Dealing with VMs, Snapshots and the dreaded broken security channel

I build a lot of scenarios for testing using Hyper-V. During that testing I use snapshots all the time to protect myself from stupid mistakes and failed changes. It is a terrific capability, but can sometimes get you in trouble.

In a perfect world, when you are working on a test scenario that includes a DC and multiple domain members, and you need to snapshot one of the machines, you would snapshot all of the VMs in the scenario at the exact same instant. That way every VM is saved in a state that is consistent with all the others.

The problem with that perfect world is that you might want to snapshot a single machine to perform a what-if test and then roll back if the idea is a bust. If you do not snapshot all the VMs at the same instant, you run the risk of one of the machines changing its secure channel password during the what-if period. When you revert that machine and attempt to log in, you get an error saying that the trust relationship with the domain controller is broken. Your only option is to remove the machine from the domain and re-add it.

There is a solution to this problem. You can stop the computer account from changing its secure channel password, or you can lengthen the password change window beyond the default 30 days. Doing so eliminates the problem of not being able to log in. Would you want to do this in a production environment? Not without fully understanding the change and the security risks that come with it.

To make the change, open up your favorite GPO editor and go to

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Enable the Domain Member: Disable machine account password changes option

or

Edit the Domain Member: Maximum machine account password age option and increase the value from the default of 30 days to a new larger value (up to a maximum of 999 days)

Either of these options should keep you from getting the dreaded message that the secure channel is broken.
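As an added example (not part of the original post), the PowerShell below reads and sets the two Netlogon registry values that these Security Options map to, and checks the secure channel before or after a revert. The function names are my own; the registry key and value names (DisablePasswordChange, MaximumPasswordAge) are the real ones the policy writes.

```powershell
# Added example, not from the original post. Run elevated on the lab member VM.
# The two "Domain Member" Security Options map to these Netlogon registry values.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Report the current effective values; absent values mean the defaults.
    $p = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    [pscustomobject]@{
        DisablePasswordChange = [int]$p.DisablePasswordChange    # 1 = client never changes it; 0/absent = default
        MaximumPasswordAge    = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }  # days
    }
}

function Set-MachinePasswordPolicy {
    # Either disable changes outright or lengthen the change window (1-999 days, as in the GPO).
    param(
        [switch]$DisableChanges,
        [ValidateRange(1, 999)][int]$MaxAgeDays
    )
    if ($DisableChanges) {
        Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Type DWord -Value 1
    }
    if ($PSBoundParameters.ContainsKey('MaxAgeDays')) {
        Set-ItemProperty -Path $NetlogonKey -Name MaximumPasswordAge -Type DWord -Value $MaxAgeDays
    }
    Get-MachinePasswordPolicy
}

function Test-LabSecureChannel {
    # Quick health check: $true when the machine can still authenticate to its DC.
    $ok = Test-ComputerSecureChannel
    if (-not $ok) { Write-Warning "Secure channel to the domain is broken on $env:COMPUTERNAME" }
    $ok
}

# Usage (uncomment the change you want):
Get-MachinePasswordPolicy
# Set-MachinePasswordPolicy -MaxAgeDays 365     # lengthen the window well past a typical test session
# Set-MachinePasswordPolicy -DisableChanges     # or stop the client from rotating the password at all
Test-LabSecureChannel
```

Two things to keep in mind. If a domain GPO manages these settings, the next policy refresh will overwrite a direct registry edit, so on domain-joined lab VMs make the change in the GPO (or local security policy) rather than here. And Test-ComputerSecureChannel also has a -Repair switch that resets the machine password against the DC, which is worth trying before a full remove and re-join if you do get caught by a reverted snapshot.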

Hope this helps you some day... Robert