Preventing VM’s From Falling Off The Domain

When working in a virtual lab and continuously rolling back machine snapshots, you may find your machines being kicked off the domain unless you have taken steps to prevent it, because a snapshot can restore a machine account password that the domain no longer accepts (see here for a more detailed explanation). There’s a widely known registry tweak to prevent this happening, but if you are able to manage the domain, there is a much easier way: use group policy to ensure that the setting is applied to all of your VMs automatically.

This is the registry key (from http://support.microsoft.com/kb/154501):

  • Key: HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
  • Name: DisablePasswordChange
  • Value: REG_DWORD 1

Also, the following article shows you how to do this via group policy:

http://technet.microsoft.com/en-us/library/cc785826(v=ws.10).aspx

You can either apply the policy to a limited number of test machines in their own OU or, if the domain is strictly being used for test purposes, you can just apply it to the Default Domain Policy like I did. After setting this key, either reboot or run the command ‘gpupdate /force’ to apply the policy before taking your snapshots.
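A pre-snapshot check for the step above, as an added example that is not part of the original post: it refreshes policy, confirms the DisablePasswordChange value has actually reached the VM, and confirms the machine's secure channel to the domain is healthy. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined VM; the function name Test-SnapshotReadiness is hypothetical.

```powershell
# Added example: verify a lab VM is safe to snapshot (function name is hypothetical).
function Test-SnapshotReadiness {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name = 'DisablePasswordChange'

    # A missing value means Netlogon uses its default (password changes enabled).
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    # Check that the locally stored machine account password still matches the domain's.
    # The cmdlet throws on a machine that is not domain-joined, so treat errors as unhealthy.
    try {
        $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        $channelOk = $false
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DisablePasswordChange = $value
        PasswordChangeOff     = ($value -eq 1)
        SecureChannelHealthy  = $channelOk
        ReadyForSnapshot      = (($value -eq 1) -and $channelOk)
    }
}

# Pull the policy now rather than waiting for the next background refresh.
gpupdate /force | Out-Null

$result = Test-SnapshotReadiness
$result | Format-List

if (-not $result.PasswordChangeOff) {
    Write-Warning 'DisablePasswordChange is not 1: the policy has not applied to this VM yet.'
}
if (-not $result.SecureChannelHealthy) {
    Write-Warning 'Secure channel is broken: fix domain membership before taking the snapshot.'
}
```

Snapshotting a VM whose secure channel is already broken just preserves the broken state, which is why the check covers both conditions.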

If the worst happens and you have to rejoin the domain, most people will take the machine off the domain and join a workgroup, reboot, re-join the domain, then reboot again. However, you can skip the workgroup step altogether and save yourself an unnecessary reboot. The GUI for changing the computer name/domain will not let you press OK until you have changed the domain name or removed it. You can fool it into thinking you’ve changed it by trimming the name down to just the lowest-level part, e.g. change ‘testlab.local’ to just ‘testlab’. When you press OK, it should automatically resolve the fully qualified domain name:

Changing the domain name

3 responses on “Preventing VM’s From Falling Off The Domain”

  1. Why not just leave the sequencing VM in a workgroup? How many applications do you sequence that actually require sequencing on a domain member?

    1. Anonymous

      Indeed, it’s probably best to just leave the sequencer off the domain in the first place.  This tip is more useful for any clients/servers you may be snapping and reverting.

  2. I can think of a reason to have the sequencer in the Domain. You may want to store all of your company’s media for sequencing on a separate system that needs to be password protected on a domain, or similarly with storing all the App-V packages that you are creating on the sequencer. It will also make it easier to move your completed packages to your App-V Management Server which should also be protected behind AD security.
