to the domain to read information.
The long(er) explanation:
A computer account is like a User Account, except for a few things. Like that a computer account password never expires, So even if you define that your users have to set a new password every 30 days, your computer accounts could use the same password for ever.
A Windows computer (client or server) will do a client side initiated password change according to the policy.
Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
Default: 30 days.
This means, that the client will by default initiate a password change every 30 day, when it has contact with the Domain. If the password change is successful, it will store the previous password as “OldVal” (Old Value) and the new Password as “CurrVal” (Current Value) in the registry at HKLM\SECURITY\Policy\Secrets\$machine.ACC.
If the client does not have contact with the Domain but the password is older than 30 days, it’s going to check (by default) every 15 minute if there is a Secure Channel to a DC and if it can initiate a password change.
When a client is booting, it will try to logon to the domain with the current password, if that fails, it will try with the previous password as a fail safe, in case the new password has not replicated to the other DC’s yet.
The reason a computer can join a domain with a pre-staged account where you as a user does not have the “Domain Join” permissions, is that the computer will simply logon with username: computername and password: computername$ (small letters with a $ at the end), and when the client has joined the domain, it will initiate a password reset and set a secure password.
And as stated above, the cool thing is that these policy settings are per computer. So you can use the 30 days default for all of your domain, except for a few computers that’s being used in testing or for application packaging where you regularly restore your snapshots.
The 30 day password change, is also the reason it’s so common to search the AD for inactive computer accounts by looking at the last password change. If the client has not changed password in the last ~90 days, it’s probably not in use anymore and the computer account can be deleted or inactivated.
There is a great article on this subject “Machine Account Password Process” written by the Microsoft “Directory Services Team” if you want even more in-depth information on Computer Account Passwords.