2,187
edits
Difference between revisions of "Troubleshooting (Virtual Machine)"
Jump to navigation
Jump to search
Troubleshooting (Virtual Machine) (view source)
Revision as of 10:33, 2 July 2012
, 10:33, 2 July 2012→Snapshots: Added "Revert to Snapshot Causes Trust Relationship Failure"
m (→Can't Connect to VM Console: Fixed restart the management services link) |
(→Snapshots: Added "Revert to Snapshot Causes Trust Relationship Failure") |
||
| Line 186: | Line 186: | ||
#* EG <code> scsi0:0.fileName = "MyVM-flat.vmdk" </code> ←←←←←← Base disk file ''(no snapshot running)'' | #* EG <code> scsi0:0.fileName = "MyVM-flat.vmdk" </code> ←←←←←← Base disk file ''(no snapshot running)'' | ||
# If there's no snapshots running, but snapshot files exist then the files can be deleted (if you're sure!) | # If there's no snapshots running, but snapshot files exist then the files can be deleted (if you're sure!) | ||
=== Revert to Snapshot Causes Trust Relationship Failure === | |||
When reverting a VM that is a member of a Windows domain to a snapshot you can get the following errors at boot up or when trying to logon | |||
* '''The trust relationship between this workstation and the primary domain failed''' | |||
* '''Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.''' | |||
The problem is caused by the VM's computer account, which is used by the domain client/snapshotted machine to access the domain controller, having an invalid password. Domain member servers periodically change the password they use to connect to the domain with (by default every 30 days). So if a VM is snapshotted, then following that updates its computer account password; on a revert to snapshot it will revert to the old invalid snapshot and be unable to login to the domain. | |||
* '''To resolve:''' | |||
*# The machine needs to be taken off the domain, and put back on (you'll need a domain account with rights to do this) | |||
* '''To prevent:''' - see note below | |||
** Disable machine account password changes | |||
**# On the domain member machine update the registry | |||
**# <code> HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\DisablePasswordChange </code> to <code>1</code> | |||
** Reduce machine account password change frequency | |||
**# On the domain member machine update the registry | |||
**# <code> HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge </code> to a higher value (in days), eg <code>60</code> | |||
{| class="vwiki-note" | |||
|- | |||
! The prevention options reduce domain security | |||
|- | |||
| They should only be actioned if you understand the risks and are not breaching any security policies that are in force. | |||
If its not a regular occurrence, its probably best to just live the problem, and resolve when required. Snapshots should be allowed to run for many days in normal operation, which means that the problem should not occur frequently in a well run environment. | |||
|} | |||
Further reading... | |||
* http://blogs.msdn.com/b/mikekol/archive/2009/03/18/does-restoring-a-snapshot-break-domain-connectivity-here-s-why.aspx | |||
* http://www.petri.co.il/working-with-domain-member-virtual-machines-and-snapshots.htm | |||
== Can't Customise == | == Can't Customise == | ||