Saturday, September 28, 2013

Virtual Machines, Snapshots and Domain Membership

I have a number of virtual machines that I use for QA. All of these machines have snapshots for easy rollback and all are members in an Active Directory (AD) domain. One of my goals has been to allow all the users in the domain to have administrative rights for these virtual machines, but getting that working has encountered a few hiccups.

Every once in a while, the domain membership breaks. When trying to log in with a domain login through RDP, I get an authentication error, specifically: The Local Security Authority cannot be contacted. When trying to log into the machine directly (through the vSphere Client) using the same domain login, I get a different, but equally vague, error: The trust relationship between this workstation and the primary domain failed.

The short and recommended answer is to rejoin the machine to the domain. This can be done in several creative ways in addition to Microsoft's recommendation, but it doesn't really solve the problem. Microsoft's article does give me a little more insight, though. "For Windows 2000 or Windows XP, the default computer account password change period is every 30 days." The article was written many, many moons ago, but this behavior hasn't changed with newer versions of Windows.

Roughly translated, every 30 days or so a Windows machine that is part of a domain renegotiates its connection to the domain. Basically, Windows changes its "machine password" on the domain controller. This new password is only known by the domain controller(s) and the machine. What this means for me is that every time I roll back one of my QA virtual machines, Windows loses its new password and goes back to using its previous password - the one created before the snapshot - while the domain controller still expects the new one, so the two sides no longer agree and the trust fails.

Considering these machines are going to be rolled back to a snapshot often, having to rejoin them to the domain after every rollback is not a viable option. A better solution would be to stop the trust from breaking in the first place. This is actually something I can accomplish pretty quickly thanks to the article Machine Account Password Process from the Ask the Directory Services Team blog.

Unlike Windows user passwords, machine passwords don't expire; the change is entirely client driven, meaning the Windows machine itself decides whether to change its password or not. So, as long as no one messes with the Computer account in AD, and as long as the machine doesn't change its own machine password, we are good to go.

Thanks to that article, there are a couple of ways I can accomplish this, both of them through GPOs.
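Because both settings end up as values in the VM's own registry, the snapshot has to be taken after the policy has actually applied, or a rollback simply restores the old behaviour. The following script is an added example, not code from the original post or from Microsoft: it reports what the Netlogon service on the VM currently believes about its machine password (the values written by the "Domain member: Disable machine account password changes" and "Domain member: Maximum machine account password age" policies), verifies the secure channel to the domain, and, if the RSAT ActiveDirectory module is installed, shows when the DC last accepted a new password for this computer. It assumes an elevated PowerShell session on the domain-joined VM; the function name Get-MachinePasswordStatus is my own.

```powershell
# Added example (not from the original post): audit a domain-joined VM's
# machine-account password behaviour before taking the snapshot.
# Assumes an elevated session on the VM; the optional AD comparison needs
# the RSAT ActiveDirectory module.

function Get-MachinePasswordStatus {
    [CmdletBinding()]
    param()

    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = Get-ItemProperty -Path $netlogon

    # DisablePasswordChange = 1 is what "Domain member: Disable machine account
    # password changes" writes; MaximumPasswordAge (days) is written by
    # "Domain member: Maximum machine account password age". When the value is
    # absent, the policy default of 30 days applies.
    $disabled = [bool]($props.DisablePasswordChange -eq 1)
    $maxAge   = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { 30 }

    # Test-ComputerSecureChannel validates the secure channel to a DC with the
    # password this VM holds right now; $false is the condition behind the
    # "trust relationship ... failed" error described in the post.
    $trustOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    $result = [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        PasswordChangeDisabled = $disabled
        MaximumPasswordAgeDays = $maxAge
        SecureChannelOk        = [bool]$trustOk
        AdPasswordLastSet      = $null
    }

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # PasswordLastSet on the computer object is when the DC last accepted a
        # new machine password. If it moves after the snapshot was taken, a
        # rollback brings the VM back with a password the DC no longer accepts.
        $result.AdPasswordLastSet = (Get-ADComputer -Identity $env:COMPUTERNAME `
            -Properties PasswordLastSet).PasswordLastSet
    }
    return $result
}

# Usage: run on the VM, then decide whether it is safe to snapshot.
$status = Get-MachinePasswordStatus
$status | Format-List

if (-not $status.SecureChannelOk) {
    Write-Warning 'Secure channel is broken; repair it (Test-ComputerSecureChannel -Repair, as a local administrator) before snapshotting.'
}
elseif (-not $status.PasswordChangeDisabled) {
    Write-Warning "Machine password changes are still enabled (max age $($status.MaximumPasswordAgeDays) days); a snapshot older than that will roll back to a stale password."
}
else {
    Write-Output 'Machine password changes are disabled; safe to snapshot.'
}
```

Two points worth keeping in mind when applying this: disabling machine password changes means the computer account keeps one static secret indefinitely, so link the GPO to an OU that contains only the throwaway QA VMs rather than to the whole domain; and run the script once after gpupdate on the VM shows PasswordChangeDisabled as True before you take the snapshot that everything else will be rolled back to.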

If you haven't read it and like knowing nitty-gritty details, I highly recommend reading the Machine Account Password Process article.