Does restoring a snapshot break domain connectivity? Here’s why.

This is a pretty common question on our internal mailing lists, and I’d imagine that it’s common outside of Microsoft as well, so I thought it would make a nice blog post (since I’m way behind on blogging…).

So, you have a VM that’s joined to a domain and working perfectly.  You take a snapshot so you can restore to this magical point of workingness at any time, and life is good.

One day, you need to fire up this VM and test something, so you revert to your snapshot and start the VM.  That’s when you’re told that the domain doesn’t trust your (virtual) workstation anymore.  What the heck just happened?  No changes were made to the snapshot!  That’s why it’s called a snapshot!  Why did this break?

Well, you’re right.  No changes were made to snapshot, and that’s part of the problem.

It’s part of the default Active Directory domain policies for a domain member to change the password for it’s account every now and then.  You’ve no doubt had to change the password for your User Account occasionally, so this shouldn’t be a surprise.  What may be a surprise is that the same thing happens for Computer Accounts.  That’s right – computers have accounts, too.

Every now and then (by default, it’s 30 days, but the value is configurable via domain policy), the workstation will negotiate a new password with the domain.  It all happens behind the scenes, so you’d never know it.  It just works.

Unless you, you know, have a domain-joined VM with snapshots.

The problem comes about because the workstation – at some point – negotiated a new password with the domain and recorded it for future use.  Then the snapshot was applied, and you turned your VM into a time traveler.  This VM from the past was brought into the future, and has no knowledge of anything that happened in the interim.  So, it thinks that it’s old password is still good.  And it tries to use that password.  And the domain says “um, no”.

Well that’s stupid. Why does Hyper-V let this happen?

It’s not just Hyper-V.  Many years ago, in my previous life as a network admin, this happened all the time to my VMWare images.  The same thing will happen in any situation where you convince Windows that the computer account password is something that it’s not (like restoring a snapshot or any other kind of backup).

Fine. What can I do about this?

There are three possibilities that I’m aware of.  If anyone has any other suggestions, please feel free to leave them in the comments.

1. If you can, change the default domain policy, or get an exception created for your computer account(s).
   This is not the best option because it opens up a security hole (small as it may be).
2. Log into a local administrator account on the system and leave the domain.  Then rejoin it.  The computer account will get updated with a new password that your workstation knows.  Alternately, you could use NETDOM.EXE to reset the computer account password.
   You could even automate this if you need to.
3. Sysprep the VM and create an unattend file that will configure it to your liking, and that will automatically join the domain for you.  Once the machine is sysprep’d, make a snapshot and restore to that one from now on.

Hope that helps.