Clones and snapshots are two of the many modern-day miracles to come from virtualization. No? So they're not as cool as VMware's vMotion, Distributed Resource Scheduling, High Availability, or Fault Tolerance, but they are the foundation on which that magic is built. What happens to the machine in your corporate domain when you need to revert a 90-day-old snapshot? What happens when you need to restore a VM from a clone that was taken six months ago?
Things break.
Some Contextual Info About Active Directory
Before we can talk about what breaks, we need to talk about why. Why? Because things do, and that is the way of it. Actually, in the case of AD (Active Directory), when you join a machine to your domain, a machine account is created on its behalf, and as long as the machine is powered on, its machine password is updated automatically. Without this AD relationship, the machine will not be able to process logins or query AD for user permissions and other access privileges.
Machine Account Password Process
For those who don't want to read, the relevant part for us is: "The machine account password change is initiated by the computer every 30 days by default". Now we can start to see why reverting an old running snapshot may become problematic. The same applies if you are replacing a VM with its clone and that clone is more than 30 days old.
What Breaks When Going Back
From the TechNet post linked above:
“Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages.”
Basically, authentication breaks. Without authentication, where are you? Well, exactly.
Fixing it
If you get into this situation, the best and easiest way to fix it is to remove your server from the domain, then rejoin it. Yes, it's kinda that simple. That it's simple does not mean it isn't a pain. After all, no one wants the PHB and that annoying accountant breathing down their necks while waiting on a reboot. It is best not to get into that situation in the first place, and to keep your clones and snapshots maintained. How you do that, however, is an exercise left to the reader.
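As an added example (not code from the original post), this PowerShell function estimates, before a revert, how many machine password changes separate a snapshot from the account's current password in AD. The function name and the sample dates are hypothetical, and it assumes changes happen on the default 30-day cadence quoted above.

```powershell
# Added example: estimate whether reverting a domain-joined VM to a snapshot
# will leave it with a machine password that AD no longer accepts.
# Assumption: the machine changed its password on a fixed cadence of
# $MaxPasswordAgeDays (30 by default, as quoted in the post).
function Get-SnapshotRevertRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$SnapshotDate,
        # Date AD last recorded a password change for the computer account, e.g.
        # (Get-ADComputer <name> -Properties PasswordLastSet).PasswordLastSet
        [Parameter(Mandatory)][datetime]$PasswordLastSet,
        [ValidateRange(1, 1000)][int]$MaxPasswordAgeDays = 30
    )

    if ($SnapshotDate -ge $PasswordLastSet) {
        # Snapshot was taken after the last change: it holds the current password.
        $changes = 0
    } else {
        # One change at PasswordLastSet, plus one per full interval before it.
        # A snapshot exactly on an interval boundary is counted conservatively.
        $daysBehind = ($PasswordLastSet - $SnapshotDate).TotalDays
        $changes = 1 + [int][math]::Floor($daysBehind / $MaxPasswordAgeDays)
    }

    # The password history holds the current and previous password only.
    $verdict = switch ($changes) {
        0       { 'OK: snapshot holds the current password' }
        1       { 'Likely OK: snapshot holds the previous password' }
        default { 'Expect broken trust: plan a domain rejoin after the revert' }
    }

    [pscustomobject]@{
        SnapshotDate     = $SnapshotDate
        EstimatedChanges = $changes
        Verdict          = $verdict
    }
}

# Constructed sample data: AD shows the last password change on 2024-06-01.
$lastSet = [datetime]'2024-06-01'
'2024-06-10', '2024-05-20', '2024-03-01' | ForEach-Object {
    Get-SnapshotRevertRisk -SnapshotDate ([datetime]$_) -PasswordLastSet $lastSet
} | Format-Table -AutoSize
```

After a revert, running `Test-ComputerSecureChannel` on the guest confirms whether its relationship with the domain actually survived.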
We used to run into this problem all the time with our Windows guests (almost all of which have non-persistent drives), but we've now sorted this problem by disabling computer password expiry as per this MS KB (http://support.microsoft.com/kb/154501). Of course, you might not have this option in every environment.
Grammar lesson:
it’s = contraction of “it is”
its = possessive.
You’re (not your) welcome.
LOL, thanks.