Error connecting to domain - Page 2 - Techist - Tech Forum

Old 12-21-2006, 02:22 PM   #11 (permalink)
Master Techie
 
Join Date: Oct 2003
Posts: 2,258
Default

Warez,

Please note that I am an automation engineer for Windows 2k and XP deployments and that I have been supporting enterprise networks for the last 7 years, so maybe what I know doesn't apply to your realm of expertise, but I do know what I'm talking about.

In Windows 2003 domains, the machine as well as the users all maintain an authenticated state to the domain. This allows for multiple layers of security that will allow them to be allowed from the machine and the user, but not singularly. I.e., you can't take a machine that isn't part of the domain and hope to log on to the domain with your network account. The machine has to be part of the domain to do that. The same goes for an account. You can't attempt to log on to a machine without an account, and you can't use a network account to log on to a machine that you are not connected to the network and domain with.

Anyway, if you set up a domain, the default behavior of that domain is usually tailored to a security requirement you or a security-minded person defines. Let's take ours for example.
In our network, if a machine is offline for 60 days and attempts to reconnect to the network, the machine will not be allowed on, because we expired the machine account. This is a security step to prevent machines that have not gotten updates from antivirus or Windows Update from coming back in and infecting the rest of the network.
Anyway, from what I was getting from the poster, what he has done was capture an image of this machine from a few weeks ago. No sysprep involved or anything, just a straight backup of this machine. His intention was to use that image to restore the same machine back to a working state from several weeks previous. This is done a lot, and often, but here is the problem.
The domain and machine password, that allows the machine to communicate with the domain, was changed automatically after a period, 7 days I think is the default. Anyway, since the domain had updated the machine within the time period, as the machine was online and could be updated, the system had a new password for that machine. Meaning that when he restored the machine to a previous state, before the password was changed, the trust relationship could not be restored to that machine due to the password not being what it (the domain) was looking for.

This is very common in VMware environments, like the one we use for scripting and testing applications. If you revert your VMware system too far back, you lose the domain connection, because the passwords are not the same any more.

Also, this kind of application is done in a lot of environments, it's actually something Symantec did with Ghost Enterprise a long time ago, and it works wonderfully when set up and maintained. The only problem is making sure you don't go back beyond the password cycle, or you keep up with it.

Hope that clears up what I was saying.
Old 12-21-2006, 02:28 PM   #12 (permalink)
Newb Techie
 
Join Date: Dec 2005
Posts: 35
Default

Quote:
Originally posted by Inaris
In Windows domains, you can't use images to restore the machine to a previous state that is older than I think 7 days. The domain and machine have a relationship that uses a password to keep them together. When the domain cycles the password, and the machine doesn't update, the machine will not be able to get back on the domain until they are synced. Basically, do what Warez said to get it back online. Also, don't let your backups fall that far behind, or extend the machine password cycle to a longer period.
How do you "extend the machine password cycle to a longer period"?
Thanks.
Old 12-21-2006, 02:32 PM   #13 (permalink)
Techie Beyond Description
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default

Quote:
Originally posted by paulinnorway
Everything is working properly again
Thanks a million for the help......much appreciated!
Welcome

Inaris

I see what you mean, thanks
Old 12-21-2006, 02:35 PM   #14 (permalink)
Master Techie
 
Join Date: Oct 2003
Posts: 2,258
Default

from: http://support.microsoft.com/kb/175468
THIS IS ONLY FOR NT4 DOMAINS. NOT AD DOMAINS (2000 OR 2003)

Windows XP and Windows Server 2003
In Microsoft Windows XP and later versions, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
1. Click Start, click Run, type Gpedit.msc, and then press ENTER.
2. Expand Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Settings, expand Local Policies, and then expand Security Options.
3. Configure the following settings:
• Domain Member: Disable machine account password changes (DisablePasswordChange)
• Domain Member: Maximum machine account password age (MaximumPasswordAge)
• Domain Controller: Refuse machine account password changes (RefusePasswordChange)
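A read-only check for the settings listed above, as an added example that is not part of the original post or the KB article: it reads the three values from the Netlogon Parameters registry key and compares a backup image's capture time with the machine account's last password change. The function names, the sample dates and the host name WS-EXAMPLE01 are assumptions for illustration.

```powershell
# Added example (not from the thread). Registry key where the Netlogon
# service keeps the three settings named in the KB steps.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Values that are absent from the registry come back as $null / $false.
    $p = Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
        MaximumPasswordAgeDays = $p.MaximumPasswordAge
        RefusePasswordChange   = [bool]$p.RefusePasswordChange
    }
}

function Test-ImageAgainstPasswordChange {
    # Hypothetical helper: an image captured before the last machine account
    # password change holds a password the domain no longer expects.
    param(
        [Parameter(Mandatory)][datetime]$ImageCaptured,
        [Parameter(Mandatory)][datetime]$PasswordLastSet
    )
    $stale = $PasswordLastSet -gt $ImageCaptured
    if ($stale) {
        $action = 'Password changed after capture: expect a broken trust until machine and domain are resynced'
    }
    else {
        $action = 'No password change since capture: image holds the current machine password'
    }
    [pscustomobject]@{
        ImageCaptured   = $ImageCaptured
        PasswordLastSet = $PasswordLastSet
        ImageIsStale    = $stale
        Action          = $action
    }
}

# Local settings of the machine this runs on.
Get-MachinePasswordPolicy

# Constructed sample dates. In a real check, PasswordLastSet would come from
# the computer object in AD (requires the ActiveDirectory module), e.g.:
#   (Get-ADComputer WS-EXAMPLE01 -Properties PasswordLastSet).PasswordLastSet
Test-ImageAgainstPasswordChange -ImageCaptured '2006-12-01' -PasswordLastSet '2006-12-15'
```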
Old 12-21-2006, 02:55 PM   #15 (permalink)
Newb Techie
 
Join Date: Dec 2005
Posts: 35
Default

Quote:
Originally posted by Inaris
from: http://support.microsoft.com/kb/175468
THIS IS ONLY FOR NT4 DOMAINS. NOT AD DOMAINS (2000 OR 2003)

Windows XP and Windows Server 2003
In Microsoft Windows XP and later versions, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
1. Click Start, click Run, type Gpedit.msc, and then press ENTER.
2. Expand Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Settings, expand Local Policies, and then expand Security Options.
3. Configure the following settings:
• Domain Member: Disable machine account password changes (DisablePasswordChange)
• Domain Member: Maximum machine account password age (MaximumPasswordAge)
• Domain Controller: Refuse machine account password changes (RefusePasswordChange)
Great! Thanks a lot.