Short Stories

// Tales from software development

What credentials should you use when joining a domain ?


As part of our build and test environment we have a machine that runs Microsoft Virtual Server 2005 R2 and hosts a number of virtual machines (VMs). These VMs are configured with Undo disks on which all changes to the file system take place. When we’ve finished our tests we shut the VMs down and discard the Undo disks. As a result, the domain they belong to treats the VMs as though they are inactive, and after a month or so they drop off the domain. This issue is discussed in Virtual PC Guy’s blog:

http://blogs.msdn.com/virtual_pc_guy/archive/2006/03/28/561508.aspx

One of the build guys, Ed, configured and maintained our VMs but recently left the team. When I started up one of the VMs to test some new installers yesterday I followed Ed’s notes on how to rejoin the VM to the domain. There are two ways of doing this. The obvious approach is to go to Control Panel | System and select the Computer Name tab. Click the Change button to display the Computer Name Changes dialog, select the Member of Workgroup option, and then click the OK button. You will be prompted to restart the machine for the change to take effect. After doing this, repeat the process but this time select the Member of Domain option to rejoin the domain. This time, when you click the OK button you are prompted to enter security credentials. This is where the problem lies and I’ll come back to this shortly. If the credentials are accepted then you’ll see the message “Welcome to the domain-name domain”. The machine has to be restarted again for the change to take effect.

Ed had documented a very useful but less obvious way to rejoin the domain. This involves replacing the fully qualified domain name that is displayed when you first open the Computer Name Changes dialog with the NetBIOS name. For example, when I opened the dialog the domain name was displayed as europe.corp.xxxxxxxx.com (where xxxxxxxx is the name of the company I’m working for). The NetBIOS name for this domain is EUROPE, and entering this accomplishes the task of rejoining the domain with a single restart.

When you first join a domain you are prompted to supply the credentials of an account that is authorised to do this. This is a domain account with administrator permissions for the machine.

When you attempt to rejoin the domain you are also prompted to supply credentials but, and this isn’t indicated in the prompt, you are actually being asked to supply the credentials of the owner of the machine object in Active Directory, i.e. the credentials that were first used to join the machine to the domain.

The problem that I encountered was that when I entered my own credentials I got an “Access is denied” message even though I was an administrator on the machine. I tried entering the credentials that we use for all our builds as this has administrator permissions for all the machines in our team. This also failed.

After 15 minutes of trying various workarounds I admitted defeat and asked one of our infrastructure and environments experts. He immediately diagnosed it as an issue with the ownership of the machine object in the domain Active Directory. The problem was that when Ed set up the VMs he used his own security credentials and this established him as the owner of the corresponding machine object in Active Directory. Although I could remove the machine from the domain, any attempt to rejoin the domain would fail because Active Directory would match up the new request with the existing machine object that was owned by Ed’s userid.

If you have administrator permissions in Active Directory it’s possible to change the ownership of the machine object for the machine you’re trying to rejoin to the domain or to delete it. In my case I had to contact the company’s infrastructure support group and request that the objects for all our VMs be deleted.
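The check and the fix described above, as an added example that is not from the original post: it reads the owner of a computer object from Active Directory so you know up front whose credentials the rejoin prompt is really asking for, and reassigns ownership to a shared account. It assumes the ActiveDirectory PowerShell module (RSAT, which post-dates this post), and the computer name and account names are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT). 'BUILDVM01' and 'EUROPE\BuildSvc' are placeholder names.
Import-Module ActiveDirectory

function Get-ComputerObjectOwner {
    param([Parameter(Mandatory)][string]$ComputerName)
    # nTSecurityDescriptor holds the object's security descriptor; its Owner
    # is the principal whose credentials the rejoin prompt expects.
    $c = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor
    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Owner             = $c.nTSecurityDescriptor.Owner
    }
}

function Set-ComputerObjectOwner {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$NewOwner     # e.g. 'EUROPE\BuildSvc'
    )
    # Setting the owner to a different principal needs Domain Admin-level
    # rights in AD, which matches the "administrator permissions" caveat.
    $c   = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    $acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
    Set-Acl -Path "AD:\$($c.DistinguishedName)" -AclObject $acl
}

# Before touching the VM: whose credentials will the rejoin actually need?
$info = Get-ComputerObjectOwner -ComputerName 'BUILDVM01'
$info | Format-List

# Hand the object to the shared build account so that a team member leaving
# does not take the rejoin rights with them.
if ($info.Owner -ne 'EUROPE\BuildSvc') {
    Set-ComputerObjectOwner -ComputerName 'BUILDVM01' -NewOwner 'EUROPE\BuildSvc'
}
```

On the VM itself, `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` (PowerShell 2.0 and later, so newer than the tooling this post describes) can restore the broken trust without leaving and rejoining the domain at all.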

There was one more hurdle to overcome. Presumably because of caching of Active Directory information, I still couldn’t rejoin the original domain but I could join a different domain within the organisation. After joining the REDMOND domain and restarting the machine, I was then finally able to rejoin the EUROPE domain.

When rejoining the VMs to the domain I used our build account credentials rather than my userid and password so that we wouldn’t have the same issue again when a member of the team left.


Written by Sea Monkey

April 24, 2008 at 9:44 pm

Posted in Environments


One Response


  1. […] need to re-add the machine to the domain as described in What credentials should you use when joining a domain ? Posted by Sea Monkey on Saturday, May 10, 2008, at 1:23 pm. Filed under Environments. Follow any […]
