Every now and then a particular issue creeps back into focus: a VM is reverted to a previous snapshot and its domain membership is broken, a new VM is created from a base image that was already domain joined, or some related scenario.
The first point to remember is that a snapshot is a moment in time. When you revert to a snapshot, the OS inside the VM goes back to exactly the state it was in at that moment, including every setting that was active then. Nothing outside the VM, Active Directory included, goes back with it.
This most commonly shows up with machines that were domain joined when the snapshot was taken. The machine then runs for a while, and during that time it rotates its machine account password (by default Netlogon on the client initiates this change every 30 days). When the VM is later reverted, the machine account password stored inside the VM no longer matches the one Active Directory holds for that computer object.
The machine still boots and runs, and it still has a computer account in Active Directory, but it is denied access to domain resources because the secure channel to a domain controller can no longer be established. Nothing looks out of place until the failures surface, either as users reporting errors such as "The trust relationship between this workstation and the primary domain failed" or by trawling the Event Logs for Netlogon errors.
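Before tearing anything down it is worth confirming that a stale machine password is actually the cause. The following is an added example, not part of the original post, showing how to check the secure channel from the reverted VM and how to compare the password change time Active Directory recorded against the snapshot's creation time. It assumes a domain-joined Windows VM, the ActiveDirectory RSAT module on whichever host runs the AD query, and an account allowed to read computer objects; CONTOSO, VM01 and the snapshot date are placeholders.

```powershell
# Added example (not from the original post): diagnose a broken secure channel
# after a snapshot revert. CONTOSO, VM01 and $snapshotTaken are placeholders.

# 1. On the reverted VM: can a secure channel to a DC still be established?
#    Returns $true/$false; -Verbose shows which DC was contacted.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

# 2. Same check through Netlogon. Anything other than
#    "Status = 0 0x0 NERR_Success" means the channel is broken.
nltest /sc_query:CONTOSO

# 3. Recent Netlogon errors on the VM (filtered by provider, not by a
#    specific event ID), which is where the trust failure is logged.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# 4. From a working admin host: when did AD last record a password change
#    for this computer? If PasswordLastSet is newer than the snapshot you
#    reverted to, the VM now holds a password AD no longer accepts.
$snapshotTaken = Get-Date '2024-05-01'   # placeholder: creation time of the snapshot
$comp = Get-ADComputer -Identity 'VM01' -Properties PasswordLastSet, LastLogonDate
$comp | Select-Object Name, PasswordLastSet, LastLogonDate
if ($comp.PasswordLastSet -gt $snapshotTaken) {
    Write-Warning "AD rotated VM01's machine password after the snapshot; the reverted VM's copy is stale."
}
```

Steps 1 to 3 run on the affected VM; step 4 runs wherever the RSAT module is installed, because the VM itself may no longer be able to query the domain. A healthy secure channel together with a PasswordLastSet older than the snapshot points at a different problem (DNS, time skew, a disabled account) rather than the one this post describes.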
There is some good background on machine accounts and Active Directory in the Directory Services blog post Machine Account Password Process, which is worth reviewing.
There are two ways to deal with this situation:
- Un-join the VM from the domain, delete the computer account from AD, and then re-join the domain.
- Prevent the machine account password from changing before taking any snapshots or capturing a base image: Disable machine account password changes
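The two remedies as PowerShell, in an added example that is not part of the original post. It also shows a lighter repair the post does not list: when the computer object still exists in AD, Test-ComputerSecureChannel -Repair (or netdom resetpwd) resets the machine password on both sides without leaving the domain or rebooting. Each step is meant to be run one at a time in an elevated session, not as a single script, since the unjoin and join steps reboot the machine. The domain name, VM01 and the credential prompt are placeholders.

```powershell
# Added example (not from the original post). Run step by step in an
# elevated session; contoso.local and VM01 are placeholders.
$domain = 'contoso.local'
$cred   = Get-Credential -Message 'Account allowed to join/repair computers'

# --- Option 1: leave the domain, delete the stale object, re-join ---
# On the VM (this reboots it):
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
# On an admin host with RSAT, once the VM is out:
Remove-ADComputer -Identity 'VM01' -Confirm:$false
# Back on the VM after it comes up in the workgroup (reboots again):
Add-Computer -DomainName $domain -Credential $cred -Restart

# --- Lighter alternative when the AD computer object is intact ---
# Resets the machine account password in AD and locally, then rebuilds the
# secure channel. No reboot, and the computer object keeps its SID and
# group memberships.
Test-ComputerSecureChannel -Repair -Credential $cred
# Equivalent classic tool (prompts for the password):
# netdom resetpwd /server:dc01.contoso.local /userd:CONTOSO\admin /passwordd:*
# Verify afterwards:
Test-ComputerSecureChannel -Verbose

# --- Option 2: stop password rotation BEFORE the snapshot / base image ---
# Same effect as the Group Policy setting
# "Domain member: Disable machine account password changes".
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $nl -Name DisablePasswordChange -Type DWord -Value 1
# Verify: DisablePasswordChange 1 = rotation off; 0 or absent = default
# rotation, governed by MaximumPasswordAge (days, default 30).
Get-ItemProperty -Path $nl -Name DisablePasswordChange, MaximumPasswordAge -ErrorAction SilentlyContinue
```

If the setting in Option 2 is delivered by Group Policy rather than set locally, Group Policy will overwrite the registry value at the next refresh, so apply it through a GPO scoped to the template or snapshot hosts instead of editing the registry by hand.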
Keep in mind that machine account passwords are designed to rotate silently in the background for a reason: to stop an untrusted or malicious machine from impersonating a trusted one and gaining access to your domain. Rotation also limits how long a machine secret that leaks, for example from a copied snapshot or base image, remains usable. So don't take changing this default behavior lightly. By disabling it you are making a conscious decision to increase risk and decrease security in your environment; if you must, scope the change to the hosts that are snapshotted or used as templates rather than to the whole domain.