VMware Cloud Community
rameuniver
Enthusiast

Active Directory Restored from Virtual Machine Clone not authenticating

Hi,

We are running Active Directory and DNS Server on the same Windows Server 2008 R2 as a virtual machine on the vSphere 5 platform. Since it is a college environment, every month we have to delete or create 1000 users. Recently the iSCSI-based storage which is used to store the virtual machines (including the Active Directory VM) was corrupted. Then we restored the Active Directory server from the clone image (of Active Directory) which was taken in Dec 2012. But now all the client machines are unable to authenticate through Active Directory. If we rejoin the client machines to Active Directory, then the authentication is successful. But in this way we have to rejoin the 5000 client machines, which will take more than 10 days to complete.

1) Are there any alternative solutions to make client machines authenticate through Active Directory without rejoining the domain?

2) Why is there a change in the client machines' behavior even after restoring the clone of the existing Active Directory VM?

JimKnopf99
Commander

Hi,

it is always a bad thing to revert an Active Directory from a clone or snapshot.

Check out this article that describes the issue.

If you do not have any Windows Backup from that AD machine, then you are lost.

Frank

http://professionalvmware.com/2009/06/active-directory-machine-accounts-and-vmware-clones-and-snapsh...

If you find this information useful, please award points for "correct" or "helpful".
jdptechnc
Expert

rameuniver wrote:

Hi,

We are running Active Directory and DNS Server on the same Windows Server 2008 R2 as a virtual machine on the vSphere 5 platform. Since it is a college environment, every month we have to delete or create 1000 users. Recently the iSCSI-based storage which is used to store the virtual machines (including the Active Directory VM) was corrupted. Then we restored the Active Directory server from the clone image (of Active Directory) which was taken in Dec 2012. But now all the client machines are unable to authenticate through Active Directory. If we rejoin the client machines to Active Directory, then the authentication is successful. But in this way we have to rejoin the 5000 client machines, which will take more than 10 days to complete.

1) Are there any alternative solutions to make client machines authenticate through Active Directory without rejoining the domain?

2) Why is there a change in the client machines' behavior even after restoring the clone of the existing Active Directory VM?

The reason why authentication is failing is because the workstations have reset their machine passwords more recently than the backup that you have of Active Directory. Active Directory has whatever the machine account passwords would have been in December, and authentication is failing. When this happens, the workstation loses its trust relationship with the domain, and that computer has to be re-added to the domain.

Sorry... I don't think you have any recourse.

Here is an article from the Active Directory team that goes into a little more detail about how computers periodically reset their machine credentials:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Please consider marking as "helpful", if you find this post useful. Thanks!... IT Guy since 12/2000... Virtual since 10/2006... VCAP-DCA #2222
rickardnobel
Champion

rameuniver wrote:

1) Is there any alternative solutions to make Client machines authenticated through Active Directory without rejoining to domain?

As others have pointed out, the reason for the lack of client access is that the computer passwords are changed every 30 days by default. If you have no more recent backup of the domain controller than about 6 months old, then only a rejoin or a computer password reset is possible.

It might be a bit late to point out, but Active Directory is meant to not be a single point of failure. You should always have at least two copies of the directory services database, i.e. two domain controllers replicating all information for load balancing and fault tolerance.

In your case you might now look at the netdom.exe command line tool. It is possible to join machines / reset machine passwords remotely if you know the local administrator password. This might save you some time instead of physically rejoining every PC.

My VMware blog: www.rickardnobel.se
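The netdom.exe approach from the reply above, as an added example that is not code from any poster in this thread: it runs "netdom reset" against a list of workstations using the local administrator account and logs the outcome per machine. The domain name, DC name, file paths and account name are hypothetical values.

```powershell
# Added example (not from the thread): bulk-reset member computers' secure channel
# with netdom.exe after the domain controller was restored from an old clone.
# Hypothetical values: domain 'college.local', DC 'DC01', a local 'Administrator'
# account on every workstation, and a text file with one hostname per line.
$Domain     = 'college.local'
$DcName     = 'DC01'                       # the restored domain controller
$LocalAdmin = 'Administrator'              # local admin account on each workstation
$Computers  = Get-Content -Path 'C:\temp\computers.txt' | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -ne '' }
$Log        = 'C:\temp\netdom-reset.log'

# Ask once for the local admin password instead of keeping it in the script file.
$Secure = Read-Host -Prompt "Local admin password for $LocalAdmin" -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

foreach ($pc in $Computers) {
    # Machines that are switched off get logged and can be retried on a later run.
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        "$(Get-Date -Format s) $pc OFFLINE" | Out-File -FilePath $Log -Append
        continue
    }
    # netdom reset renegotiates the machine account password between the member
    # and the named DC, re-establishing the secure channel without a full rejoin.
    # /UserO and /PasswordO are the credentials used to connect to the workstation.
    $out = & netdom.exe reset $pc /Domain:$Domain /Server:$DcName `
              /UserO:$LocalAdmin /PasswordO:$Plain 2>&1
    $status = if ($LASTEXITCODE -eq 0) { 'RESET_OK' } else { "FAILED(exit $LASTEXITCODE)" }
    "$(Get-Date -Format s) $pc $status $($out -join ' ')" | Out-File -FilePath $Log -Append
}
$Plain = $null
```

Entries logged as FAILED still need attention: a workstation joined after the clone date has no computer account in the restored directory, so a reset cannot succeed there and only a new join will.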