Cyber IT
Hyper-V server hosting VMs
The VMs on these hosts lose connection to the domain. The only way to get them back is to take them off the domain, put them back on and then I'm able to log onto it with my domain account.
Question here is: why/how does it lose the connection to the domain? These VMs were on the domain one day, the next day they lost connection. They were good for about 30 days.
Please help!
Is the Domain a VM too?
ASKER
There are three domain controllers. I believe ONE of them is a VM.
ASKER
Actually, (2) of them are VMs.
dc1 - physical
dc2 - virtual (in a different building)
dc3 - virtual on an ESX Cluster
Are you losing network connectivity, or just authentication to the domain? Can you still ping the DCs when this happens?
ASKER
I can still PING and RDP to the VMs. I just can't log onto the VMs under my domain account. I can log on as the local admin, thank goodness.
When logged in as the local admin, can you ping the DCs from the VM? What happens when you attempt to log in as a domain account?
ASKER
You can't log on with a domain account. It doesn't see the domain.
During these incidents, can you ping the DCs from the VM when logged in as a local admin?
If it helps you, I chased a similar issue last year. It was the time set on one of the DCs. The DC in error was not syncing its time with the rest of the domain.
ASKER
I believe the following is the issue:
The reason for this is that there is a computer account password mismatch. The VM thinks that its machine account password is something X, while the domain controller believes it to be something Y. Because of this, the VM cannot authenticate itself to the domain controller(s).
Just like user account passwords, the computer account password is a "secret" that is set up by the computer account, and that is used when a domain member computer authenticates itself to the domain controller and establishes a secure channel.
When the computer is started, a service called NetLogon uses the machine account password and tries to establish a secure session with the domain controller. The usual CTRL+ALT+DEL Winlogon process also relies on this authenticated secure channel to send user credentials to the domain controller for verification and log them into the computer. Other services running on this machine that work with the LocalSystem or NetworkService credentials also require this authenticated secure channel to get access to domain resources.
ASKER
I also found out that there were snapshots being reverted back.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
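An added example, not part of the original thread: one way to confirm the machine account password mismatch described above from the affected VM and to repair the secure channel without unjoining the domain. It assumes an elevated Windows PowerShell 5.1 session logged on as the local admin; the function name `Get-SecureChannelStatus` and the output layout are this example's own.

```powershell
# Added example (not from the thread). Run elevated on the affected VM.
# Get-SecureChannelStatus is a hypothetical helper name chosen for this example.
function Get-SecureChannelStatus {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw 'This machine is not joined to a domain.'
    }

    # Netlogon settings that govern the automatic machine password change.
    # A value missing from the registry means the default applies
    # (password changed every 30 days, change not disabled).
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $maxAge = if ($null -ne $params.MaximumPasswordAge) { $params.MaximumPasswordAge } else { 30 }

    # $true only when the locally stored machine password still matches
    # what the domain holds for this computer account.
    $healthy = $false
    try {
        $healthy = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        Domain                = $cs.Domain
        SecureChannelHealthy  = $healthy
        MaximumPasswordAgeDay = $maxAge
        DisablePasswordChange = [bool]$params.DisablePasswordChange
    }
}

$status = Get-SecureChannelStatus
$status | Format-List

if (-not $status.SecureChannelHealthy) {
    # Sets a new machine password on both the VM and the computer account.
    # Needs a domain account allowed to reset this computer account's password.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired; domain logons should work again.'
    } else {
        Write-Warning 'Repair failed. Check DC reachability and time sync, then retry.'
    }
}
```

A VM reverted to a snapshot taken before its last automatic password change comes back with the old password while the domain keeps the new one, so the check fails again after every such revert.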