It is very common for people that use labs to have times where a computer loses its trust relationship with the domain. For example, if you restore the computer from backup or if you perform a restore from a snapshot in a virtualization environment, you will likely run into this problem.
For me, there are times when I need to roll back a server to a previous snapshot because I decided to experiment on it. Of course, before I start my experiment (otherwise known as a test of a wild idea), I take a snapshot. When my test fails (usually it is a horrible result), I need to restore from my previous snapshot.
The issue is this: between the time I take my snapshot and the time I need to restore it, there is a possibility that the domain controller reset the computer account password. When I restore the computer, it no longer has the valid computer account password, so it is not able to properly join the domain. I can re-join it to the domain, but it becomes a bit of a pain in the rear, and I don’t want to do that on a regular basis.
So, what I do in my lab environment is to configure my domain controllers so that they do not reset the computer account passwords. This way, when I restore an older snapshot or image, it will still properly join the domain. To configure the domain controllers, you need to use the registry editor and perform the following steps:
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Create a new REG_DWORD value named RefusePasswordChange and set it to 1
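The two registry steps above as a PowerShell script, for an elevated session on the lab domain controller; it reports the value before and after so you can confirm the state and revert it when the lab work is done. This is an added example, not code from the original post, and the function names Get-RefusePasswordChange and Set-RefusePasswordChange are made up for illustration.

```powershell
# Added example: audit or toggle RefusePasswordChange on a lab domain controller.
# Function names are hypothetical; the key path and value name come from the steps above.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName   = 'RefusePasswordChange'

function Get-RefusePasswordChange {
    # Returns the current DWORD, or $null when the value has never been created.
    $item = Get-ItemProperty -Path $NetlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-RefusePasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 = setting described above (lab use); 0 = back to normal behaviour
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value
    )

    $before = Get-RefusePasswordChange
    if ($before -ne $Value -and
        $PSCmdlet.ShouldProcess("$NetlogonKey\$ValueName", "Set REG_DWORD to $Value")) {
        # -Force creates the value if it is missing and overwrites it if present.
        New-ItemProperty -Path $NetlogonKey -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Emit a record of what changed so it can be logged or compared later.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $ValueName
        Before   = if ($null -eq $before) { '(not set)' } else { $before }
        After    = Get-RefusePasswordChange
    }
}

# Example calls (uncomment the one you need):
# Get-RefusePasswordChange                    # audit only, changes nothing
# Set-RefusePasswordChange -Value 1 -WhatIf   # preview the change
# Set-RefusePasswordChange -Value 1           # apply the lab setting
# Set-RefusePasswordChange -Value 0           # revert before reusing the DC elsewhere
```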
If you do a search on the Internet for RefusePasswordChange you will find several articles that explain this simple process. However, you may not have known that it existed.