Comments (12)

  1. JoeCode says:

    Thank you for the excellent blog. It explained exactly to me why I was seeing that error. I am in a test environment, so I have a large tree of VMs that are now broken because of a foolish step I took. I don't want to remove and join them every time I restore them, and I don't want to rebuild the tree of VMs. Is there a way to get the machine account password from my old VMs and send that password to the domain controller as my desired password?

  2. michael ong says:

    I want to say thank you for giving me a better picture of machine account passwords. We are on the way to deploying Deep Freeze and this was one of the stumbling blocks that we needed to get around.

  3. JJ says:

    JoeCode, did you find out a way to set the password on the DC?

  4. AcX says:

    I'm dealing with this problem right now, so this was some useful information for me. Thank you!

  5. cburke says:

    If you still have access to the registry *before* you restore your snapshot, you can grab the machine account password from it and then import it into the registry of the restored snapshot. I have done this successfully several times. It involved getting access to the keys via the system account. You can also automate the backup of these keys to another system, which I have also done so that I always have them ready.

  6. Chris says:

    There's a mistake in this. You don't need to change the password twice, as the DC only has knowledge of the current password (after replication has completed). Reverting to an earlier snapshot will break the VM after a single password change.

  7. RSA says:

    Hi,

    I am in the exact situation now. Is there any way to execute these commands remotely? I have lost my local admin account password.

    When I try to run the above netdom commands from the admin workstation, I am getting the error below.

    Logon Failure: The target account name is incorrect

    The command failed to complete successfully.

    Any ideas are welcome.

  8. Jeremy says:

    Just wanted to comment that your suggestion of snapshotting and restoring a domain controller is a bad one. If not done in a purely isolated environment it can cause restoration of deleted AD objects, corruption of existing objects and other very bad things. Look up USN rollback for a description of this mess. Best to keep your DCs current and fix the machines IMO.

  9. Menvert says:

    NOTE: this is the fastest way I know to resync a VM after reverting:

    NETDOM RESETPWD /server:<Domain_Controller> /UserD * /PasswordD * /SecurePasswordPrompt

    It will prompt for your account and then resync (it then takes some seconds for it to sync to your logon server, depending on what server you used in the above command). No reboot required.

  10. Thankful says:

    Hey Menvert, I've been looking for a way to do this for a while now. I'm not working on resyncing a VM to a domain controller, but I have been dealing with trust relationship error issues on Win7 thin clients.

    I've been trying to find a way to use a combination of local machine credentials and domain credentials to synchronize the machine local password and the domain password for AD computer accounts.

    The NETDOM command you provided did the trick, thanks!

  11. ssathue says:

    * Method 1

    1. Log in locally

    2. Run POWERSHELL as Administrator, then

    3. Test-ComputerSecureChannel -Credential DomainUser -Repair

    4. Done

    * Method 2

    1. Log in locally

    2. Run POWERSHELL as Administrator, then

    3. Reset-ComputerMachinePassword [-Credential <PSCredential>]

    4. Reboot
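
The two methods from comment 11 combined into one check-then-repair script. This is an added example, not part of any comment in this thread or of the original blog post. It assumes Windows PowerShell 5.1 running elevated on the affected domain member; the function name `Repair-MachineSecureChannel` and its `DomainController` parameter are hypothetical.

```powershell
# Added example (not from the thread). Run elevated in Windows PowerShell 5.1
# on the domain member whose trust relationship is broken.
# Repair-MachineSecureChannel and its parameter names are hypothetical.
function Repair-MachineSecureChannel {
    [CmdletBinding()]
    param(
        # Domain account allowed to reset this computer's account password.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential,

        # Optional: a specific DC to talk to, as with NETDOM's /server switch.
        [string]$DomainController
    )

    $target = @{}
    if ($DomainController) { $target.Server = $DomainController }

    # Step 0: change nothing if the secure channel is already healthy.
    if (Test-ComputerSecureChannel @target -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Healthy = $true; Action = 'None'; RebootNeeded = $false }
    }

    # Method 1: repair in place; returns $true once the channel is re-established.
    $repaired = $false
    try {
        $repaired = Test-ComputerSecureChannel @target -Repair -Credential $Credential -ErrorAction Stop
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
    }
    if ($repaired) {
        return [pscustomobject]@{ Healthy = $true; Action = 'Repair'; RebootNeeded = $false }
    }

    # Method 2: reset the machine account password; comment 11 follows this with a reboot.
    Reset-ComputerMachinePassword @target -Credential $Credential -ErrorAction Stop
    [pscustomobject]@{
        Healthy      = [bool](Test-ComputerSecureChannel @target -ErrorAction SilentlyContinue)
        Action       = 'ResetPassword'
        RebootNeeded = $true
    }
}

# Prompts for the domain credential instead of placing it on the command line.
Repair-MachineSecureChannel -Credential (Get-Credential)
```

The returned `Action` field records which method took effect, which is useful when running this across many restored VMs.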

  12. Md.Imran says:

    Hi,

    This third solution is too critical for a domain environment because one of the domain controller snapshots will revert back and replicate to the entire configured domain.

    (3) The final strategy is a bit sophisticated. Create your own domain controller VM and host it alongside the domain member VM you are using. Snapshot and restore both of them together so that there is never any mismatch. As a bonus, since you have your own domain controller, there are a lot of other powerful things you can do. The product I work on, Visual Studio Lab Management 2010, provides a feature called Network Isolation to make this process easier.