Problems with virtual machines and domain membership

Every now and then some one will contact me for help, saying “I have a virtual machine that was working just fine – and now it refuses to log into the domain to which it is joined”.  Assuming that networking is working fine (and sometimes this is caused by someone fiddling with their network settings and not realizing the consequences 🙂 this is usually caused by the fact that the domain controllers no longer trust your virtual machine.  There can be two reasons for this to happen:

  1. Your virtual machine has not logged into the domain in quite a while.

    All Active Directory domains have a ‘time out’ value – where if a computer is not seen on the network for a given period of time – its account is deleted (okay – tomb stoned – but I am not going to go into the details on that).  This usually happens after 90 days.  If this happens you will not be able to log into the domain.  Now – unlike with a physical computer – it is actually quite easy to go 90 days without logging into a virtual machine that you setup to test one specific thing.

  2. You ‘undid’ an account detail change.

    When a computer is joined to a domain – the domain controller creates and manages an account for that computer.  Now – for security purposes – details of this account are periodically updated by the domain controller and pushed down to the computer.  If this happens – and you then ‘undo’ the changes (by having undo disks enabled and choosing to delete them) then the domain controller will no longer trust your virtual machine.

In either situation the only solution is to login to your virtual machine using the local administrator account, leave the domain and then join it again.