VM - Windows domain machine trust relationship fails
Published: Vm
Estimated reading time: ~2 minutes
A little background
So you’ve got some VM’s lying around for testing and whatnot. You may rollback to various checkpoints or snapshots in order to test different scenarios.
Then occasionally, you find that you can’t log onto the domain anymore because the trust relationship has been lost.
At this point, you either:
- Log on with a local admin account
- Unjoin the domain and rejoin
or:
- Disconnect your VM’s networking
- Log in using some cached AD credentials
- Reconnect networking
- Unjoin the domain and rejoin
Either way, very annoying.
The issue is that the computer has lost trust with the domain. Just like a user, the computer account has a password that is regularly changed with the domain; we simply never see it happen. Behind the scenes, the Windows computer account dutifully changes its password at semi-regular intervals, depending on network connectivity.
So when you roll back or sideways to another snapshot of the VM, it becomes very likely that the computer changed its password between the time the snapshot was taken and the time you restored it. The snapshot still holds the old password, the domain controller only knows the new one, and the secure channel fails.
The fix is to disable the password change. Luckily, this is controlled by the local registry and does not require a GPO, although a sysadmin could override it with a GPO if they decided to write such a policy.
Obligatory warning
WARNING: The changes proposed present a security risk and are not intended for PRODUCTION machines. This is to ease pain in development and testing scenarios only.
Also, you’re messing with the registry, which is a good way to break Windows if you don’t know what you’re doing or you’re not careful.
The fix
One-liner:
REG ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v DisablePasswordChange /t REG_DWORD /d 00000001 /f
From a .reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
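As an added example (this is not from the original post), here is a PowerShell equivalent that reads the value before and after setting it, so you can confirm the change actually took, and then checks whether the secure channel to the domain is still healthy. The function names are my own; the registry path and value name are the ones from the post. Run it from an elevated prompt on the VM.

```powershell
# Added example, not part of the original post.
# Inspect, set and verify Netlogon's DisablePasswordChange, then test the secure channel.
# Run from an elevated PowerShell prompt on the domain-joined VM.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordChangeState {
    # Returns the current value: 0 = password changes enabled (default), 1 = disabled.
    # On a default install the value does not exist at all, which behaves like 0.
    $item = Get-ItemProperty -Path $key -Name 'DisablePasswordChange' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DisablePasswordChange
}

function Set-MachinePasswordChangeState {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # -Force creates the value if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $key -Name 'DisablePasswordChange' -PropertyType DWord -Value $Value -Force | Out-Null
}

Write-Host "Before: DisablePasswordChange = $(Get-MachinePasswordChangeState)"
Set-MachinePasswordChangeState -Value 1   # 1 for lab snapshots; pass 0 to restore the default
Write-Host "After:  DisablePasswordChange = $(Get-MachinePasswordChangeState)"

# Sanity check: does the VM still have a working secure channel with a domain controller?
# This needs network access to a DC and returns $false if the trust is already broken.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel to the domain is intact.'
} else {
    Write-Host 'Secure channel is broken. Test-ComputerSecureChannel -Repair -Credential (Get-Credential) resets it without a full unjoin/rejoin.'
}
```

Two practical notes. First, the same setting exists as the security option "Domain member: Disable machine account password changes" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options); if a domain GPO sets it, the local registry value is rewritten at the next policy refresh, so check the resulting policy with gpresult /r if your change keeps disappearing. Second, the rotation interval the post calls "semi-regular" is governed by "Domain member: Maximum machine account password age", which defaults to 30 days, so a snapshot older than that is the typical casualty.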
That’s it
Well, that’s it. Make sure these changes are in place prior to creating your first snapshot/checkpoint and you should (probably) be able to say farewell to the days of having trust issues – at least with your VM snapshots.