I hope this post will be useful for administrators who experiment with homelab and development servers and test a lot of new features. In my lab environment, I regularly take snapshots of the virtual machines running on my ESXi hosts, because restoring a working snapshot saves a lot of time compared with troubleshooting boot issues. Snapshots let me return to the point I was working at on an earlier day, and they also let me restore a virtual machine to its previous working state if a software installation corrupts it.
I have mostly faced an issue when restoring a Windows domain machine to a snapshot taken more than 30 days earlier. Why do I insist on the number 30? Let me explain. By default, every 30 days the Active Directory server changes the machine key of each of its domain members. So when you restore a snapshot that is older than 30 days, the trust relationship between the workstation and the domain fails. In a production environment you may have to follow different steps, and removing the server from the domain and rejoining it can be the solution, but in a lab environment security is not an important concern. Rejoining lab servers to the domain is time-consuming and wastes the spare time you have for your lab. Below is the fix for the issue. Please note that the steps below are recommended only for test and development environments. Performing them in production will definitely be a security issue.
1. Log in to your domain controller server.
2. Select Start -> Administrative Tools -> Group Policy Management.
3. In the Group Policy Management console, right-click your Default Domain Policy (if you don't have a specific OU created for your test and development servers) and click Edit.
4. Browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, select the policy "Domain member: Maximum machine account password age" and edit it. By default it is 30 days. Select the check box "Define this policy setting" and type 999, which is the maximum allowed value.
Domain member: Maximum machine account password age = 999
5. Edit the policy "Domain member: Disable machine account password changes" by selecting the check box "Define this policy setting" and selecting Enabled. By default it is Disabled.
Domain member: Disable machine account password changes = Enabled
6. Along with the above two policies, you may also restrict machine account password changes using another policy under "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options": select "Domain controller: Refuse machine account password changes", select the check box "Define this policy setting" and select Enabled. By default it is Disabled.
Domain controller: Refuse machine account password changes = Enabled
7. Run the command "gpupdate /force" on all servers where the change is required, so that they pick up the applied group policy immediately.
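To confirm after step 7 which machines actually picked up these settings, the following added example (not part of the original post) reads the Netlogon registry values behind the three policies and checks the secure channel. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined machine; the function name `Get-MachinePasswordPolicyState` is hypothetical.

```powershell
# Added example: report the Netlogon settings changed by the three policies above.
# Assumption: elevated Windows PowerShell 5.1 on a domain-joined machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry values behind the three Security Options, with their default values.
# RefusePasswordChange is only acted on by domain controllers.
$settings = @(
    @{ Name = 'MaximumPasswordAge';    Default = 30
       Policy = 'Domain member: Maximum machine account password age' }
    @{ Name = 'DisablePasswordChange'; Default = 0
       Policy = 'Domain member: Disable machine account password changes' }
    @{ Name = 'RefusePasswordChange';  Default = 0
       Policy = 'Domain controller: Refuse machine account password changes' }
)

# Hypothetical helper: one object per policy with the effective value.
function Get-MachinePasswordPolicyState {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($s in $settings) {
        $prop = if ($props) { $props.PSObject.Properties[$s.Name] } else { $null }
        # An absent registry value means the default applies.
        $value = if ($prop) { [int]$prop.Value } else { $s.Default }
        [pscustomobject]@{
            Policy  = $s.Policy
            Value   = $value
            Default = $s.Default
            Changed = ($value -ne $s.Default)
        }
    }
}

Get-MachinePasswordPolicyState | Format-Table -AutoSize

# Test-ComputerSecureChannel returns $true while the locally stored machine
# account password still matches the copy held by the domain.
if (Test-ComputerSecureChannel) {
    Write-Output 'Secure channel to the domain is healthy.'
} else {
    Write-Output 'Secure channel is broken: the trust relationship has failed.'
}
```

Because step 3 edits the Default Domain Policy when no lab OU exists, running this on a machine outside the lab shows whether the weakened settings reached it: any row with `Changed = True` there means the policy scope is wider than intended.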
All set! You are now free of the trust relationship issue when restoring from a snapshot. I believe this was informative for you. Thanks for reading!