VMware Cloud Community
mschddny
Contributor

Can't log in to the domain after the VM has been powered off for a few days or more

Running esx2.54 build 38650. Created 5 XP workstations in undoable mode. The users will often commit changes before powering off the images. If the image is off for more than 3 days, the users can no longer log in because the domain doesn't recognize their credentials. So we have to take the image out of Active Directory 2003 and then put the image back in.

Has anybody seen this behavior before? I had this with VMware workstations whose images were also part of a 2003 AD and were undoable.

I opened a support ticket with VMware but they were not too helpful. They claim it is AD. But what happens when a user leaves for vacation, shuts their PC down and comes back 10 days later? I haven't heard of any problems with those users losing credentials.

Second question: can I escalate the ticket to second line help?

thanks

0 Kudos
8 Replies
Dave_Mishchenko
Immortal

Your post has been moved to the Virtual Machine and Guest OS forum. It sounds like a problem with the computer's domain account, but that would be more an issue if the users were reverting to a snapshot rather than committing changes. Anyways the KB article to disable computer account password changes is here - http://support.microsoft.com/kb/175468.

Dave Mishchenko

VMware Communities User Moderator

mike_laspina
Champion

Hi,

The default password change values should not be an issue. However, if the values have been changed you may have issues. Normally the computer account has 60 days to change before the account password will be refused and communication in the domain will halt. Please do not set the machine account to not change as it is not good in a security context. A very likely cause of this issue may be due to a time sync failure. If the time drifts too far it may refuse to communicate as well. These are all settings in the local domain controller policies.

http://blog.laspina.ca/ vExpert 2009
mschddny
Contributor

So Mike, are you saying to disregard the KB Dave suggested and look for time sync failure settings instead?

0 Kudos
Dave_Mishchenko
Immortal

Look at your time settings first.

0 Kudos
mike_laspina
Champion

I'm not saying disregard Dave's suggestion. I'm saying it is not a best security practice to leave machine account passwords static. And yes, check the time issue first and also check if the machine account password expire time was changed, because if it's that short you will have other problems on the domain.

http://blog.laspina.ca/ vExpert 2009
0 Kudos
mschddny
Contributor

OK, this will have to wait for tomorrow for the AD guys. Our team doesn't have access to the AD.

But I did check the local computer policy like the KB suggested and the settings were already what Microsoft said to do, with the exception of the last, which is not even defined.

0 Kudos
mschddny
Contributor

What we found the problem to be is the images are in undoable mode and the KB article that Dave found.

For each Windows computer that is a member of a domain, there is a discrete communication channel with a domain controller.

It's that password that gets out of sync.

Basically the users discard far more than they commit changes. So that is how these passwords become mismatched.

We see 2 options available:

1. Take them out of the domain and leave the images in a workgroup

2. Or set in the local policy this: Refuse machine account password changes

I think we will go with the workgroup.

0 Kudos
mike_laspina
Champion

I would also agree that the machine sit in a workgroup of the same name as the domain.

http://blog.laspina.ca/ vExpert 2009
0 Kudos
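
The checks suggested in this thread (time sync first, then the machine account password settings from KB 175468, then the secure channel itself) can be collected in one pass on an affected guest. The script below is an added example, not code from any poster; it assumes Windows PowerShell 5.1 on the domain-joined guest, and the `$TimeSource` and `$MaxSkewSeconds` parameters are illustrative names.

```powershell
# Added diagnostic sketch; run in an elevated Windows PowerShell session on the guest.
param(
    # Host to compare the clock against. Assumption: the joined domain's DNS
    # name resolves to a domain controller; pass a DC name explicitly otherwise.
    [string]$TimeSource = (Get-CimInstance Win32_ComputerSystem).Domain,
    # Default Kerberos clock-skew tolerance is 5 minutes.
    [int]$MaxSkewSeconds = 300
)

# Netlogon values described in KB 175468. A missing value means the Windows
# default applies: password changes enabled, 30-day maximum password age.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $key
$disable = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
$maxAge  = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }

# 1. Clock offset between this guest and the time source (one sample).
$sample = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
$skew = if ($sample) { [double]$sample.Matches[0].Groups[1].Value } else { $null }

# 2. Does the machine account password held in this disk state still match
#    the one the domain has? Returns $true or $false.
$channelOk = Test-ComputerSecureChannel

[pscustomobject]@{
    ClockOffsetSeconds     = $skew
    ClockWithinTolerance   = if ($null -ne $skew) { [math]::Abs($skew) -le $MaxSkewSeconds } else { $null }
    SecureChannelValid     = $channelOk
    DisablePasswordChange  = $disable
    MaximumPasswordAgeDays = $maxAge
}

if (-not $channelOk) {
    Write-Warning 'Secure channel is broken: the machine account password on this disk no longer matches the domain.'
}
if ($disable -eq 0) {
    Write-Warning 'Password changes are enabled: a change made in a session that is later discarded will leave this disk with a stale password.'
}
```

Running it right after a discard, before any user tries to log on, shows whether that disk state still has a valid secure channel. `Test-ComputerSecureChannel -Repair -Credential <domain admin>` resets the machine account password without removing and re-adding the computer to the domain.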