I just came across the following question on LinkedIn in a group called “IT Core Infrastructure”:
Active Directory Restored from Virtual Machine Clone not authenticating
We are running Active Directory and DNS Server on the same Windows Server 2008 R2 virtual machine on a vSphere 5 platform. Since it is a college environment, every month we have to delete or create 1000 users. Recently the iSCSI-based storage which is used to store the virtual machines (including the Active Directory VM) was corrupted. We then restored the Active Directory server from the clone image (of Active Directory) which was taken in Dec 2012. But now all the client machines are unable to authenticate through Active Directory. If we rejoin the client machines to Active Directory, then authentication is successful. But in this way we have to rejoin the 5000 client machines, which will take more than 10 days to complete.
1) Are there any alternative solutions to make client machines authenticate through Active Directory without rejoining them to the domain?
2) Why is there a change in the client machines' behaviour even after restoring the clone of the existing Active Directory VM?
One DC with all FSMO roles? Latest backup is over 1 year old? I am honestly lost for words. If you would like to find out the answer to his second question, read on…
Any AD book clearly states that computer accounts are very similar to user accounts. They all have passwords, and since Windows 2000 the workstation changes its own machine-account password automatically, every 30 days by default. There is a GPO setting where you can change this behaviour. Going back to the crazy scenario described above: when they restored a backup of AD that is over 1 year old, the computer-account passwords stored in AD no longer matched the passwords held by the workstations themselves, so the workstations couldn't authenticate.
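The mechanism above, as an added example that is not part of the original post: on the workstation side it reads the Netlogon rotation policy (the setting the GPO changes) and tests the secure channel, and on the DC side it lists computer objects whose stored password is older than one rotation period, i.e. the machines whose own password has most likely rotated since the Dec 2012 clone. The ActiveDirectory module (RSAT), the domain name CONTOSO and the output file name are assumptions.

```powershell
# Added example, not from the original post or the LinkedIn thread.
# Assumes the ActiveDirectory module (RSAT) on the DC side; the workstation
# functions use only built-in cmdlets (Windows 7 / 2008 R2 and later).

# --- Workstation side ---------------------------------------------------------

# The Netlogon policy the post mentions: how often the workstation rotates its
# machine-account password. A missing value means the default of 30 days.
function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
    }
}

# $false here is the symptom in the post: the password this machine holds no
# longer matches the one in the (restored) directory.
function Test-MachineTrust {
    Test-ComputerSecureChannel
}

# In-place alternative to a full domain rejoin: negotiate a fresh machine
# password with the DC using an account allowed to reset computer accounts.
function Repair-MachineTrust {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Test-ComputerSecureChannel -Repair -Credential $Credential
}

# --- Domain controller side ---------------------------------------------------

# After restoring the Dec 2012 clone every computer object still carries the
# password it had then. Any workstation that stayed online has rotated its own
# copy at least once per MaximumPasswordAge since, so the stored value is stale.
function Get-StaleComputerAccounts {
    param([int]$MaxAgeDays = 30)
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter * -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, DNSHostName, PasswordLastSet |
        Sort-Object PasswordLastSet
}

# Example usage (CONTOSO and the file name are placeholders):
# Get-StaleComputerAccounts | Export-Csv stale-computers.csv -NoTypeInformation
# Test-MachineTrust                                   # run on a workstation
# Repair-MachineTrust -Credential (Get-Credential CONTOSO\admin)
```

Listing the stale accounts first gives the administrator the actual number of machines affected instead of assuming all 5000 need a rejoin.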
The only reasonable solution would be to fire the person responsible for this infrastructure and re-add all the workstations to the domain again (don’t forget to reset each computer account in AD prior to re-adding the workstation).