"Windows cannot connect to the domain" when trying to log on to a virtual machine that has been offline or reverted to a snapshot
Issue
When trying to log on to the virtual machine the following error is reported:
"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."
The system Event log reports the following errors:
Event ID: 3210
"This computer could not authenticate with \\dc.domain.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator."
Event ID: 40960
"The Security System detected an authentication error for the server cifs/dc.domain.com. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"."
Event ID: 40960
"The Security System detected an authentication error for the server LDAP/dc.domain.com/domain.com@domain.com. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"."
On a Microsoft Windows NT-based host the computer account passwords are regularly changed for security purposes. By default, on Windows 2000/2003-based hosts, the computer account password automatically changes every 30 days.
The secure channel's password is stored together with the computer account on the primary domain controller (PDC), and is replicated to all backup domain controllers (BDCs). The password is also stored on the host itself in the LSA secret $MACHINE.ACC.
If the password is not changed for "MaximumPasswordAge" days the machine account becomes invalid, denying domain logon.
If a machine is reverted to a previous snapshot the secure channel password on the host could differ from the copy held by domain controllers, denying domain logon.
Resolution
Disable computer account password changes on the affected host and rejoin the domain:
HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
"DisablePasswordChange"=dword:00000001
References
Effects of machine account replication on a domain
http://support.microsoft.com/kb/175468
Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/kb/888794
In Windows XP and Windows Server 2003, machine account password settings can also be configured using Group Policy Editor (Gpedit.msc). To configure these settings:
- Expand Local Computer Policy | Windows Settings | Security Settings | Local Policies | Security Options.
- Domain Member: Disable machine account password changes (DisablePasswordChange)
- Domain Member: Maximum machine account password age (MaximumPasswordAge)
- Domain Controller: Refuse machine account password changes (RefusePasswordChange)
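The following PowerShell script is an added example, not part of the original article: it reads the Netlogon rotation settings described above, tests whether the secure channel to a domain controller still works after a snapshot revert, lists recent 3210/40960 events, and can apply the DisablePasswordChange value. It uses Test-ComputerSecureChannel -Repair as an alternative to a full domain rejoin; the switch names are hypothetical and it assumes Windows PowerShell 5.1 run elevated on the domain-joined guest.

```powershell
# Added example (not from the original article): audit and optionally fix the
# secure-channel state of a VM that may have been reverted to a snapshot.
# Assumes an elevated Windows PowerShell 5.1 session on the domain-joined guest.
param(
    [switch]$DisableRotation,   # hypothetical switch: set DisablePasswordChange=1
    [switch]$Repair,            # hypothetical switch: re-establish the secure channel
    [PSCredential]$Credential   # domain account allowed to reset the computer account
)

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Current rotation settings. The values are absent when the defaults apply
#    (rotation enabled, MaximumPasswordAge = 30 days).
$params   = Get-ItemProperty -Path $netlogonKey
$disabled = if ($null -ne $params.DisablePasswordChange) { $params.DisablePasswordChange } else { 0 }
$maxAge   = if ($null -ne $params.MaximumPasswordAge)    { $params.MaximumPasswordAge }    else { 30 }
Write-Host "DisablePasswordChange=$disabled  MaximumPasswordAge=$maxAge days"

# 2. Does the host's copy of the secure-channel password still match the DC copy?
#    After a revert to an older snapshot this typically returns $false.
$channelOk = Test-ComputerSecureChannel
Write-Host "Secure channel healthy: $channelOk"

# 3. Recent evidence of the failure mode in the System log (IDs quoted in the article).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3210, 40960 } `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} else {
    Write-Host "No recent 3210/40960 events found."
}

# 4. Optional remediation.
if (-not $channelOk -and $Repair) {
    # Resets the computer account password on the DC and in the local LSA secret,
    # so the two copies agree again without leaving and rejoining the domain.
    Test-ComputerSecureChannel -Repair -Credential $Credential | Out-Null
    Write-Host "Secure channel after repair: $(Test-ComputerSecureChannel)"
}
if ($DisableRotation) {
    # Keep the machine password static so later snapshot reverts stay in sync with the DC.
    Set-ItemProperty -Path $netlogonKey -Name DisablePasswordChange -Value 1 -Type DWord
    Write-Host "DisablePasswordChange set to 1; a reboot or Netlogon restart applies it."
}
```

Run it from a local administrator account, since a domain logon is exactly what fails in this state; a static machine password removes the rotation the article describes, so scope DisablePasswordChange to the VMs that are actually snapshot-reverted.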
Products
Microsoft Windows XP Embedded (any)
Microsoft Windows XP SP2
Microsoft Windows XP (any)
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 RTM
Microsoft Windows Server 2003 (any)
Microsoft Windows 2000 SP4
Microsoft Windows 2000 (any)
Created: 14th August 2007
Updated: 14th August 2007
© 2005-2024 Jamie Morrison