Clones and Snapshots, two of the many modern day miracles to come from virtualization. No? So they're not as cool as VMware's vMotion, Distributed Resource Scheduling, High Availability, Fault Tolerance, are they, but they are the foundation on which that magic is built. What happens to the machine in your corporate domain when you need to revert a 90 day old snapshot? What happens when you need to restore a VM from a clone that was taken six months ago?
Some Contextual Info About Active Directory
Before we can talk about what breaks, we need to talk about why. Why? Because things do, and that is the way of it. Actually in the case of AD (Active Directory), when joining a machine to your domain, a machine account is created on its behalf, and as long as the machine is powered on, its machine password is updated automatically. Without this AD relationship, the machine will not be able to process logins, or query AD for user permissions and other access privileges.
For those that don't want to read, the relevant part for us is: "The machine account password change is initiated by the computer every 30 days by default". Now we can start to see why reverting an old running snapshot may become problematic. The same applies if you are replacing a VM with its clone and that clone is more than 30 days old.
What Breaks When Going Back
From the TechNet post linked above:
"Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages."
Basically authentication breaks. Without authentication where are you? Well, exactly.
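A read-only check for the situation described above, as an added example that is not part of the original post: it estimates how many password changes separate an image from today, then tests the secure channel from inside the guest. The function names and sample dates are assumptions made for illustration, and the rotation count assumes the machine stayed powered on.

```powershell
# Added example, not from the original post. Run inside the Windows guest; changes nothing.

function Get-MachinePasswordPolicy {
    # Netlogon values that control the automatic machine account password change.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # No MaximumPasswordAge value means the 30-day default applies.
        MaxAgeDays     = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
        ChangeDisabled = ($p.DisablePasswordChange -eq 1)
    }
}

function Get-RevertRisk {
    param(
        [Parameter(Mandatory)] [datetime] $ImageTaken,   # snapshot or clone creation time
        [int] $MaxAgeDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $ageDays = [int][math]::Floor(($Now - $ImageTaken).TotalDays)
    # Upper bound (assumption): the password only rotates while the machine is powered on.
    $rotations = [int][math]::Floor($ageDays / [math]::Max(1, $MaxAgeDays))
    $risk = if ($rotations -eq 0) {
        'Low: image holds the current password'
    } elseif ($rotations -le 2) {
        'Elevated: relies on the password history'
    } else {
        'High: more than two changes since the image'
    }
    [pscustomobject]@{ AgeDays = $ageDays; Rotations = $rotations; Risk = $risk }
}

$policy = Get-MachinePasswordPolicy
$policy
# Constructed sample ages for the post's two scenarios (six months taken as 180 days).
$now = Get-Date
foreach ($days in 90, 180) {
    Get-RevertRisk -ImageTaken $now.AddDays(-$days) -MaxAgeDays $policy.MaxAgeDays -Now $now
}

# After a revert or restore: does the local machine password still match AD?
try {
    if (Test-ComputerSecureChannel -ErrorAction Stop) {
        'Secure channel OK'
    } else {
        'Secure channel broken: remove from the domain and rejoin'
    }
} catch { "Secure channel check failed: $($_.Exception.Message)" }
```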
If you get into this situation, the best/easiest way to fix it is to remove your server from the domain, then rejoin it. Yes, it's kinda that simple. That it's simple does not mean that it is not a pain. After all, no one wants the PHB and that annoying accountant breathing down their necks while waiting on a reboot. Best not to get into that situation, however, and to maintain your clones and snapshots. How you do that, however, is an exercise left up to the end reader.