BillyDay

Reputation: 47

Keep virtual machines with snapshots on domain using C#

I am trying to keep virtual machines with snapshots on the domain. At present the machines tend to drop off the domain after about 30 days if I regularly turn them off or revert to a previous snapshot.

I was thinking of having a little application\service run on startup to check if the machine was on the domain and, if not, add it back.

I would like to do it via C# if possible, to make the domain administrator password a bit more secure. Can I do this?

The only possible method I have found is doing it via PowerShell, but I have to pass in a domain username\password manually:

    Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

This happens with machines built in Hyper-V and VMware.

Thanks for your help

Upvotes: 2

Views: 239

Answers (1)

stackprotector

Reputation: 13578

Computer accounts have passwords like user accounts, even if you never interact with them. In an AD domain, computer passwords are used to establish the secure channel to the domain. By default, the computer account passwords do not expire. But a computer renews its password every 30 days by default (more details).

In your case, you took a snapshot of a VM. After that, this machine changed its password at some point (< 30 days). After reverting back to the snapshot, your machine used its old password again, which does not match the password inside your AD.

In conclusion, your machine is no longer connected to the domain and does not have any trust with which to recreate the secure channel. So you cannot use anything on your machine to rebuild it (like the computer account or any other account from the domain). You have to regain the trust by a new authentication.

I do not recommend hard-coding any credentials anywhere, especially not the credentials of a domain admin. You can even recover the password from a C# (or any) binary. It is only a matter of effort (not necessarily time!).

The only solution I can think of is to increase the period for computer account password renewal. If you can determine a reasonable timespan, within which you can be sure that a snapshot will never be older, you can modify the renewal interval via GPO (more details):

  1. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
  2. There you can activate the setting Domain member: Maximum machine account password age and set it to a value between 1 and 999 days.

It has to be applied to a location that contains the computer accounts of your VMs. It does not necessarily have to be applied to your DCs, as the computers change their passwords themselves. The change is not initiated by your domain (controllers).

Security consideration: The larger the interval, the more time for a brute force attack. Choose wisely.

Upvotes: 5
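The following script is an added example and is not part of the question or the answer above. It checks, on the domain-joined VM itself, the state the answer describes: whether the secure channel is currently healthy, what renewal interval the machine is configured with (the GPO setting "Domain member: Maximum machine account password age" is stored in the Netlogon registry key as MaximumPasswordAge), and when the domain last recorded a password change for this computer account, so you can tell before reverting whether a snapshot predates the last rotation. It assumes an elevated PowerShell session on the VM, uses ADSI rather than the RSAT ActiveDirectory module, and the snapshot date near the end is a constructed sample value, not read from Hyper-V or VMware.

```powershell
# Added example (not from the question or answer above). Run elevated on the
# domain-joined VM. Read-only except for the commented Set-ItemProperty line.

# 1. Is the secure channel healthy right now? (no -Repair, no credentials)
$secureChannelOk = Test-ComputerSecureChannel
"Secure channel to $env:USERDNSDOMAIN healthy: $secureChannelOk"

# 2. Local Netlogon parameters that drive the automatic password change.
#    MaximumPasswordAge (days, default 30) is the registry value behind the
#    GPO "Domain member: Maximum machine account password age".
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon
$maxAge   = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }
"Machine account password rotates every $maxAge day(s)"
# To widen the interval on a single test VM instead of via GPO (same effect locally):
# Set-ItemProperty -Path $netlogon -Name MaximumPasswordAge -Type DWord -Value 90

# 3. When did the domain last record a password change for this computer?
#    pwdLastSet is a FILETIME; ADSI needs no extra modules installed.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = [ADSISearcher]$filter
$null     = $searcher.PropertiesToLoad.Add('pwdLastSet')
$entry    = $searcher.FindOne()
if ($null -eq $entry) { throw "Computer account for $env:COMPUTERNAME not found via ADSI" }
$pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$entry.Properties['pwdlastset'][0])
"Domain-side pwdLastSet: $pwdLastSet (UTC)"

# 4. Compare with the snapshot's creation time. Constructed sample value:
#    replace with the real snapshot timestamp from your hypervisor.
$snapshotTaken = [DateTime]::new(2024, 1, 15, 0, 0, 0, [DateTimeKind]::Utc)
if ($pwdLastSet -gt $snapshotTaken) {
    "WARNING: the machine password changed after this snapshot was taken;"
    "reverting to it will break the secure channel (the answer's scenario)."
} else {
    "The snapshot is newer than the last password change; reverting keeps the trust."
}
```

Step 3 is the check worth automating: if `pwdLastSet` is later than the snapshot you are about to revert to, the revert will reintroduce a stale machine password and the trust will have to be re-established with real credentials, exactly as the answer explains. Step 2 reads the same value the GPO writes, so after applying the policy you can confirm on a VM that the new interval actually arrived.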
