
ghost imaging and domain trust question

I have 6 laptops that I have ghost images of. Occasionally, every 4-6 weeks, I restore each image to each respective laptop, add any new software/patches/updates, and re-image the laptops and a now newer image. This keeps my laptops in top running condition since they are regularly checked out and people install software, make changes, etc. I call this my 'refresh' process.

Here is my problem. Occasionally when I restore an image and then reboot and try to log in to our network, I get a domain trust error. Easy enough to fix because all I have to do is log in locally, unjoin the domain, rejoin the domain (and authenticate) and then I'm good to go.
Is this preventable or is this happening because when I restore an image to my laptop that 'image' is several weeks old and somehow the domain sees it as a trust issue? Is there a way to fix this?


Answers (3)

Posted by: dlernstrom 17 years ago
Senior Yellow Belt
0
I don't believe there is a way around your issue. We use VMware at our site as part of our test lab. VMware has the capability of taking a snapshot of a machine and then allowing you to jump to that exact snapshot in a matter of seconds. When we snapshot a machine, if sufficient time goes by without turning on the VM, the domain will not allow it to connect. This seems to be the exact issue you are faced with.

Our workaround is very similar to yours.

Posted by: fosteky 17 years ago
Purple Belt
0
I think that as part of your "refresh" process, since you're not sysprepping, and you're using a computer joined to your domain to make your image that you should get the MS utility NETDOM (can't remember where this is - some Windows Server resource kit) and use it when upgrading the laptop image. Use NETDOM like so:
NETDOM RESET <computer_name> /domain:<your_domain>
This is a way of manually triggering a refresh of the (domain trust token?).

I believe this should work. Every (21?) days PCs quietly negotiate a new security token from the DC; you're capturing this in your image, and by the time you use your image the security token (in the image) has become stale-dated (because the live PC has negotiated a new one).

Hope that helps.

-Actually, it won't help unless you refresh your laptop fleet every 20 days or less. Never mind. Might help dlernstrom though (refresh your VPCs every 20 days or less - start them, NETDOM them, resnapshot)

Posted by: smason 17 years ago
Orange Belt
0
There are a couple of ways to prevent the secure channel password resets.
I had a problem with my packaging PC when I revert to my base snapshot with VMware Workstation.
I forget which method I used, but see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q175468

Edit:
Now I remember. In group policy on my VMware instances, I set "Domain member: Disable machine account password changes" to enabled.

Steve
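
The secure-channel check and repair discussed in this thread, as an added example that is not from any of the posters. It assumes Windows PowerShell 5.1 run elevated on the restored laptop and a domain account allowed to reset the computer account; the function name Get-MachinePasswordPolicy is made up for this example. It reports the Netlogon values behind the group policy setting named above and repairs the channel in place instead of unjoining and rejoining.

```powershell
#Requires -RunAsAdministrator
# Added example: run on a laptop right after its image has been restored.

# Registry key that backs the "Domain member" machine account password policies.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Values that are not set come back as $null, meaning the OS default applies.
    $p = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    [pscustomobject]@{
        DisablePasswordChange = $p.DisablePasswordChange   # 1 = machine never rotates its password
        MaximumPasswordAgeDays = $p.MaximumPasswordAge     # rotation interval in days
    }
}

$policy = Get-MachinePasswordPolicy
foreach ($prop in $policy.PSObject.Properties) {
    $shown = if ($null -eq $prop.Value) { '(not set, OS default applies)' } else { $prop.Value }
    Write-Output ("{0,-24} {1}" -f $prop.Name, $shown)
}

# Test-ComputerSecureChannel throws on a workgroup machine, so check membership first.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Warning 'This computer is not joined to a domain; nothing to verify.'
    return
}

if (Test-ComputerSecureChannel) {
    Write-Output 'Secure channel to the domain is intact.'
    return
}

# The restored image holds an older machine account password than the domain expects.
# -Repair resets the password on both sides without leaving the domain.
Write-Warning 'Secure channel is broken; attempting repair.'
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Output 'Secure channel repaired. Capture the new image after this point.'
} else {
    Write-Error 'Repair failed; check DC connectivity and the state of the computer account.'
}
```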