Wednesday, June 25, 2014

Citrix PVS Target Device Trust Relationship Failed

Issue

When attempting to log into a Citrix Provisioning Services client device, a user or domain administrator receives the error "The trust relationship between this workstation and the primary domain failed." The error is not seen when logging into the client as the local administrator.


Backstory

This issue is often seen when a "Golden Image" is booted from the HDD some time after the XenConvert process has completed. It is also seen with server- and client-class Target Devices deployed via Provisioning Services, often after upgrades involving Private Image mode or when machine account password management has not been configured properly. The cause is a mismatch between the machine account password held by the device and the one held by Microsoft Active Directory.

References

TechNet: Netdom
TechNet: Reference Point: "The trust relationship between this workstation and the primary domain failed."
KB162797
CTX134340
CTX132289


Step-By-Step Guide

For a PVS Target Booting to vDisk

1.      Shut down the target device
2.      In the Provisioning Services Console, navigate to the device's collection under its site. The device should show as down.

3.      Right-click on the target device and in the context menu select Active Directory > Reset Machine Account Password.
4.      In the pop-up window, select the Domain and Organizational Unit of the Target Device.

5.      Finally, select Reset Account.

6.      Assuming this is successful, boot the device and log in with your Active Directory credentials.

For a PVS Target Booting to Hard Disk

Method 1 (Preferred)

1.      Log into the server as the local administrator
2.      Verify NetDom is available on your target device (it may have to be downloaded for a desktop OS)
3.      Verify the computer account is in the desired Active Directory Organizational Unit
4.      Launch cmd.exe as an administrator
5.      Run:
netdom.exe resetpwd /server:<server> /userd:<user> /passwordd:*
<Server> Specifies the domain controller to use to set the computer account password.
<User> Specifies the user account to use to make the secure connection with the domain that you specify in the /server parameter. You must specify the user account in the Domain\User format.
* Specifies the password of the user account that you specify in the /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.
6.      Reboot
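The same repair as the netdom step above can be done with built-in cmdlets. The following is an added example, not part of the original post: Reset-ComputerMachinePassword is the PowerShell counterpart of netdom resetpwd, and Test-ComputerSecureChannel confirms the symptom before and the result after. The domain controller name and the Domain\User account are assumptions supplied by the caller; the event-log source name "PvsTrustRepair" is a constructed name used only to leave an auditable record of the repair.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# session on the target device while logged in as the local administrator.
# Requires the Microsoft.PowerShell.Management module (Windows 7 / Server 2008 R2
# and later). $DomainController and $DomainUser are assumptions; substitute your own.
param(
    [Parameter(Mandatory = $true)] [string] $DomainController,  # e.g. dc01.corp.example (assumed)
    [Parameter(Mandatory = $true)] [string] $DomainUser         # Domain\User, same format netdom expects
)

# 1. Confirm the symptom: the secure channel between this computer and the domain is broken.
$before = Test-ComputerSecureChannel -Server $DomainController
Write-Output "Secure channel healthy before reset: $before"

if (-not $before) {
    # 2. Prompt for the password (the equivalent of netdom's /passwordd:*) and reset the
    #    machine account password on the chosen DC. The computer object must already
    #    exist in the intended OU, exactly as step 3 of Method 1 requires.
    $cred = Get-Credential $DomainUser
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

    # 3. Re-test. Step 6 (reboot) is still needed so every service picks up the new
    #    machine credentials.
    $after = Test-ComputerSecureChannel -Server $DomainController
    Write-Output "Secure channel healthy after reset: $after"

    # 4. Leave an auditable trace of the repair in the Application log.
    #    "PvsTrustRepair" is a constructed source name; any registered source will do.
    if (-not [System.Diagnostics.EventLog]::SourceExists("PvsTrustRepair")) {
        New-EventLog -LogName Application -Source "PvsTrustRepair"
    }
    Write-EventLog -LogName Application -Source "PvsTrustRepair" -EventId 1000 `
        -EntryType Information `
        -Message "Machine account password reset against $DomainController by $DomainUser; secure channel OK: $after"
}
```

Usage: save as Repair-PvsTrust.ps1 and run `.\Repair-PvsTrust.ps1 -DomainController dc01.corp.example -DomainUser CORP\svc-pvs` (both values are placeholders). If Test-ComputerSecureChannel cannot reach the DC at all, the target device is likely booting from a vDisk with a stale write cache rather than the hard disk, and the vDisk procedure above applies instead.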

Method 2

1.      Log into the server as the local administrator
2.      Remove the server from the domain using your desired method and reboot
3.      Verify the computer account has been removed from Active Directory
4.      Pre-create the computer account in the desired Active Directory Organizational Unit
5.      Re-join the target device to the domain
6.      Reboot

Method 3 (if the local administrator account is unknown and passwords are cached on the client)

1.      Unplug (or disconnect if a VM) the NIC. This should allow you to log in with cached credentials to a domain account.

Verification of Configuration

Computer object password management must be configured correctly for Citrix PVS deployments to work. This involves configuring password management in both Active Directory and Provisioning Services.

PVS & Active Directory Settings

1.      In the Citrix PVS Console, navigate to the desired site and Servers node.
2.      Right-Click on each server and select Properties.
3.      On the Options tab, make sure the server is configured to manage computer accounts. The number of days between updates is usually left at 7 but may be changed if desired.

4.      Next, verify the vDisk in use is managed properly by navigating to the vDisk Pool node and right-clicking on the desired disk. Select Properties from the context menu.
5.      On the General tab, verify Enable Active Directory machine account password management is checked (in the screenshot the option is greyed out because the disk is online and cannot be changed).

6.      Now move from PVS to Microsoft's Group Policy Management MMC.
7.      Machine account password changes must be disabled for the Organizational Unit that hosts Target Devices, and the maximum machine account password age must be set. This value must be greater than the number of days specified above in the PVS console.
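The policy settings in step 7 ("Domain member: Disable machine account password changes" and "Domain member: Maximum machine account password age") are written to the Netlogon service's registry parameters when the GPO applies, so they can be checked on the target device itself. The script below is an added example, not part of the original post: it compares those values against the PVS update interval from step 3 and, where the ActiveDirectory RSAT module happens to be installed, against the password age AD records for the computer object. The 7-day $PvsDays default is an assumption; match it to your server's Options tab.

```powershell
# Added example (not from the original post): verify a PVS Target Device's machine
# account password settings against the PVS "days between updates" value.
# $PvsDays is an assumption (7 is the usual PVS default mentioned above).
param([int] $PvsDays = 7)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $netlogon

# DisablePasswordChange = 1 means the OS will not rotate its own machine password,
# leaving PVS as the only party changing it (what step 7 requires). A value that is
# absent is treated as 0 (changes enabled).
$disableChange = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }

# MaximumPasswordAge is the age in days after which the OS would rotate the password;
# Windows uses 30 when the value is absent.
$maxAge = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }

$findings = @()
if ($disableChange -ne 1) {
    $findings += "Machine account password changes are NOT disabled (DisablePasswordChange=$disableChange). " +
                 "On a standard-mode vDisk an OS-initiated change lands in the write cache and is lost at reboot, " +
                 "leaving the device out of step with AD."
}
if ($maxAge -le $PvsDays) {
    $findings += "MaximumPasswordAge ($maxAge days) is not greater than the PVS update interval ($PvsDays days)."
}

# Optional cross-check against AD, skipped when the RSAT ActiveDirectory module is absent.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $comp = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    if ($comp.PasswordLastSet) {
        $ageDays = ((Get-Date) - $comp.PasswordLastSet).Days
        if ($ageDays -gt $PvsDays) {
            $findings += "AD reports the computer password was last set $ageDays days ago, but PVS should rotate it " +
                         "every $PvsDays days. Re-check the server Options tab (step 3) and the vDisk setting (step 5)."
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: machine account password management is consistent with a $PvsDays-day PVS interval."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it from an elevated prompt on a booted target device (for example `.\Test-PvsPasswordPolicy.ps1 -PvsDays 7`); a non-zero exit code makes it easy to schedule as a post-deployment check and catch the mismatch before users see the trust relationship error.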
