Issues with domain membership after a system restore

Article ID: 295049 - View products that this article applies to.
This article was previously published under Q295049
Expand all | Collapse all

SYMPTOMS

You may experience the following behaviors:
  • If you use System Restore after the password change interval expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
  • If you use System Restore after the password change interval expired two times, and you restore the computer to a point before the password changes, the domain users accounts on the computer are disabled, and users receive an error message when they try to log on.
Back to the top | Give Feedback

CAUSE

When you join a computer to a domain, a computername$ account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days (MaximumPasswordAge).

The behavior that is described in the "Symptoms" section occurs because System Restore only rolls back the local computer state. Part of the information about joining domains resides in the Active Directory directory service, and System Restore does not roll back Active Directory.

For the first symptom, the delayed password change occurs because System Restore rewrites the LSA secret with the password with the same values. This rewrite updates the time stamp on the secret that the Netlogon service uses to decide about the password change time stamp. For the second symptom, there is no locally stored password that matches the machine account password in Active Directory.
Back to the top | Give Feedback

RESOLUTION

To resolve the first symptom, wait for the computer to change the password, or force the comoputer to change the password immediately. To force a password change, run the nltest /sc_change_pwd:domain command. The nltest command is part of the Windows Support Tools.

To resolve the second symptom, use one of the following methods:
  • Remove the computer from the domain, and then readd it to the domain.
  • Undo the restoration.
Back to the top | Give Feedback

STATUS

This behavior is by design.
Back to the top | Give Feedback

MORE INFORMATION

The passwords for a particular computer account are valid for its particular join. For each computer that is a member of a domain, there is a discrete communication channel with a domain controller. This discrete communication channel is also known as the secure channel. The password for the secure channel is stored with the computer account on all domain controllers. For Microsoft Windows 2000 or Microsoft Windows XP, the default computer account password change period is every 30 days. If the computer account's password and the Local Security Authority (LSA) secret are not synchronized, the Net Logon service logs error messages.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
216393
(http://support.microsoft.com/kb/216393/ )
Resetting computer accounts in Windows 2000
251335
(http://support.microsoft.com/kb/251335/ )
Domain users cannot join workstation or server to a domain
260575
(http://support.microsoft.com/kb/260575/ )
How to use Netdom.exe to reset machine account passwords
175468
(http://support.microsoft.com/kb/175468/ )
Effects of machine account replication on a domain
Back to the top | Give Feedback

Properties

Article ID: 295049 - Last Review: March 30, 2005 - Revision: 4.1
APPLIES TO
  • Microsoft Windows XP Professional
Keywords: 
kbnetwork kbprb KB295049
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top