Guest JoshGfromPortland
Posted August 15, 2008

Every so often I get the following message when trying to login with my virtual machines: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance."

To fix the problem I have to leave and rejoin the domain. But I don't know what is causing this to break. I am running Microsoft Virtual PC 2007 and Windows XP Pro SP3 on the virtual machines. I'm fairly certain there are no other virtual machines or physical machines with the same computer names.

I have also deleted all my virtuals from Active Directory, quit the domain, then rejoined them to the domain. Again, this only solved the problem temporarily.

Guest kj [SBS MVP]
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work?

JoshGfromPortland wrote:
> Every so often I get the following message when trying to login with
> my virtual machines: "Windows cannot connect to the domain, either
> because the domain controller is down or otherwise unavailable, or
> because your computer account was not found. Please try again later.
> If this message continues to appear, contact your system
> administrator for assistance."
>
> To fix the problem I have to leave and rejoin the domain. But I
> don't know what is causing this to break. I am running Microsoft
> Virtual PC 2007 and Windows XP Pro SP3 on the virtual machines. I'm
> fairly certain there are no other virtual machines or physical
> machines with the same computer names.
>
> I have also deleted all my virtuals from Active Directory, quit the
> domain, then rejoined them to the domain. Again, this only solved
> the problem temporarily.

Are you rolling back VMs (undo's) to previous states or using cloned images without sysprep or newsid (or similar)?

--
/kj

Guest JoshGfromPortland
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

I do use the undo disks feature with virtual machines. After fixing the login problem, however, I do save the state and commit the changes to the virtual hard disk.

I do not use Sysprep or anything similar to create these virtual machines. I do reuse virtual hard drives, which might be the problem. When setting up new virtuals, I log on locally and change the computer name first thing, but apparently that is not good enough. Is there any way I can reuse virtual hard drives (VHD files) and still avoid this issue?

I hope that answers your question.

"kj [sBS MVP]" wrote:
> JoshGfromPortland wrote:
> > Every so often I get the following message when trying to login with
> > my virtual machines: "Windows cannot connect to the domain, either
> > because the domain controller is down or otherwise unavailable, or
> > because your computer account was not found. Please try again later.
> > If this message continues to appear, contact your system
> > administrator for assistance."
> >
> > To fix the problem I have to leave and rejoin the domain. But I
> > don't know what is causing this to break. I am running Microsoft
> > Virtual PC 2007 and Windows XP Pro SP3 on the virtual machines. I'm
> > fairly certain there are no other virtual machines or physical
> > machines with the same computer names.
> >
> > I have also deleted all my virtuals from Active Directory, quit the
> > domain, then rejoined them to the domain. Again, this only solved
> > the problem temporarily.
>
> Are you rolling back VMs (undo's) to previous states or using cloned images
> without sysprep or newsid (or similar)?
>
> --
> /kj

Guest kj [SBS MVP]
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

JoshGfromPortland wrote:
> I do use the undo disks feature with virtual machines. After fixing
> the login problem, however, I do save the state and commit the
> changes to the virtual hard disk.

Likely this is the cause. The workstations periodically change the computer account password every 30 days (+/- an offset). The domain controllers don't revert but when you roll back with the undo's you end up with a mismatch.

You can do one of two things. Disable computer account password changes on the Domain Controllers, or on the individual VM's. Both are policies. If your network is otherwise tightly controlled this should work.

http://support.microsoft.com/kb/154501

>
> I do not use Sysprep or anything similar to create these virtual
> machines.
> I do reuse virtual hard drives, which might be the problem. When
> setting up new virtuals, I log on locally and change the computer
> name first thing, but apparently that is not good enough. Is there
> any way I can reuse virtual hard drives (VHD files) and still avoid
> this issue?

It would be a good idea to create your virtual machines from an initial sysprep'ed image, or run a sid changer before you introduce a new one into the domain (newsid works nicely).

>
> I hope that answers your question.
>
> "kj [sBS MVP]" wrote:
>
>> JoshGfromPortland wrote:
>>> Every so often I get the following message when trying to login with
>>> my virtual machines: "Windows cannot connect to the domain, either
>>> because the domain controller is down or otherwise unavailable, or
>>> because your computer account was not found. Please try again
>>> later. If this message continues to appear, contact your system
>>> administrator for assistance."
>>>
>>> To fix the problem I have to leave and rejoin the domain. But I
>>> don't know what is causing this to break. I am running Microsoft
>>> Virtual PC 2007 and Windows XP Pro SP3 on the virtual machines. I'm
>>> fairly certain there are no other virtual machines or physical
>>> machines with the same computer names.
>>>
>>> I have also deleted all my virtuals from Active Directory, quit the
>>> domain, then rejoined them to the domain. Again, this only solved
>>> the problem temporarily.
>>
>> Are you rolling back VMs (undo's) to previous states or using cloned
>> images without sysprep or newsid (or similar)?
>>
>> --
>> /kj

--
/kj
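
The mismatch described in the post above, as an added example that is not part of the original thread: a simplified Python model in which a workstation and a domain controller share a machine account password, and discarding an undo disk reverts only the workstation's copy. The class names, the computer name LABVM01, the fixed 30-day interval and the one-password-per-side model are assumptions made for illustration; real Netlogon behaviour has more detail than this.

```python
import secrets
from dataclasses import dataclass, field

MAX_AGE_DAYS = 30  # rotation interval given in the thread (offset not modelled)

@dataclass
class DomainController:
    accounts: dict = field(default_factory=dict)  # computer name -> password

    def join(self, name):
        self.accounts[name] = secrets.token_hex(16)
        return self.accounts[name]

    def secure_channel_ok(self, name, password):
        return secrets.compare_digest(self.accounts.get(name, ""), password)

@dataclass
class Workstation:
    name: str
    dc: DomainController
    disable_password_change: bool = False  # option 2 in the thread
    password: str = ""
    age_days: int = 0

    def join(self):
        self.password = self.dc.join(self.name)
        self.age_days = 0

    def run_days(self, days):
        # Advance time; when the password is due, change it on both sides.
        for _ in range(days):
            self.age_days += 1
            if self.age_days >= MAX_AGE_DAYS and not self.disable_password_change:
                self.password = secrets.token_hex(16)
                self.dc.accounts[self.name] = self.password
                self.age_days = 0

    def rollback(self, snap):
        # Discarding the undo disk reverts local state only; the DC keeps its copy.
        self.password, self.age_days = snap

    def can_log_on(self):
        return self.dc.secure_channel_ok(self.name, self.password)

def scenario(disable_password_change, days_before_rollback):
    """Join, snapshot, run for some days, roll back, then test the channel."""
    dc = DomainController()
    vm = Workstation("LABVM01", dc, disable_password_change)  # constructed name
    vm.join()
    snap = (vm.password, vm.age_days)
    vm.run_days(days_before_rollback)
    vm.rollback(snap)
    return vm.can_log_on()
```

Calling `scenario(False, 45)` reproduces the failure (a password change happened before the rollback), while `scenario(False, 10)` and `scenario(True, 45)` keep the two copies in step.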

Guest JoshGfromPortland
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

Ok let me get this straight. It looks like I have four options:

1. Disable computer account password changes on domain controllers.
2. Disable computer account password changes on virtual machines (before I reuse their hard drives of course).
3. Use Sysprep to help make virtual machines (changing the SID ahead of time).
4. Use NewsID to help make virtual machines (changing the SID ahead of time).

Also, it sounds like the computer account password you are referring to is something entirely different from the credentials I use to login. Is the computer account password something internal and separate from my user accounts?

Be well,

Josh

Guest Phillip Windell
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

"kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message news:e3EM%234w$IHA.1016@TK2MSFTNGP03.phx.gbl...
> It would be a good idea to create your virtual machines from an initial
> sysprep'ed image, or run a sid changer before you introduce a new one into
> the domain (newsid works nicely).

Would NewSID work on an "activated" VM Image of Vista without causing Vista to have to be reactivated or otherwise broken?

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Guest kj [SBS MVP]
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

JoshGfromPortland wrote:
> Ok let me get this straight. It looks like I have four options:
>
> 1. Disable computer account password changes on domain controllers.
> 2. Disable computer account password changes on virtual machines
> (before I reuse their hard drives of course).
> 3. Use Sysprep to help make virtual machines (changing the
> SID ahead of time).
> 4. Use NewsID to help make virtual machines (changing the SID ahead
> of time).

Pick either #1 or #2 *and* #3 or #4.

The computer account is credentials between the workstation and the Domain (DC's) and is used (amongst other things) to setup the secure channel for (amongst other things) authenticating user logon requests. This is what is most likely the primary cause to your most apparent problems.

Having computers that have the same SID have issues all their own. You still *should* use computers with unique SIDs.

>
> Also, it sounds like the computer account password you are referring
> to is something entirely different from the credentials I use to
> login. Is the computer account password something internal and
> separate from my user accounts?
>
> Be well,
>
> Josh

--
/kj

Guest kj [SBS MVP]
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

Phillip Windell wrote:
> "kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:e3EM%234w$IHA.1016@TK2MSFTNGP03.phx.gbl...
>> It would be a good idea to create your virtual machines from an
>> initial sysprep'ed image, or run a sid changer before you introduce
>> a new one into the domain (newsid works nicely).
>
> Would NewSID work on an "activated" VM Image of Vista without causing
> Vista to have to be reactivated or otherwise broken?

I have not tried it on vista and don't know if it would trigger an activation event. Make a copy and try it, then share your results. You can always go back, right?

--
/kj

Guest Phillip Windell
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

"kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message news:%23Z$nYXx$IHA.3380@TK2MSFTNGP04.phx.gbl...
> Phillip Windell wrote:
>> "kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>> news:e3EM%234w$IHA.1016@TK2MSFTNGP03.phx.gbl...
>>> It would be a good idea to create your virtual machines from an
>>> initial sysprep'ed image, or run a sid changer before you introduce
>>> a new one into the domain (newsid works nicely).
>>
>> Would NewSID work on an "activated" VM Image of Vista without causing
>> Vista to have to be reactivated or otherwise broken?
>
> I have not tried it on vista and don't know if it would trigger an
> activation event. Make a copy and try it, then share your results. You can
> always go back, right?

I don't have Newsid, that's why I was asking. I used GhostWalker (packaged with Ghost) to alter the SID. Ghostwalker made a mess out of Vista. So I just never use Vista in my VirtualPC labs since I only have one Product Key and I think it can only be activated 10 times and then it is no good anymore. It is from an MSDN Subscription, and that Subscription has not been renewed so I doubt I can get new keys.

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Guest kj [SBS MVP]
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

Phillip Windell wrote:
> "kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:%23Z$nYXx$IHA.3380@TK2MSFTNGP04.phx.gbl...
>> Phillip Windell wrote:
>>> "kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>> news:e3EM%234w$IHA.1016@TK2MSFTNGP03.phx.gbl...
>>>> It would be a good idea to create your virtual machines from an
>>>> initial sysprep'ed image, or run a sid changer before you introduce
>>>> a new one into the domain (newsid works nicely).
>>>
>>> Would NewSID work on an "activated" VM Image of Vista without
>>> causing Vista to have to be reactivated or otherwise broken?
>>
>> I have not tried it on vista and don't know if it would trigger an
>> activation event. Make a copy and try it, then share your results.
>> You can always go back, right?
>
> I don't have Newsid, that's why I was asking. I used GhostWalker
> (packaged with Ghost) to alter the SID. Ghostwalker made a mess out
> of Vista. So I just never use Vista in my VirtualPC labs since I
> only have one Product Key and I think it can only be activated 10
> times and then it is no good anymore. It is from an MSDN
> Subscription, and that Subscription has not been renewed so I doubt I
> can get new keys.

I only know of two issues with newsid and Vista. One, needs runas administrator and two copied from another forum post;

----
newsid.exe runs just fine both under vista sp1 x64 and 2008 server x64 (I tested on both).
But before running it, try to delete registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node
( REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node /f )
According to posts from some other tech. forums, this nested duplicated key seems to be a Windows bug (and in most cases it contains nothing valuable), and I observed that newsid, as well as some other tools enumerating registry keys, run into infinite loop because of this stupid key.
---

....but it's not first hand info, so ymmv.

--
/kj

Guest Phillip Windell
Posted August 15, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

"kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message news:OD8GLsx$IHA.4780@TK2MSFTNGP05.phx.gbl...
> I only know of two issues with newsid and Vista. One, needs runas
> administrator and two copied from another forum post;
> ----
> newsid.exe runs just fine both under vista sp1 x64 and 2008 server x64 (I
> tested on both).
> But before running it, try to delete registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node
> ( REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node /f )
> According to posts from some other tech. forums, this nested duplicated
> key seems to be a Windows bug (and in most cases it contains nothing
> valuable), and I observed that newsid, as well as some other tools
> enumerating registry keys, run into infinite loop because of this stupid
> key.

Ok, I can give it a try. I can try it in the next couple days or so and post back anything useful I discover in a new thread.

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Guest Phillip Windell
Posted August 18, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

"kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message news:OD8GLsx$IHA.4780@TK2MSFTNGP05.phx.gbl...
> I only know of two issues with newsid and Vista. One, needs runas
> administrator and two copied from another forum post;
> ----
> newsid.exe runs just fine both under vista sp1 x64 and 2008 server x64 (I
> tested on both).
> But before running it, try to delete registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node
> ( REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node /f )
> According to posts from some other tech. forums, this nested duplicated
> key seems to be a Windows bug (and in most cases it contains nothing
> valuable), and I observed that newsid, as well as some other tools
> enumerating registry keys, run into infinite loop because of this stupid
> key.
> ---

I tried it out. It seemed to work just fine :-)

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Guest kj [SBS MVP]
Posted August 18, 2008

Re: Why do I have to leave & rejoin the domain to make logins work

Phillip Windell wrote:
> "kj [sBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:OD8GLsx$IHA.4780@TK2MSFTNGP05.phx.gbl...
>> I only know of two issues with newsid and Vista. One, needs runas
>> administrator and two copied from another forum post;
>> ----
>> newsid.exe runs just fine both under vista sp1 x64 and 2008 server
>> x64 (I tested on both).
>> But before running it, try to delete registry key
>> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node
>> ( REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node /f )
>> According to posts from some other tech. forums, this nested
>> duplicated key seems to be a Windows bug (and in most cases it
>> contains nothing valuable), and I observed that newsid, as well as
>> some other tools enumerating registry keys, run into infinite loop
>> because of this stupid key.
>> ---
>
> I tried it out. It seemed to work just fine :-)

Thanks for posting back your results Phillip.

--
/kj