The trust relationship between this workstation and the primary domain failed VMware snapshot
This article describes a really quick way to fix the error "The trust relationship between this workstation and the primary domain failed" on a VMware virtual machine snapshot. A permanent fix is also included at the end of the article.
Cause
For me, this error occurs all the time when I revert to snapshots of my virtual machines within VMware Workstation. In fact, I already blogged about how to fix this issue on Nano Server here: http://howardsimpson.blogspot.co.uk/2017/09/fix-microsoft-nano-server-wont-logon-to-domain.html
The error actually describes the problem quite well. The domain member and domain controller have a trust in the form of cryptographic data. As you change snapshot, the domain member's data no longer matches the domain controller.
Fix
Shut Down
If your snapshot is shut down, the error will surface on the login screen when you boot the VM.
There are two ways to fix this:
Fix 1
Firstly, you can log in as a local account... some articles then talk about adding the workstation to a workgroup, restarting, then adding it to the domain again and restarting again! A much faster way is to run the following command to reset the trust:
Reset-ComputerMachinePassword -credential <domain>\administrator
You can now logout of the local account and should now be able to login as a domain account. You can even put this command in a little PowerShell script so it's even quicker to run (e.g. c:\resettrust.ps1).
Fix 2
The other way to fix this is essentially the same except that you run that command from your domain controller - simply connect to the domain member over PowerShell then reset the trust:
First, on the DC, add the workstation to trusted hosts so PowerShell can connect:
set-item wsman:\localhost\client\trustedhosts <workstation IP address>
Tip: Set a static IP address on the workstation so you don't have to change this between snapshots.
Then connect from the DC to the DM over PowerShell:
Enter-PSsession -computername <workstation IP address> -credential <domain>\administrator
Once you're connected, run the same command as above to reset the trust:
Reset-ComputerMachinePassword -credential <domain>\administrator
You should now be able to login to the domain member.
Booted
If your snapshot is booted, you will already be logged in to the VM so it might not be apparent that the trust relationship has failed. Shift-right click an application and Run as different user to find out:
To fix the trust, on the DM, run the same PowerShell command as per the shut down method above:
Reset-ComputerMachinePassword -credential <domain>\administrator
You can also run the following command to verify the trust relationship:
nltest.exe /server:<workstation host name> /sc_query:<domain>
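Putting the verify-then-reset steps above into one script, as an added example that is not the author's c:\resettrust.ps1: it only resets the machine account password when the secure channel to the DC is actually broken, then re-checks. The credential name and DC name are placeholders, and it assumes an elevated PowerShell session on the domain member.

```powershell
# Added example, not the article's own script. Run elevated on the domain member.
# $DomainAdmin and $DomainController are placeholders; replace them for your domain.
param(
    [string]$DomainAdmin      = 'DOMAIN\administrator',   # placeholder account
    [string]$DomainController = 'DC01'                    # placeholder DC name
)

# Prompt for the password once so the credential object can be reused below.
$cred = Get-Credential -UserName $DomainAdmin -Message 'Domain admin credential'

# Test-ComputerSecureChannel returns $true when the trust with the DC is intact.
$healthy = Test-ComputerSecureChannel -Server $DomainController -Credential $cred `
    -ErrorAction SilentlyContinue

if ($healthy) {
    Write-Host "Secure channel with $DomainController is healthy; nothing to do."
    return
}

Write-Warning 'Secure channel is broken (the usual state after a snapshot revert); resetting.'

# Same command the article uses, pinned to a specific DC so the new machine
# password is written there directly rather than to whichever DC is located.
Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

# Re-test so the script reports whether the reset actually took effect.
if (Test-ComputerSecureChannel -Server $DomainController -Credential $cred) {
    Write-Host 'Trust relationship restored; domain logons should work again.'
} else {
    Write-Error 'Secure channel still broken after reset; check DC reachability and DNS.'
}
```

Once the workstation is in the DC's TrustedHosts list as described in Fix 2, the same script can be run from the DC with Invoke-Command -ComputerName <workstation IP address> -Credential <domain>\administrator -FilePath <path to script>.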
Permanent Fix
A long term permanent fix to this problem is to disable machine account password changes in group policy.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain member: Disable machine account password changes > Enabled
Thank you so much for this post, it solved my issue!
Did you try the permanent fix? That change is supposed to be put in place in the Domain Member or the Domain Controller? Didn't quite get that part.
That change is put in place by using Group Policy Management on the Domain Controller to edit group policy e.g. the Default Domain Policy. You then gpupdate or restart the Domain Member to apply the change.
Thanks, Howard! Great article, btw. I have applied the change as you instructed. Hopefully that will be the last I will see of this annoying problem.