Issues with domain membership after a system restore


You may experience the following behaviors:
  • If you use System Restore after the password change interval expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
  • If you use System Restore after the password change interval expired two times, and you restore the computer to a point before the password changes, the domain users accounts on the computer are disabled, and users receive an error message when they try to log on.


When you join a computer to a domain, a
computername$ account is created, and a password is shared between the computer and the domain. By default, this password is changed every 30 days (MaximumPasswordAge).

The behavior that is described in the "Symptoms" section occurs because System Restore only rolls back the local computer state. Part of the information about joining domains resides in the Active Directory directory service, and System Restore does not roll back Active Directory.

For the first symptom, the delayed password change occurs because System Restore rewrites the LSA secret with the password with the same values. This rewrite updates the time stamp on the secret that the Netlogon service uses to decide about the password change time stamp. For the second symptom, there is no locally stored password that matches the machine account password in Active Directory.


To resolve the first symptom, wait for the computer to change the password, or force the comoputer to change the password immediately. To force a password change, run the nltest /sc_change_pwd:domain command. The nltest command is part of the Windows Support Tools.

To resolve the second symptom, use one of the following methods:
  • Remove the computer from the domain, and then readd it to the domain.
  • Undo the restoration.


This behavior is by design.

More Information

The passwords for a particular computer account are valid for its particular join. For each computer that is a member of a domain, there is a discrete communication channel with a domain controller. This discrete communication channel is also known as the secure channel. The password for the secure channel is stored with the computer account on all domain controllers. For Microsoft Windows 2000 or Microsoft Windows XP, the default computer account password change period is every 30 days. If the computer account's password and the Local Security Authority (LSA) secret are not synchronized, the Net Logon service logs error messages.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

216393 Resetting computer accounts in Windows 2000

251335 Domain users cannot join workstation or server to a domain

260575 How to use Netdom.exe to reset machine account passwords

175468 Effects of machine account replication on a domain


ID článku: 295049 – Posledná kontrola: 21. 10. 2008 – Revízia: 1