The trust relationship between this workstation and the primary domain failed - VMware snapshot

This article describes a quick way to fix the error "The trust relationship between this workstation and the primary domain failed" after reverting a VMware virtual machine to a snapshot. A permanent fix is included at the end of the article.

Cause

For me, this error occurs every time I revert a virtual machine to a snapshot in VMware Workstation. I have already blogged about fixing the same problem on Nano Server here: http://howardsimpson.blogspot.co.uk/2017/09/fix-microsoft-nano-server-wont-logon-to-domain.html

The error actually describes the problem quite well. The domain member and the domain controller share a secret, the machine account password, and the member rotates it automatically (every 30 days by default), storing the new value locally and on the DC. When you revert to a snapshot taken before the last rotation, the member comes back with the old password while the DC still holds the new one, so the secure channel between them can no longer be established and domain logons fail.

Fix

Shut Down

If the snapshot was taken with the VM shut down, the error surfaces on the login screen as soon as you boot the VM.


There are two ways to fix this:

Fix 1
First, log in with a local account that is a member of the local Administrators group and open PowerShell as administrator. Some articles then tell you to move the workstation to a workgroup, restart, join it to the domain again and restart once more. A much faster way is to run the following command, which generates a new machine account password and sets it on both the member and the DC:

Reset-ComputerMachinePassword -credential <domain>\administrator

You can now log out of the local account and log in with a domain account. Put the command in a small PowerShell script (e.g. c:\resettrust.ps1) so it is even quicker to run next time.
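As an added example (not the script from the original post), here is what a c:\resettrust.ps1 along the lines of Fix 1 could look like. It checks that the secure channel is really broken before resetting, pins the reset to one DC, and verifies afterwards. The domain name CORP and the DC name DC01.corp.local are placeholders; run it from an elevated PowerShell window while logged on with the local account:

```powershell
# resettrust.ps1 - added example, not the original post's script.
# Run from an elevated PowerShell session while logged on as a LOCAL account
# on the domain member. Domain and DC names below are placeholders.
param(
    [string]$Domain = 'CORP',              # assumed NetBIOS domain name
    [string]$Server = 'DC01.corp.local',   # assumed DC to reset the password against
    [pscredential]$Credential              # domain account allowed to change the computer object
)

if (-not $Credential) {
    $Credential = Get-Credential -UserName "$Domain\administrator" `
        -Message 'Account allowed to reset this computer account password'
}

# Step 1: check whether the secure channel to the DC is really broken.
# Test-ComputerSecureChannel returns $true for a healthy channel and $false otherwise.
$healthy = Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue
if ($healthy) {
    Write-Host "Secure channel to $Server is healthy; nothing to reset."
    return
}
Write-Warning "Secure channel to $Server is broken; resetting the machine account password."

# Step 2: generate a new machine account password and store it both locally and on
# the computer object in AD. This is the command from Fix 1, pinned to one DC so that
# replication lag cannot leave you verifying against a DC that has not received it yet.
Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop

# Step 3: verify against the same DC before declaring the trust fixed.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host 'Trust reset. Sign out and log on with a domain account.'
} else {
    throw 'Secure channel still broken after reset; check DNS, time skew, and that the computer account still exists in AD.'
}
```

Test-ComputerSecureChannel -Repair -Credential <domain>\administrator does the same reset under the hood, so it can be used in place of Reset-ComputerMachinePassword if you prefer a single cmdlet for check and repair.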

Fix 2
The other way to fix this is essentially the same, except that you run the command from your domain controller: connect to the domain member (DM) over PowerShell remoting, then reset the trust from inside that session.

First, on the DC, add the workstation to the WinRM TrustedHosts list so PowerShell can connect to it by IP address (connecting by IP forces NTLM rather than Kerberos, which is exactly what you want while the trust is broken). Note that Set-Item replaces the whole list; add -Concatenate if it already contains entries you want to keep:
set-item wsman:\localhost\client\trustedhosts <workstation IP address>

Tip: Set a static IP address on the workstation so you don't have to change this between snapshots.

Then connect from the DC to the domain member over PowerShell:
Enter-PSsession -computername <workstation IP address> -credential <domain>\administrator

Once you're connected, run the same command as above inside the remote session to reset the trust:
Reset-ComputerMachinePassword -credential <domain>\administrator

You should now be able to login to the domain member.
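The DC-side procedure in Fix 2 as one script, added here as an example (these are not the original post's commands). It appends to TrustedHosts instead of overwriting it, runs the reset inside a remote session, and verifies with nltest from the member's point of view. The member IP 192.168.10.50 and the domain name CORP are placeholders, and WinRM is assumed to already be enabled on the member:

```powershell
# fix-trust-from-dc.ps1 - added example, not the original post's commands.
# Run in an elevated PowerShell session on the DC. Names and addresses are assumed.
param(
    [string]$MemberIp = '192.168.10.50',   # assumed static IP of the domain member
    [string]$Domain   = 'CORP',            # assumed NetBIOS domain name
    [string]$DcName   = $env:COMPUTERNAME  # this DC; the reset is pinned to it
)

# Credential for the remote session. The post uses <domain>\administrator; if the
# member rejects domain logons while its secure channel is broken, use a local
# administrator on the member instead (e.g. '192.168.10.50\Administrator').
$cred = Get-Credential -UserName "$Domain\administrator" -Message 'Credential for the remote PowerShell session'

# Step 1: allow WinRM to authenticate with NTLM to an IP address. Set-Item replaces
# the whole TrustedHosts list unless -Concatenate is given, so append rather than
# overwrite entries you may already rely on.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $MemberIp) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $MemberIp -Concatenate -Force
}

# Step 2: open the session and reset the machine account password from inside the member.
# $using: hands the DC-side variables to the remote script block.
$session = New-PSSession -ComputerName $MemberIp -Credential $cred -ErrorAction Stop
try {
    Invoke-Command -Session $session -ScriptBlock {
        Reset-ComputerMachinePassword -Server $using:DcName -Credential $using:cred -ErrorAction Stop

        # Step 3: verify from the member's side. nltest exits non-zero when the
        # secure channel query fails.
        $domainName = $using:Domain
        nltest.exe "/sc_query:$domainName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Secure channel to $domainName still broken after reset (nltest exit code $LASTEXITCODE)."
        }
        "Trust reset on $env:COMPUTERNAME; domain logons should work again."
    }
} finally {
    Remove-PSSession $session
}
```

Because the credential is passed explicitly to Reset-ComputerMachinePassword inside the session, the usual remoting double-hop problem does not apply: the member authenticates to the DC with that credential directly rather than with the delegated session token.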

Booted

If the snapshot was taken with the VM running, you will already be logged in when you revert, so it might not be apparent that the trust relationship has failed. Shift-right-click an application and choose "Run as different user" with a domain account to find out:



To fix the trust, on the domain member run the same PowerShell command as in the shut-down method above (from an elevated PowerShell window):
Reset-ComputerMachinePassword -credential <domain>\administrator


You can also run the following command to verify the trust relationship; a healthy secure channel ends with "The command completed successfully", while a broken one reports an error status instead:
nltest.exe /server:<workstation host name> /sc_query:<domain>
The PowerShell equivalent, run on the member itself, is Test-ComputerSecureChannel, which returns True for a healthy channel and False for a broken one.


Permanent Fix

A long-term fix for this problem is to stop the member from rotating its machine account password, so that every snapshot holds the same password the DC has. The setting is in group policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain member: Disable machine account password changes > Enabled

Apply it with Group Policy Management on a DC, and link it to an OU that contains only the lab VMs rather than to the whole domain: the setting is a security trade-off, because a computer account password that never rotates means a copied disk or old snapshot holds a credential that stays valid indefinitely. The member picks it up after gpupdate /force or a reboot; on the member it appears as the DisablePasswordChange value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Snapshots taken before the policy applied may still need one reset as above, so re-take them afterwards.

Comments

  1. Thank you so much for this post, it solved my issue!

    Replies
    1. Did you try the permanent fix? That change is supposed to be put in place in the Domain Member or the Domain Controller? Didn't quite get that part.

    2. That change is put in place by using Group Policy Management on the Domain Controller to edit group policy e.g. the Default Domain Policy. You then gpupdate or restart the Domain Member to apply the change.

    3. Thanks, Howard! Great article, btw. I have applied the change as you instructed. Hopefully that will be the last I will see of this annoying problem.


