Thursday, June 2, 2016

LPT: Reset-ComputerMachinePassword

Have you ever restored a domain-joined machine only to discover that it is no longer connected to your domain?

Windows machines have an account in Active Directory with the name MACHINENAME$ (where MACHINENAME is obviously the name of your computer), and a randomly-generated password. This password is created when the machine is joined to the domain, and then rotated automatically every 30 days.

This last part - automatic rotation - means that if you are restoring a machine from a backup (or a VM snapshot), and the backup (snapshot) is older than 30 days, the machine will no longer be able to connect to the domain: the running machine will have rotated the password since the backup was taken, while the restored backup still holds the old one.

In the past I would always disjoin and then rejoin the machine to the domain. This requires two reboots, obviously, so it is quite a time-consuming action. Just recently though I was moving a virtual machine from one hypervisor to another, and since the box was really, really big, it took a long time. The migration failed, but I booted the semi-broken machine anyway. This was a mistake - the box was broken, AND it must have been near the machine password expiration, so despite being broken, it went ahead and changed the password.

Now the original VM, while still functioning, was no longer on the domain. It was an Exchange server.

Since a lot of Exchange configuration data lives in Active Directory, I did not want to find out what would happen when I took it out of the domain and rejoined it. Instead, I decided to look around for a way to reconnect the machine to the domain.

Guess what, there is actually a really easy way. PowerShell 3.0 (included with Windows Server 2012 or above, available as a Windows Update on 2008 R2) contains this handy command: Reset-ComputerMachinePassword, which does exactly what you think it should from its name - it resets the machine password in Active Directory, and reconnects the box to AD.

From an elevated PowerShell 3.0 or above:

Reset-ComputerMachinePassword -Credential "DOMAIN\Administrator"

You get prompted for the admin user password (it doesn't need to be a domain admin, just an account that has ownership of this machine's computer account), and voila! Just in case, I rebooted my server, and it was back online.

Note that the command is present in PowerShell 2.0 but - alas! - it does not contain the -Credential flag, which makes it useless in this particular scenario. So you really do have to upgrade PowerShell on 2008.
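As an added example (not from the original post), here is the reset wrapped in a short diagnostic script: it checks the secure channel with Test-ComputerSecureChannel before and after, and optionally reads the computer object's PasswordLastSet from AD so you can confirm that the 30-day rotation is the cause. It assumes PowerShell 3.0 or above in an elevated session, a writable DC reachable by name (the DC01 default is a placeholder), and, for the optional check only, the RSAT ActiveDirectory module.

```powershell
# Constructed example, not part of the original post. Run from an elevated
# PowerShell 3.0+ session on the machine whose secure channel is broken.
param(
    # Hypothetical DC name; replace with a writable DC in your domain.
    [string]$Server = "DC01.$env:USERDNSDOMAIN",
    # Default machine account password rotation interval described in the post.
    [int]$MaxPasswordAgeDays = 30
)

# Any account that owns this computer's AD object will do; Domain Admin not required.
$cred = Get-Credential -Message "Account that owns $env:COMPUTERNAME`$ in AD"

# 1. Is the secure channel to the domain healthy right now?
$healthy = Test-ComputerSecureChannel -Server $Server
Write-Host "Secure channel OK: $healthy"

# 2. Optional: compare the computer object's PasswordLastSet with the rotation interval.
#    A restored image older than this almost certainly holds a stale machine password.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $comp = Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server `
                -Credential $cred -Properties PasswordLastSet
    $age = (Get-Date) - $comp.PasswordLastSet
    Write-Host ('AD reports {0}$ password last set {1:N0} days ago' -f `
                $env:COMPUTERNAME, $age.TotalDays)
    if ($age.TotalDays -gt $MaxPasswordAgeDays) {
        Write-Warning "Machine password is older than $MaxPasswordAgeDays days; the restored image likely has a stale secret."
    }
}

# 3. Repair: set a new machine password both in AD and locally, then re-test.
if (-not $healthy) {
    Reset-ComputerMachinePassword -Server $Server -Credential $cred
    $healthy = Test-ComputerSecureChannel -Server $Server
    Write-Host "Secure channel after reset: $healthy"
}
```

If the channel still reports False after the reset, a reboot (as in the post) forces the Netlogon service to re-establish it with the new secret.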
