home lab

Prevent Domain Trust Relationship Failed with Snapshots in a Lab

Have you ever wondered how to Prevent Domain Trust Relationship Failed with Snapshots in a Lab environment? We look at a registry setting that can help

If you have ever worked in a lab environment for any time period, VMware snapshots are a great feature to leverage for quick rollback and testing. As most of you already know, snapshots allow you to have a “picture” of a virtual machine (including even memory) at a particular point in time. If you keep snapshots on a server/workstation for any number of days and need to rollback, you may run into domain trust relationship issues after reverting the snapshot. In this post, we will see how you can effectively prevent domain trust relationship failed with snapshots in a lab.

What Causes Trust Relationship Failed Issues?

By design, a server/workstation that is joined to a Windows 2000 domain and higher, domain joined nodes will reset their computer password with the domain every 30 days.

This is behavior that happens in the background. You do not have to proactively perform this operation as it is carried out by the machine itself with the domain controller.

Now, think about the situation of running a snapshot on a server/workstation in a lab environment. If you create a snapshot for rollback purposes on a server and run on that snapshot for a period of 30 days or more, in the meantime, the server will change its password with the domain. Then, if you choose to rollback to the snapshot, you are essentially going back in time to the server thinking its password with the domain is the old password, unaware of the new password that has been issued with the domain.

After reverting the snapshot back in time and trying to login to your workstation/server, you will see the infamous: The trust relationship between this workstation and the primary domain failed.

Domain-trust-relationship-error-after-reverting-to-a-snapshot
Domain trust relationship error after reverting to a snapshot

It is easy to see the circumstances that lead up to the trust relationship being broken in a lab environment where you may be leveraging snapshots for various testing. Is there a way to prevent this behavior in a lab/testing environment?

Prevent Domain Trust Relationship Failed with Snapshots

In case you are not aware, up until looking into this, like me, you may not know there is actually a Group Policy setting that can be used to prevent the resetting of computer passwords in the domain.

The policy setting:

  • Domain controller: Refuse machine account password changes

You can also use a registry setting on your domain controllers for this purpose. The registry key that can be set on your domain controllers:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameter
  • DWORD – RefusePasswordChange
  • Create and set the value to 1

When the setting is configured on a domain controller, it will still receive the password change requests from the domain-joined server/workstation, however, as the name implies, it will refuse to reset the password. This will leave the domain join intact basically forever with the same password.

Disclaimer

Do not use this in production environments. This can present a huge security risk for an attacker to compromise your environment. This should only be considered with lab/dev/test environments.

Read fully the Microsoft explanation and implications of this setting here:

Rolling Out Refuse Password Change

You can easily roll out the RefusePasswordChange DWORD value with a simple registry file like below and sneakernet this to your DCs.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters]
"RefusePasswordChange"=dword:00000001

Use Ansible to Roll Out Refuse Password Change

For those that may want to automate this across a lab environment with many DCs, you can easily use something like Ansible to do the trick. You can create the registry key above with the following YAML code in an Ansible playboook:

---

- win_regedit:
    path: HKLM:SYSTEMCurrentControlSetServicesNetlogonParameters
    name: RefusePasswordChange
    data: 1
    type: dword

Final Thoughts

If you are like me and want to Prevent Domain Trust Relationship Failed with Snapshots in a Lab, you can easily do this with the referenced registry key or group policy setting for your domain controllers.

Lab environments present special challenges to infrastructure since often, they are rinse and repeat environments that require leveraging snapshots and other non-production mechanisms.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.