Issues with domain membership after a system restore

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q295049
This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
You may experience the following behaviors:
  • If you use System Restore after the password change interval expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
  • If you use System Restore after the password change interval expired two times, and you restore the computer to a point before the password changes, the domain users accounts on the computer are disabled, and users receive an error message when they try to log on.
CAUSE
When you join a computer to a domain, a computername$ account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days (MaximumPasswordAge).

The behavior that is described in the "Symptoms" section occurs because System Restore only rolls back the local computer state. Part of the information about joining domains resides in the Active Directory directory service, and System Restore does not roll back Active Directory.

For the first symptom, the delayed password change occurs because System Restore rewrites the LSA secret with the password with the same values. This rewrite updates the time stamp on the secret that the Netlogon service uses to decide about the password change time stamp. For the second symptom, there is no locally stored password that matches the machine account password in Active Directory.
RESOLUTION
To resolve the first symptom, wait for the computer to change the password, or force the comoputer to change the password immediately. To force a password change, run the nltest /sc_change_pwd:domain command. The nltest command is part of the Windows Support Tools.

To resolve the second symptom, use one of the following methods:
  • Remove the computer from the domain, and then readd it to the domain.
  • Undo the restoration.
STATUS
This behavior is by design.
MORE INFORMATION
The passwords for a particular computer account are valid for its particular join. For each computer that is a member of a domain, there is a discrete communication channel with a domain controller. This discrete communication channel is also known as the secure channel. The password for the secure channel is stored with the computer account on all domain controllers. For Microsoft Windows 2000 or Microsoft Windows XP, the default computer account password change period is every 30 days. If the computer account's password and the Local Security Authority (LSA) secret are not synchronized, the Net Logon service logs error messages.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
216393 Resetting computer accounts in Windows 2000
251335 Domain users cannot join workstation or server to a domain
260575 How to use Netdom.exe to reset machine account passwords
175468 Effects of machine account replication on a domain
Properties

Article ID: 295049 - Last Review: 12/06/2015 01:52:43 - Revision: 4.1

Microsoft Windows XP Professional

  • kbnosurvey kbarchive kbnetwork kbprb KB295049
Feedback