7

I have a number of virtual machines which have snapshots applied by using a PowerShell script. Occasionally, the virtual machines lose their "trust relationship" with the domain. This breaks the script as I can no longer use PowerShell remoting to get into the machines and configure them.

How can I remotely reset the trust relationship of these virtual machines? Perhaps there are possibilities for rejoining the domain that don't involve remoting?

Any alternate solutions to manually rejoining the domain require logging in to the computer and doing this locally. I haven't found anything that can do this otherwise.

So far, I've attempted to put together a script that simply remotes into the box as the local administrator:

# Build a credential for the remote VM's local Administrator account
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("Administrator", $password)
# Open a remoting session to the VM with that credential
$sesh = New-PSSession -ComputerName "theMachine" -Credential $cred

At this point, I was hoping to use PowerShell to reset the password or something like that to reset the domain trust relationship. However, this results in an error on the last line: Access is Denied.

I don't think you can use the local administrator account with PowerShell remoting. Is there any other way I can remotely get a virtual machine that has lost its domain trust relationship to rejoin the domain?

tnw
  • If this is going to be a constant issue, you may want to look at setting the GPO to not change the computer passwords. – Rex Sep 23 '13 at 16:54

1 Answer

10

This happens because domain-joined computers automatically change their machine account passwords every 30 days. The client initiates its own password change and stores it in Active Directory. When you revert to a snapshot from a time before the last machine account password change, the password stored in AD no longer matches the password that the computer is trying to use to log on to the domain.

To disable machine account password changes on the client computer:

1. Start Registry Editor.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. In the right pane, click the DisablePasswordChange entry.
4. On the Edit menu, click Modify.
5. In the Value data box, type a value of 1, and then click OK.

Also,

I don't think you can use the local administrator account with PowerShell remoting

Yes you can. You just can't use Kerberos. And since there's no mutual authentication without Kerberos, you need to add the remote computer to your list of Trusted Hosts in order to be able to use PowerShell Remoting to get to it.

Ryan Ries
  • Excellent answer! I will try this... I won't be sure if it works until the password expiration ticks over again, but I'll accept this. Thank you! – tnw Sep 24 '13 at 18:08
  • Don't forget that since you made a change to the registry, you will need to restart the NetLogon service for the change to take effect. – Ryan Ries Sep 25 '13 at 17:30
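The registry procedure and the Trusted Hosts advice above, put together into one script that can be run from the snapshot host; this is an added example and is not part of the question or the answer. It assumes the VM is named theMachine, that the domain's NetBIOS name is CORP, and that you hold both the VM's local Administrator password and a domain account allowed to reset computer objects. It also uses Test-ComputerSecureChannel -Repair, which the answer does not mention, so that the VM that is already broken gets its machine account password re-synchronised with AD in the same pass that turns off future password changes.

```powershell
# Added example: repair a VM whose machine account password fell out of sync with AD
# after a snapshot revert, then stop the client from rotating that password again.
# theMachine, CORP and the account names below are placeholders, not values from the page.
param(
    [string]$ComputerName = "theMachine",   # assumed VM name
    [string]$Domain       = "CORP"          # assumed NetBIOS domain name
)

# 1. Allow non-Kerberos (NTLM) remoting to this one host. Without Kerberos there is no
#    mutual authentication, so the WinRM client refuses the connection unless the target
#    is listed in TrustedHosts on the *client*. Add only this host; never use "*".
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (-not (($trusted -split ',') -contains $ComputerName)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
}

# 2. Authenticate as the VM's *local* Administrator. Qualifying the user name with the
#    host name makes it unambiguous that this is a local account, so the logon is not
#    resolved against the (currently broken) domain context.
$localCred = Get-Credential -UserName "$ComputerName\Administrator" `
                            -Message "Local Administrator on $ComputerName"

# 3. A domain credential is needed to write the new machine password into AD.
$domainCred = Get-Credential -UserName "$Domain\Administrator" `
                             -Message "Domain account allowed to reset computer objects"

$session = New-PSSession -ComputerName $ComputerName -Credential $localCred -Authentication Negotiate

$healthy = Invoke-Command -Session $session -ArgumentList $domainCred -ScriptBlock {
    param([pscredential]$DomainCred)

    # Re-establish the secure channel if it is broken. -Repair sets a new machine
    # account password on the client and in AD using the supplied domain credential.
    if (-not (Test-ComputerSecureChannel)) {
        Test-ComputerSecureChannel -Repair -Credential $DomainCred | Out-Null
    }

    # The registry change from the answer: stop the client from initiating its own
    # 30-day machine account password change, so later reverts cannot desynchronise it.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    Set-ItemProperty -Path $key -Name DisablePasswordChange -Value 1 -Type DWord

    # Netlogon reads this value at startup, so restart it for the change to take effect.
    Restart-Service Netlogon

    # Return the final state of the trust relationship to the caller.
    Test-ComputerSecureChannel
}

Remove-PSSession $session

if ($healthy) {
    Write-Host "$ComputerName: secure channel OK; machine account password changes disabled."
} else {
    Write-Warning "$ComputerName: secure channel still broken; check the domain credential and DNS."
}
```

Two caveats when using this. First, the registry value lives inside the VM, so a snapshot taken before the change still carries the old setting and the old password: take a fresh snapshot after the script reports the channel healthy, or every revert will undo the fix. Second, DisablePasswordChange=1 is the same setting the GPO "Domain member: Disable machine account password changes" controls (the option Rex's comment refers to); if that policy is enforced with a value of 0, Group Policy will overwrite the registry value on the next refresh, so set it at the policy level for these VMs rather than only in the registry.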