Problems with virtual machines and domain membership

Problems with virtual machines and domain membership

  • Comments 7

Every now and then some one will contact me for help, saying "I have a virtual machine that was working just fine - and now it refuses to log into the domain to which it is joined".  Assuming that networking is working fine (and sometimes this is caused by someone fiddling with their network settings and not realizing the consequences :-) this is usually caused by the fact that the domain controllers no longer trust your virtual machine.  There can be two reasons for this to happen:

  1. Your virtual machine has not logged into the domain in quite a while.

    All Active Directory domains have a 'time out' value - where if a computer is not seen on the network for a given period of time - its account is deleted (okay - tomb stoned - but I am not going to go into the details on that).  This usually happens after 90 days.  If this happens you will not be able to log into the domain.  Now - unlike with a physical computer - it is actually quite easy to go 90 days without logging into a virtual machine that you setup to test one specific thing.

  2. You 'undid' an account detail change.

    When a computer is joined to a domain - the domain controller creates and manages an account for that computer.  Now - for security purposes - details of this account are periodically updated by the domain controller and pushed down to the computer.  If this happens - and you then 'undo' the changes (by having undo disks enabled and choosing to delete them) then the domain controller will no longer trust your virtual machine.

In either situation the only solution is to login to your virtual machine using the local administrator account, leave the domain and then join it again.

Cheers,
Ben

Leave a Comment
  • Please add 3 and 2 and type the answer here:
  • Post
  • Some tips:

    1)  When rejoining the domain, if you just enter the netbios name of the domain instead of disjoining, then click Join Domain, you will do a simultanous Disjoin/Join operation and only reboot once.
    2)  If you know this machine is going to be offline for extended periods of time, and you don't want the hassle of a domain rejoin, you can  follow the directions here:  http://support.microsoft.com/kb/175468 to disable the changing of the machine's password.
  • Actually, client machines are responsible for changing the machine account password on the domain controller. Or at least, that's how it's been documented to work for years. Are you saying that this has changed, and that machine account passwords are now forcibly expired by domain controllers?
  • Asgard -

    You are correct - sorry if my wording was confusing.  The net result is the same though.

    Cheers,
    Ben
  • This happened to me this just over the weekend.  On Friday I was using the Virtual PC.  Come in on Monday morning and now I get the domain membership issue.

    Your resolution fixed the issue but neither of the 2 reasons seem to be the cause.
  • Hi, I have a similar problem, I can join the domain everytime without no problems, my problem is for example when I want to add a User to lets say, folder sharing, IIS users, COM+ User to roles and so on, I can see/browse the domain or other computer, just the actual virtual machine, any clue?

  • We get around this problem by having an AD computer group that is used specifically for virtual machines (both VPC & Virtual Server). The policy for that group is set so that the computer account passwords are permanent. This prevents issues when you’ve been using a virtual machine for a while and it has negotiated a new account password, and then you whack the undo disk and restore it to a previous state with a previous password. We put all the virtual machines in that domain group. You have to put the computers in manually, but you only do that once.
  • I could not create a member server in a domain called abc.com . It shows the error msg while I try to join as a client with a another virtual server 2003.. what is the reason behind it?

Page 1 of 1 (7 items)