Domain authentication fails on ESXi virtual machines after snapshot revert

Article ID: 401521

Updated On: 06-18-2025

Products

VMware vSphere ESXi

Issue/Introduction

When you revert a snapshot on a Microsoft Active Directory domain-joined virtual machine, you cannot log in with a service account. The service account fails to sync with the domain controller. This prevents authentication and access to domain resources.

This occurs after you perform snapshot revert operations on Windows virtual machines. The virtual machines must be joined to an Active Directory (AD) domain. The authentication failure prevents access to your virtual machine and may impact business operations.

You may see error messages such as: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

Other symptoms or descriptions:

"Customer is facing an issue with the virtual machine as you are not able to log in to ESXi after doing a revert of the snapshot."

Environment

Seen in:

  • VMware vSphere ESXi 7.0
  • VMware ESXi hosts running Windows virtual machines joined to Active Directory domains with snapshot functionality enabled

Cause

The snapshot revert operation restores the virtual machine to a previous state with outdated computer account credentials. The Active Directory domain controller retains the current computer account password. This creates a computer account password mismatch that breaks the trust relationship between the virtual machine and domain controller.

Resolution

  1. Power off the affected virtual machine if it is currently running.

  2. Power on the virtual machine and immediately press F8 during the boot process to access the Advanced Boot Options menu.

  3. Select Safe Mode from the Advanced Boot Options menu and press Enter.

  4. Log in to the virtual machine using a local administrator account.

  5. Remove the computer from the domain:

    1. Open System Properties by right-clicking Computer and selecting Properties

    2. Click Change settings next to the computer name

    3. In the Computer Name/Domain Changes dialog, click Change

    4. Select Workgroup and enter a temporary workgroup name (for example, TEMP)

    5. Click OK and restart when prompted

  6. After the restart, access the Computer Name/Domain Changes dialog again using substeps 1 through 3 of step 5.

  7. Rejoin the domain:

    1. Select Domain and enter your Active Directory domain name

    2. Provide domain administrator credentials when prompted

    3. Click OK to complete the domain join process

  8. Restart the virtual machine to finalize the domain rejoin process.

  9. Log in using your domain service account to verify authentication is restored.

  10. Test domain resource access to confirm the issue is resolved.
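A scripted equivalent of steps 5 through 10, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell 5.1 session under a local administrator account and a reachable domain controller; the domain name `corp.example.com` is a placeholder, and the script is run once per phase because a restart separates them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Windows PowerShell 5.1 only.
# 'corp.example.com' is a placeholder; 'TEMP' is the workgroup name from step 5.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Check', 'Leave', 'Join')]
    [string]$Phase,
    [string]$DomainName = 'corp.example.com',
    [string]$Workgroup  = 'TEMP'
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

switch ($Phase) {
    'Check' {
        # Steps 9-10: confirm the local machine account password matches the DC's copy.
        if (-not $cs.PartOfDomain) {
            Write-Warning "$env:COMPUTERNAME is in workgroup '$($cs.Workgroup)', not a domain."
            break
        }
        try {
            $healthy = Test-ComputerSecureChannel -ErrorAction Stop
        } catch {
            # A failed query (for example, no DC reachable) is reported as not healthy.
            Write-Warning "Secure channel test failed: $($_.Exception.Message)"
            $healthy = $false
        }
        if ($healthy) {
            Write-Output "Secure channel to $($cs.Domain) is healthy."
        } else {
            Write-Warning "Secure channel to $($cs.Domain) is broken; run the Leave phase."
        }
    }
    'Leave' {
        # Step 5: move the computer to the temporary workgroup, then restart.
        if (-not $cs.PartOfDomain) { Write-Warning 'Already in a workgroup.'; break }
        $cred = Get-Credential -Message "Domain administrator for $($cs.Domain)"
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force -Restart
    }
    'Join' {
        # Steps 6-8: rejoin the domain, which sets a fresh machine account password.
        if ($cs.PartOfDomain) { Write-Warning "Already joined to $($cs.Domain)."; break }
        $cred = Get-Credential -Message "Domain administrator for $DomainName"
        Add-Computer -DomainName $DomainName -Credential $cred -Restart
    }
}
```

Running the `Check` phase before and after the rejoin gives a direct pass/fail on the trust relationship that the Cause section describes, independent of any interactive logon test.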

Additional Information

For more information about computer account password management in Active Directory environments, see How to disable automatic machine account password changes in the Microsoft Knowledge Base.

For general information about troubleshooting trust relationship issues between workstations and domains, see Broken trust relationship between domain-joined device and its domain in Microsoft Learn.