Provisioning Server offers the ability to maintain Active Directory machine account password synchronization for target devices. The feature is enabled on the Provisioning Server and is configured on a per-virtual-disk basis.
Private virtual disks do not need to maintain Active Directory machine account password synchronization: they are read/write, so the target device retains any machine account password change by storing it to the virtual disk.
Standard virtual disks do need to maintain Active Directory machine account password synchronization: they are read-only, so a machine account password change made by the target device is lost at the next reboot and the device falls out of sync with the account in Active Directory.
There are several things to take into consideration when dealing with Provisioning Server and Active Directory machine account password synchronization in order to implement this feature successfully. The following are guidelines and best practices to follow:

If the virtual disk image that is going to be created will be used by multiple target devices in Standard Image mode, it is best practice to run the Device Optimizer utility on the target device before creating the virtual disk image and apply the "Disable Machine Account Password Changes" setting, so that the target device itself never tries to renegotiate the machine account password. If the virtual disk image will only ever be used in Private Image mode and never in Standard Image mode, the "Disable Machine Account Password Changes" setting does not need to be applied.

When creating virtual disks that will ever be used as Standard virtual disks, it is best practice never to create a target device whose device name matches an existing machine account in Active Directory that is, has been, or will ever be running from a local disk. Two machines sharing one machine account will each try to change the same password, and the Standard Image target device will lose.

When creating virtual disks, it is best practice to ensure that the Active Directory setting "Enable automatic password support" is configured on the Provisioning Servers, so that the Provisioning Server, rather than the target device, is the party that rotates the machine account password.

When creating virtual disks, it is best practice to ensure that the "Enable Active Directory Machine Account Password Management" setting is configured on every Standard virtual disk; the Provisioning Server setting above has no effect on a virtual disk that does not also have this setting enabled.

Also, it is best practice to use a dedicated Active Directory Organizational Unit to manage the machine accounts of target devices that will be provisioned, and to set the Group Policy Object or Security Policy for that Organizational Unit to enable the "Disable Machine Account Password Changes" setting. This disables Windows' own automatic machine account password renegotiation on every provisioned device, even if the Device Optimizer step was missed on the image.

And lastly, it is best practice to compare the "Maximum machine account password age" setting in the Group Policy Object or Security Policy for that Organizational Unit with the Provisioning Server Active Directory setting "Enable automatic password support". The number of days configured for "Enable automatic password support" on the Provisioning Server must be less than the "Maximum machine account password age" configured for the Organizational Unit; otherwise you can end up in a scenario where the machine accounts are no longer able to log on to the domain because of this restriction.
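The two checks above can be audited on a target device before the virtual disk image is captured. The following PowerShell script is an added example for this page, not Citrix code: it reads the Netlogon registry values that the "Domain member: Disable machine account password changes" and "Domain member: Maximum machine account password age" policies control, and compares the password age against the Provisioning Server "Enable automatic password support" interval. The script does not query Provisioning Server itself; the interval is passed in by the administrator as the hypothetical -PvsPasswordChangeDays parameter, and the -Fix switch writes the same registry value the policy sets.

```powershell
# Added example (not part of the original article or of Provisioning Server).
# Run on the target device, as Administrator, before capturing the vDisk image.
#   .\Test-PvsMachineAccountSettings.ps1 -PvsPasswordChangeDays 7 -StandardImage
#   .\Test-PvsMachineAccountSettings.ps1 -PvsPasswordChangeDays 7 -StandardImage -Fix
param(
    # Days configured for "Enable automatic password support" on the Provisioning
    # Server. Assumption: supplied by the admin; nothing here talks to PVS.
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 365)]
    [int]$PvsPasswordChangeDays,

    # The vDisk built from this device will run in Standard Image mode.
    [switch]$StandardImage,

    # Write DisablePasswordChange = 1 instead of only reporting it.
    [switch]$Fix
)

# Both Windows policies are stored under this key; GPO and the local Security
# Policy editor write the same values.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
if (-not (Test-Path $netlogon)) {
    throw "Netlogon parameters key not found; is this a domain-joined Windows device?"
}
$props = Get-ItemProperty -Path $netlogon

# "Disable machine account password changes": DWORD DisablePasswordChange.
# A missing value means the Windows default of 0 (changes enabled).
$disableChanges = if ($null -ne $props.DisablePasswordChange) { [int]$props.DisablePasswordChange } else { 0 }

# "Maximum machine account password age": DWORD MaximumPasswordAge in days.
# A missing value means the Windows default of 30 days.
$maxAgeDays = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { 30 }

$findings = @()

# Check 1: a Standard Image device must not renegotiate its own password,
# because the read-only vDisk would drop the new password at the next reboot.
if ($StandardImage -and $disableChanges -ne 1) {
    if ($Fix) {
        Set-ItemProperty -Path $netlogon -Name DisablePasswordChange -Value 1 -Type DWord
        $disableChanges = 1
        $findings += "DisablePasswordChange was 0; set to 1 (same value the 'Disable Machine Account Password Changes' policy sets)."
    } else {
        $findings += "DisablePasswordChange is $disableChanges; apply 'Disable Machine Account Password Changes' (Device Optimizer or OU GPO) before imaging."
    }
}

# Check 2: the PVS rotation interval must be strictly less than the OU's
# maximum machine account password age, or accounts may be unable to log on.
if ($PvsPasswordChangeDays -ge $maxAgeDays) {
    $findings += "PVS 'Enable automatic password support' ($PvsPasswordChangeDays days) is not less than MaximumPasswordAge ($maxAgeDays days); lower the PVS interval or raise the GPO value."
}

foreach ($f in $findings) { Write-Warning $f }

# Summary object for scripting / reporting.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    StandardImage          = [bool]$StandardImage
    DisablePasswordChange  = $disableChanges
    MaximumPasswordAgeDays = $maxAgeDays
    PvsPasswordChangeDays  = $PvsPasswordChangeDays
    Compliant              = ($findings.Count -eq 0)
    Findings               = $findings
}
```

Run without -Fix first and review the warnings; when the device is only ever going to run in Private Image mode, omit -StandardImage and the script only performs the password age comparison, matching the guidance above that the setting need not be applied to Private Image disks.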

If you should ever encounter a situation where the Active Directory machine account passwords are out of sync, Provisioning Server 4.x and earlier provide a command line utility for resetting machine accounts. In Provisioning Server 5.x this function has been incorporated into the management console.

Following these best practices will help you keep Active Directory machine accounts and provisioned target devices that use a Standard virtual disk in sync. When Provisioning Server is used with XenServer and XenDesktop, these best practices apply equally, as those technologies are also used to deliver devices that may need Active Directory machine account password synchronization.