Veeam Backup and Replication, is a fantastic product for managing VM backup, replication to other data centers, and recovery. You can find details on the Backup and Replication product as well as on the monitoring application called VeeamOne at the website, www.veeam.com.
This post describes an bit of a problem that I encountered with a virtual machine that I had restored from an earlier backup. After a recent upgrade of the VMware infrastructure from 4.1 to 5.1, I wanted to insure that the recovery part of “disaster recovery” was working OK. I use Veeam’s Reverse Incremental backup strategy which essentially means that every time a backup runs, the changed blocks from the previous backup are stored as an incremental and the new changed blocks are merged in to the existing Full backup making that backup the most recent, and most authoritative one. Reverse Incremental differs dramatically from the traditional Forward incremental where a periodic Full backup is taken and successive backups just include the changed blocks comprising the VMs files.
To test the recovery, I selected a virtual machine and started an Instant Recovery operation. Instant Recovery allows you to bring up a VM from any point in time backup and run it, login, check functionality and if decide to keep it, migrate it to replace the current VM. In order to run the Instant Recover, the current VM must be shot down as it uses the IP address originally assigned to the VM.
This particular VM is a domain member server. I start the Instant Recovery, the recovery VM is created and I establish a Remote Desktop session and login using my credentials.
To my surprise, I receive an error message saying that “The trust relationship between this workstation and the primary domain failed.” What does this mean, exactly? If you ask Mr. Google or Mr. Bing for a solution, they will tell you words to the effect that the computer’s password must be reset.
The error means that the computer failed to login to the domain. Each computer has a SID which represents its account in the Domain. If the computer hasn’t logged in to the domain in 30 days or so, then the computer account is “locked out”. You see when a user is locked out of the domain in Active Directory Users and Computers (ADUC). You can also tell if a computer is locked out from the red X by the computer name.
I don’t know why a recovery of a VM from a very recent backup produced this error but I can tell you a simple solution I found that doesn’t involve resetting the computer account in ADUC or going through the remove the server from AD, login to the server, remove it from the domain or delete the AD computer account, and then rejoin the domain.
The simple solution is to logon to the server as a local administrator. You do remember the local computer Administrator account and password, don’t you? Once logged in open a command prompt with elevated privileges (Run as Administrator). Type the following command:
Netdom.exe resetpwd /server:<domain controller> /Ud:<domain user> /pd:*
This command will reset the computer’s password. Logout and then log back in using your domain credentials.
This posting is provided “as is” with no warranties, guarantees or rights whatsoever.